thanks for the suggestions. We are exploring the OCSP and CRL checks. It has potential.
As to getting certs from a different root, that wouldn't help us. We have no Technical reason to keep underscored certs and are happy to get rid of them, it is simply the effort required and the timeline given that are an issue. _______________________________________________ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy