Agreed. I don't see a reason to disclose anything where the parent is revoked. I think it's a similar question as whether a CA has to disclose all the sub case under a root where removal from the root program was requested. In both cases the certs are not publicly trusted and don't affect the Mozilla community.
> On Jun 21, 2016, at 10:10 AM, Peter Bowen <pzbo...@gmail.com> wrote: > >> On Tue, Jun 21, 2016 at 8:26 AM, Rob Stradling <rob.stradl...@comodo.com> >> wrote: >> Revocation of a "parent intermediate" does not exempt "child intermediates" >> from the disclosure requirement, AFAICT. So I think the KBC Group CAs do >> need to be disclosed to Salesforce. > > If all paths from a trusted root to a given intermediate are revoked > or expired, then I don't think it "directly or transitively chain[s] > to a certificate included in Mozilla’s CA Certificate Program". It > would be no different than a private CA which isn't part of the WebPKI > graph. > > Thanks, > Peter > _______________________________________________ > dev-security-policy mailing list > dev-security-policy@lists.mozilla.org > https://lists.mozilla.org/listinfo/dev-security-policy _______________________________________________ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy
