On Thu, Jul 14, 2016 at 02:52:41AM -0700, Nick Lamb wrote:
> On Thursday, 14 July 2016 05:18:20 UTC+1, Andrew Ayer wrote:
> > Revocation does not address the risk that this mis-issuance has caused
> > to the ecosystem, since collided certificates (the ones we cannot see,
> > and need to be worried about) have different serial numbers and
> > therefore do not appear revoked.
>
> if Symantec produced these certificates in a sensible way

That is an *extremely* big "if".

- Matt

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy