Suppose the following sequence of events happens:

1: A CA uses a new intermediate for reasons (no longer cross-signing, etc.)
2: A site gets a certificate from the new intermediate.
3: An older Firefox version connects and thinks it knows all the certificates in the world.

This would seem to break and it wasn't clear to me how this would be handled. Though as Martin points out this extension is merely codification of an occasional practice, so maybe this case does actually work out.

Sincerely,
Watson Ladd
_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls