On Tue, Apr 11, 2017 at 11:44 AM, Kurt Roeckx via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > > The reply indicated that it was a non-browser application. So I understand > that a browser should never see that certificate. >
There's no way to objectively quantify or assess that, however. My question still remains - what are the criteria for determining this, and what process is in place for disagreement about this risk? > The question is, can that certificate be used for authenticating something > it shouldn't? And I guess that's not the case. > No. That is not the question. _______________________________________________ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy