On Wed, Jul 12, 2017 at 6:03 AM, Kurt Roeckx via dev-security-policy <
dev-security-policy@lists.mozilla.org> wrote:

> On 2017-07-11 15:56, Nick Lamb wrote:
>
>> On Tuesday, 11 July 2017 10:56:43 UTC+1, Kurt Roeckx wrote:
>>
>>> So at least some of them have been notified more than 3 months ago, and
>>> a bug was filed a month later. I think you already gave them too much
>>> time to at least respond to it, and suggest that you sent a new email
>>> indicating that if they don't respond immediately that they will get
>>> added to OneCRL.
>>>
>>
>> Agreed. It may also make sense to add telemetry that allows Mozilla to
>> determine whether listing such subCAs in the OneCRL are ever actually
>> blocking anything. This makes a difference in my opinion as to the
>> severity of the breach of policy by the CA in question.
>>
>
> I don't know if this currently happens, but I would like to see all CA
> certificates that are in OneCRL but are not revoked to be added to the root
> store as distrusted too.
>

Why? I can share reasons why it might not be desirable, but rather than
start out negatively, I was hoping you could expand upon the reasons for
including.
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy