On Wed, Apr 10, 2019 at 08:55:27AM +0200, Lijun Liao via dev-security-policy wrote: > Let us consider the case that the CA unsets the critical flag unintendedly, > e.g. using the default configuration. Which means there are no explizit > reasons. Is it required that the CA to create an incident report to mozilla?
My expectation would be "yes", as the CA has failed to adhere to RFC5280. - Matt _______________________________________________ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy