Frank Hecker wrote:
> For the record, I am pretty sure that we have CAs already in the root
> list that have issued test certs under their hierarchies. IIRC the last
> instance of this I saw was a CA that had a subordinate CA used for
> testing purposes, under the root CA that we include. (But as you note,
> for our purposes a test certificate issued directly from a root CA is
> equivalent to a test certificate issued from a subordinate CA under that
> root. In both cases the test cert would be recognized as valid if the
> root CA cert were recognized as valid.)

Please elaborate. What CA did that? Is the subordinate CA that did so still valid (unexpired)?

I know of one CA that did so at one time, but the subordinate CA has expired and the CA that issued it refused to renew it, because it had been misused in this way.

IMO, this is a serious enough breach that it warrants calling for the removal of the CA that did it. If the subordinate CA is still valid and is not revoked, this calls for drastic action.

_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto