Comment 5 for bug 741528

Created attachment 519860
Bad certs (text dumps) zipped

According to mail from Comodo to the security alias: "A long-term trusted partner of Comodo which has an RA function suffered an internal security breach and the attacker caused 7 certificates to be issued." The bogus certs were revoked within hours.

Unfortunately there are scenarios where the MITM can prevent the victim from contacting the OCSP responder and the certs will continue to be trusted. Given the high profile of the sites involved (including our own addons.mozilla.org) we should explicitly disable these certs if we can.

The CNs involved are
 addons.mozilla.org
 login.live.com
 mail.google.com
 www.google.com
 login.yahoo.com
 login.skype.com
 global trustee

Can they be added as untrusted to the built-in certificate store, or does that only work for signing certificates? Can we ship a CRL containing these certs?
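Added example (not from this bug or from the Mozilla code base) showing why a local explicit-distrust list closes the gap the comment describes: a certificate on the list is rejected even when the OCSP responder is unreachable, whereas a soft-fail OCSP check alone keeps trusting it. The DER parser only walks far enough to reach serialNumber, and the sample certificates are constructed, truncated placeholders with made-up serials, not the seven Comodo certs.

```python
import hashlib

def _tlv(buf, pos):
    """Return (tag, value_start, value_end) for the DER TLV at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length

def serial_number(der):
    """Hex serialNumber of a DER Certificate: SEQUENCE{ SEQUENCE{ [0] version?, INTEGER serial, ...} }."""
    tag, pos, _ = _tlv(der, 0)              # Certificate
    assert tag == 0x30
    tag, pos, _ = _tlv(der, pos)            # tbsCertificate
    assert tag == 0x30
    tag, start, end = _tlv(der, pos)        # optional [0] EXPLICIT version
    if tag == 0xA0:
        tag, start, end = _tlv(der, end)
    assert tag == 0x02, "serialNumber INTEGER expected"
    return der[start:end].hex()

def fingerprint(der):
    """SHA-256 over the DER bytes; a blocklist keyed on this (or issuer+serial) needs no network."""
    return hashlib.sha256(der).hexdigest()

def is_trusted(der, blocklist, ocsp_status, soft_fail):
    """blocklist: serials/fingerprints distrusted locally.
    ocsp_status: 'good', 'revoked' or 'unreachable' (responder blocked by a MITM)."""
    if serial_number(der) in blocklist or fingerprint(der) in blocklist:
        return False                        # explicit distrust: independent of OCSP
    if ocsp_status == "unreachable":
        return soft_fail                    # soft-fail keeps trusting: the gap in the comment
    return ocsp_status == "good"

# --- constructed sample data (placeholder serials, not the real bogus certs) ---
def _der(tag, payload):
    return bytes([tag, len(payload)]) + payload   # short-form lengths only

def _cert(serial):
    version = _der(0xA0, _der(0x02, b"\x02"))
    return _der(0x30, _der(0x30, version + _der(0x02, serial)))  # TBS truncated after serial

BOGUS_CERT = _cert(b"\x11\x22\x33")
OTHER_CERT = _cert(b"\x44\x55\x66")
BLOCKLIST = {serial_number(BOGUS_CERT)}    # could equally hold fingerprint(BOGUS_CERT)

if __name__ == "__main__":
    for name, cert in (("bogus", BOGUS_CERT), ("other", OTHER_CERT)):
        print(name, "trusted with OCSP blocked (soft-fail):",
              is_trusted(cert, BLOCKLIST, "unreachable", soft_fail=True))
```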