If you added them automatically to OneCRL, how would you create new intermediates? Would it be anything over X days old and undisclosed is automatically added? If so, +1 from us. I'm pretty sure the two CAs listed from the Baltimore root don't believe these are publicly trusted intermediates.
-----Original Message-----
From: dev-security-policy [mailto:dev-security-policy-bounces+jeremy.rowley=digicert.com@lists.mozilla.org] On Behalf Of Gervase Markham via dev-security-policy
Sent: Thursday, June 8, 2017 3:17 AM
To: Jonathan Rudenberg <jonat...@titanous.com>; mozilla-dev-security-pol...@lists.mozilla.org
Subject: Re: New undisclosed intermediates

On 08/06/17 00:42, Jonathan Rudenberg wrote:
> Yet another batch of undisclosed intermediates has shown up in CT:

Like, seriously?

Every CA in our program indicated that they would disclose all their intermediates by June 30th, 2016:
https://ccadb-public.secure.force.com/mozillacommunications/CACommResponsesOnlyReport?CommunicationId=a05o000000iHdtx&QuestionId=Q00004

I don't really want to switch to an intermediate whitelist because that requires coding.

My patience is expiring. What CA can't keep track of the intermediates it issues? How hard is that, really?

What downsides would there be, other than the obvious "some sites might break", to us just adding any such intermediate certs directly to OneCRL?

Gerv
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy