But Censys lists it as a trusted intermediate chaining to a root ( ebc5570c29018c4d67b1aa127baf12f703b4611ebc17b7dab5573894179b93fa ) in NSS:
https://censys.io/certificates/b82210cde9ddea0e14be29af647e4b32f96ed2a9ef1aa5baa9cc64b38b6c01ca/validation With respect to Gerv's question: given the ample time to disclose intermediates, and given all CAs in the program indicated that they had, seems reasonable to immediately add undisclosed ones that are discovered to OneCRL. Other than some breakage, as already noted, main downside would seem to be potentially large growth in OneCRL. On Thursday, June 8, 2017 at 7:58:51 AM UTC-4, Kurt Roeckx wrote: > On 2017-06-08 13:31, richmoor...@gmail.com wrote: > > This one is interesting since the domain name of the CRL resolves to an RFC > > 1918 IP address. Surely that is a violation of the baseline requirements. > > > > https://crt.sh/?sha256=b82210cde9ddea0e14be29af647e4b32f96ed2a9ef1aa5baa9cc64b38b6c01ca > > That seems to be a root CA. It does not mention any CRL. I don't expect > a root CA to have a CRL. I'm not sure from where crt.sh is getting the > CRL URL. > > > Kurt _______________________________________________ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy