It’s certainly possible to address post-facto, but I’m not sure this really rises to reasonable to have expected ahead of time. Hopefully with the revisions to blacklisted keys, CAs will find it easy to add this SPKI hash, based on this thread, although certainly 4.9.1.1 of the BRs provides sufficient protection.
It’s good to see there were only two certs affected. -- You received this message because you are subscribed to the Google Groups "dev-security-policy@mozilla.org" group. To unsubscribe from this group and stop receiving emails from it, send an email to dev-security-policy+unsubscr...@mozilla.org. To view this discussion on the web visit https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/CAErg%3DHGkXhfmJwrkB-qhYUFjE0Kx%2BXM0pAyoprpWhO2Pkf%2B_Vg%40mail.gmail.com.
