Frank Hecker wrote:
> I didn't quite say that, but I can understand why Kyle interpreted my
> comments that way. What I have said in the past is that because of the
> impact of removing a root, particularly a root that has lots of server
> certs chained up to it, we're not going to remove a root unless the
> security threat is high enough to warrant it, and in practice we're
> likely to set that bar pretty high.

It's worth pointing out that, whether you think it's fair or not, it's 
undeniably a reality that we would have far fewer worries about removing 
a root which supported 50 certs on the public web than one which 
supported 500,000. And it's also worth noting that most of the roots in 
the store are closer to the former category.

Gerv
_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto