Mozilla's wiki has a page about the subCAs https://wiki.mozilla.org/CA/Intermediate_Certificates
On that page I see a link labelled:

"Non-revoked, non-expired Intermediate CA Certificates chaining up to roots in Mozilla's program with the Websites trust bit set"

And clicking that link produces a CSV file. Fine so far.

I anticipated that this CSV file would be a set of subCA certs which were trusted by Firefox to issue leaf TLS certs, since on the face of it that's what the title claims.

But that seems to be wrong; for example, the file includes "Symantec Shared Individual Email Certificate Authority"

https://crt.sh/?id=197857126

which, as its name suggests, does not have the Websites trust bit set.

So. What's actually going on here? Is there a trick that I'm not understanding to processing this file? Why are there certs in it that actually aren't for trusted subCAs at all? Is the link wrong?

What is the recommended procedure for someone who wants to determine whether a random leaf cert they're looking at would in fact be trusted in Firefox? Other than "try it in Firefox"?

Nick.