Aug. 29, 2014
5:57 p.m.
On Fri, 29 Aug 2014 17:42:34 -0400 "R. David Murray" <rdmurray@bitdance.com> wrote:
Especially if you want an accelerated change, there must be a way to *easily* get back to the previous behavior, or we are going to catch a lot of flack. There may be only 7% of public certs that are problematic, but I'd be willing to bet you that there are more not-really-public ones that are critical to day to day operations *somewhere* :)
Actually, by construction, there are certs which will always fail verification, for example because they are embedded in telco equipments which don't have a predefined hostname or IP address. (I have encountered some of those) Regards Antoine.