On 4 October 2016 at 06:12, Eric Rescorla <e...@rtfm.com> wrote:
> with the exception of the end-entity
> certificate which MUST be first.

After testing, this part seems to be the component that stops my idea. I could build paths to arbitrary roots with extra chains contained in the list... but only if the correct leaf was specified first. (Kind of surprised by that, I'd have imagined that to be a more common misconfiguration, but I guess not.)

Tested with Chrome/Firefox/IE/Edge on Windows 10. (Seems Edge doesn't honor the HSTS hard fail mechanism!)

-tom
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
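
The behaviour reported in the message above, as an added example that is not part of the original post: a simplified model of a client that takes the first list entry as the end-entity certificate and uses the remaining entries as an unordered pool for path building. The `Cert` record, the function names, the status strings and all certificate names are hypothetical and constructed; only subject/issuer name chaining is modelled, with no signature, validity or constraint checks.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    """Constructed stand-in for an X.509 certificate (names only)."""
    subject: str
    issuer: str


def build_path(cert, pool, anchors, seen=()):
    """Depth-first search from cert to a trust anchor through an unordered pool."""
    if cert.issuer in anchors:
        return [cert.subject, cert.issuer]
    seen = seen + (cert,)  # guards against issuer loops in the pool
    for cand in pool:
        if cand.subject == cert.issuer and cand not in seen:
            rest = build_path(cand, pool, anchors, seen)
            if rest:
                return [cert.subject] + rest
    return None


def check_cert_list(cert_list, hostname, anchors):
    """Return (status, path) for a server-sent list, treating entry 0 as the leaf."""
    if not cert_list:
        return ("empty", None)
    first = cert_list[0]
    if first.subject != hostname:
        # The leaf may be present, but a client that requires it first rejects the list.
        present = any(c.subject == hostname for c in cert_list)
        return ("leaf-not-first" if present else "leaf-missing", None)
    path = build_path(first, cert_list[1:], anchors)
    return ("ok", path) if path else ("no-path", None)


# Constructed sample data: one leaf, two issuers named "Int A" (one cross-signed
# by the only trusted root), and one unrelated extra certificate.
ANCHORS = {"Root B"}
LEAF = Cert("www.example.test", "Int A")
INT_A = Cert("Int A", "Root A")
CROSS = Cert("Int A", "Root B")
EXTRA = Cert("Int C", "Root C")

if __name__ == "__main__":
    print(check_cert_list([LEAF, EXTRA, INT_A, CROSS], "www.example.test", ANCHORS))
    print(check_cert_list([INT_A, LEAF, CROSS], "www.example.test", ANCHORS))
```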