On Friday, 4 August 2017 03:16:45 UTC+2, Matt Palmer wrote:
> On Thu, Aug 03, 2017 at 01:43:08PM -0700, Kathleen Wilson via
> dev-security-policy wrote:
> > However, I think it is fine for Certinomis to cross-sign with new StartCom
> > subCA certs, as long as Certinomis ensures that Mozilla's Root Store
> > Policy is being followed.
>
> ... which they didn't. So there's that.
Exactly. I don't understand why this discussion seems to be about StartCom. Until they re-apply for the root program they have no direct obligation to conform to anything anymore. They may have to answer to Certinomis, depending on what was agreed with respect to the cross-signing. But that is really only relevant to Certinomis and StartCom themselves.

Certinomis, however, does have a root in Mozilla's root program and as such has to answer for any misissuance chaining up to their root certificate(s). In my opinion it would make more sense for Certinomis to decide that they'd better revoke their cross-signings than for Mozilla to add them to OneCRL.

Or am I missing something here?

CU Hans

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy