On 2017-07-11 15:56, Nick Lamb wrote:
> On Tuesday, 11 July 2017 10:56:43 UTC+1, Kurt Roeckx wrote:
>> So at least some of them have been notified more than 3 months ago, and
>> a bug was filed a month later. I think you already gave them too much
>> time to at least respond to it, and suggest that you send a new email
>> indicating that if they don't respond immediately they will get
>> added to OneCRL.
>
> Agreed. It may also make sense to add telemetry that allows Mozilla to
> determine whether listing such subCAs in the OneCRL is ever actually blocking
> anything. This makes a difference in my opinion as to the severity of the
> breach of policy by the CA in question.

I don't know if this currently happens, but I would like to see all CA certificates that are in OneCRL but not revoked also added to the root store as distrusted.


Kurt

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
