On 05/16/2017 01:04 PM, Jakob Bohm wrote:
>
> Could you please point out where in certdata.txt the following are
> expressed, as I couldn't find it in a quick scan:
>
> 1. The date restrictions on WoSign-issued certificates.
>
> 2. The EV trust bit for some CAs.
>

Not the OP, but WoSign restrictions are hardcoded:
https://dxr.mozilla.org/mozilla-aurora/source/security/certverifier/NSSCertDBTrustDomain.cpp#741

EV OIDs live in PSM, and are hardcoded into the browser:
https://dxr.mozilla.org/mozilla-aurora/source/security/certverifier/ExtendedValidation.cpp

At least in the case of EV though, I'm not sure if anything besides the browser itself actually cares about EV vs. DV (or OV) in practice though.

Michael