On Mon, Jul 06, 2020 at 10:53:50AM -0700, zxzxzx66669--- via dev-security-policy wrote:
> Can't the affected CAs decide on their own whether to destroy the
> intermediate CA private key now, or in case the affected intermediate CA
> private key is later compromised, revoke the root CA instead?

No, because there's no reason to believe that a CA would follow through on their decision, and rapid removal of trust anchors (which is what "revoke the root CA" means in practice) has all sorts of unpleasant consequences anyway.

- Matt