Kyle, It is one thing to say NSS doesn't let you have multiple certificates with the same issuer and serial, which is factually true, but it's another to suggest this means it pins as you described, which is incorrect speculation.

I appreciate your attention to detail citing X.509, but let's not forget that it assumes the global directory of X.500, which is a pure fiction that never truly manifested. NSS enforces the fictional, technically non-existent, entirely unreasonable assumption that Distinguished Names are hierarchical and unique, neither of which is true, and enforces a serial number uniqueness upon that assumption, which can lead to trivial DoS issues for NSS-using applications. I mention all of this so that we can ignore the distraction presented by Eddy as to the impact on relying parties, and instead focus on the technical conformance that was violated here. These certs won't work in NSS applications simultaneously, and they have to be revoked simultaneously, and both of these are explicitly undesirable. But more importantly, it is not for a CA to decide what violations are acceptable or not acceptable, or what their timeline is going to be for conformance, because otherwise that's indistinguishable from an absence of standards. If there are legitimate concerns with the standards as written, then it's worth publicly discussing to change the standards, but it's not acceptable to ignore them because it is inconvenient to conform, nor is "it's hard" a suitable response to continued misissuance.

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
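An added example (not from this thread or from NSS) of the check a CA or auditor could run over a batch of issued certificates before they reach an NSS store: it derives the (issuer Name, serialNumber) pair the thread says NSS requires to be unique and reports any certificates that collide on it. It uses a minimal DER walker and constructed, unsigned certificate-shaped blobs as sample input; the names and serials are hypothetical.

```python
from collections import defaultdict

def der_tlv(tag, body):
    """Encode one DER TLV; short-form length only (enough for the samples below)."""
    assert len(body) < 128
    return bytes([tag, len(body)]) + body

def der_walk(buf, pos=0):
    """Decode the TLV at pos; return (tag, value bytes, offset after it)."""
    tag, ln = buf[pos], buf[pos + 1]
    pos += 2
    if ln & 0x80:                       # long form: next n bytes hold the length
        n = ln & 0x7F
        ln = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + ln], pos + ln

def issuer_serial_key(cert_der):
    """Return (issuer Name DER contents, serialNumber), the pair that must be unique.
    Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }
    TBSCertificate ::= SEQUENCE { [0] version OPTIONAL, serialNumber INTEGER,
                                  signature AlgorithmIdentifier, issuer Name, ... }"""
    _, cert, _ = der_walk(cert_der)
    _, tbs, _ = der_walk(cert)
    tag, val, pos = der_walk(tbs)
    if tag == 0xA0:                     # explicit [0] version is present, skip it
        tag, val, pos = der_walk(tbs, pos)
    assert tag == 0x02, "serialNumber must be an INTEGER"
    serial = int.from_bytes(val, "big", signed=True)
    _, _, pos = der_walk(tbs, pos)      # signature AlgorithmIdentifier
    _, issuer, _ = der_walk(tbs, pos)   # issuer Name, compared as raw DER bytes
    return issuer, serial

def find_collisions(certs):
    """Group certificate indexes by (issuer, serial); keep only groups of size > 1."""
    groups = defaultdict(list)
    for i, der in enumerate(certs):
        groups[issuer_serial_key(der)].append(i)
    return {k: v for k, v in groups.items() if len(v) > 1}

def make_cert(issuer_cn, serial):
    """Constructed, unsigned certificate-shaped DER (hypothetical sample, not a real cert)."""
    cn = der_tlv(0x06, bytes.fromhex("550403")) + der_tlv(0x0C, issuer_cn.encode())
    name = der_tlv(0x30, der_tlv(0x31, der_tlv(0x30, cn)))
    ser = serial.to_bytes((serial.bit_length() + 8) // 8, "big")  # keeps sign bit clear
    tbs = (der_tlv(0xA0, der_tlv(0x02, b"\x02")) + der_tlv(0x02, ser)
           + der_tlv(0x30, der_tlv(0x06, bytes.fromhex("2A864886F70D01010B"))) + name)
    return der_tlv(0x30, der_tlv(0x30, tbs) + der_tlv(0x30, b"") + der_tlv(0x03, b"\x00"))

if __name__ == "__main__":
    sample = [make_cert("Example CA", 0x1234), make_cert("Example CA", 0x1234),
              make_cert("Example CA", 0x1235), make_cert("Other CA", 0x1234)]
    for (issuer, serial), idx in find_collisions(sample).items():
        print(f"serial {serial:#x} reused under one issuer by certs {idx}")
```

Only the first two samples collide: a different serial under the same issuer, or the same serial under a different issuer, is a distinct key and would coexist in an NSS store.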