I think there are two things getting conflated here:

1) Disclosure of revoked unexpired CA certificates signed by a trusted CA
2) Disclosure of CA certificates signed by CAs that are the subject of #1

Imagine the following hierarchy:

Univercert Root CA (in trust store)
  --(CA Cert A)--> Aperture Science Corporate Root
    --(CA Cert B)--> Aperture Science Server CA
      --(End Entity Cert)--> www.aperature.xa

If CA Cert A is revoked, it goes in OneCRL. What about CA Cert B? Does it need to be disclosed?

Thanks,
Peter

On Wed, Jun 22, 2016 at 2:12 PM, Richard Barnes <rbar...@mozilla.com> wrote:
> I think the vision is that in the long run, OneCRL would be based on
> the Salesforce data.
>
> Sent from my iPhone. Please excuse brevity.
>
>> On Jun 22, 2016, at 16:56, Jeremy Rowley <jeremy.row...@digicert.com> wrote:
>>
>> That's why Mozilla has a policy to disclose all such CAs through OneCRL.
>> Seems like unnecessary information to disclose the CA as part of OneCRL and
>> as part of the Salesforce program.
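The hierarchy in Peter's message, modelled in a small path-validation script (an added illustration, not code from the thread or from Mozilla's OneCRL implementation). It assumes a simplified certificate record and a OneCRL-style block list keyed on (issuer name, serial number); real OneCRL entries and real X.509 path building carry much more, but the mechanics shown here hold: validation walks from the trust anchor down, so once CA Cert A is blocked, the chain through www.aperature.xa fails before CA Cert B is ever examined, whether or not B has its own entry.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    """Minimal stand-in for an X.509 certificate (assumed model, not real ASN.1)."""
    subject: str
    issuer: str
    serial: int
    is_ca: bool


# Constructed hierarchy mirroring the one in the message; serials are made up.
ROOT = Cert("Univercert Root CA", "Univercert Root CA", 1, True)
CA_A = Cert("Aperture Science Corporate Root", "Univercert Root CA", 1001, True)          # "CA Cert A"
CA_B = Cert("Aperture Science Server CA", "Aperture Science Corporate Root", 2001, True)  # "CA Cert B"
EE = Cert("www.aperature.xa", "Aperture Science Server CA", 3001, False)                  # end entity

TRUST_STORE = {ROOT.subject: ROOT}                  # anchors the client trusts
INTERMEDIATES = {c.subject: c for c in (CA_A, CA_B)}  # CA certs available for path building


def onecrl_key(cert):
    """Assumed block-list key: (issuer name, serial number)."""
    return (cert.issuer, cert.serial)


def build_chain(leaf, intermediates, trust_store, max_depth=8):
    """Follow issuer links from the leaf until a trust anchor is reached.

    Returns [leaf, ..., anchor] or None if no anchor is found within max_depth.
    """
    chain = [leaf]
    current = leaf
    for _ in range(max_depth):
        if current.issuer in trust_store:
            chain.append(trust_store[current.issuer])
            return chain
        issuer = intermediates.get(current.issuer)
        if issuer is None:
            return None
        chain.append(issuer)
        current = issuer
    return None


def validate(leaf, intermediates, trust_store, blocklist):
    """Return (ok, reason). Checks every non-anchor cert against the block list,
    walking from the anchor towards the leaf as path validation does."""
    chain = build_chain(leaf, intermediates, trust_store)
    if chain is None:
        return False, "no path to a trust anchor"
    for cert in reversed(chain[:-1]):
        if onecrl_key(cert) in blocklist:
            return False, f"blocked by OneCRL entry: {cert.subject}"
        if cert is not leaf and not cert.is_ca:
            return False, f"not a CA: {cert.subject}"
    return True, "valid: " + " <- ".join(c.subject for c in chain)


if __name__ == "__main__":
    scenarios = {
        "nothing blocked": set(),
        "CA Cert A blocked": {onecrl_key(CA_A)},
        "CA Cert B blocked": {onecrl_key(CA_B)},
        "A and B blocked": {onecrl_key(CA_A), onecrl_key(CA_B)},
    }
    for name, blocklist in scenarios.items():
        ok, reason = validate(EE, INTERMEDIATES, TRUST_STORE, blocklist)
        print(f"{name:20s} -> {ok}: {reason}")
```

Running the script prints one line per scenario; the "A and B blocked" case reports the same failure as "CA Cert A blocked", because the walk stops at the first blocked certificate below the anchor.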