I have to agree with Andrew. Continuing to trust this root and the integrity of "notBefore" on the certs it issues seems like it adds risk to Firefox and Thunderbird users without basically any value to the world. If those certificates have their key material leak, do we have any reason to believe that ECM will actually spring to life and help the subscribers? I cannot think of such a reason.
IMO we should excise it cleanly, and let Mozilla's users deal with the fact that they can't access those handful of sites--if indeed they ever notice.

Mike

On Tue, 11 Jun 2024 at 15:55, Andrew Ayer <a...@andrewayer.name> wrote:

> On Tue, 11 Jun 2024 13:11:16 -0400
> Andrew Ayer <a...@andrewayer.name> wrote:
>
> > If we exclude ECM's own domains, this drops down to just 36 distinct
> > DNS names.
>
> Further analysis: of the 36 DNS names,
>
> 18 are serving a non-ECM certificate on port 443
> 9 are serving an ECM certificate on port 443
> 6 did not respond on port 443
> 3 are wildcard DNS names
>
> Regards,
> Andrew