On Wednesday, 26 October 2016 02:31:07 UTC+1, Ryan Sleevi wrote:
> Yes. There is no obligation or expectation, presently communicated, to revoke
> extant certificates. Indeed, CAs were adamantly opposed to such a
> requirement. So these certificates will still very much be valid.

Ah yes, I had muddled this with the obligation to revoke remaining certificates for non-Internet addresses (e.g. example.corp, 10.20.30.40) at the start of this month for which it's on my TODO list to verify the extent of compliance. So this would be a significant risk.

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy