"Apple products will trust individual existing certificates issued from this intermediate CA and published to public Certificate Transparency log servers by 2016-09-19"
It seems that Apple has taken the explicit white-listed approach despite the size drawback mentioned in the other thread. I know Apple is an OS vendor, which probably makes such a deployment easier to implement. But the size of the whitelist is not really a concern in the desktop environment. So I hope Mozilla and Google can have an explicit whitelist approach on desktop while using the notBefore data on mobile to have the stronger safeguard when possible.
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy