Are CAs really not monitoring issuance of certs by their sub-CAs for simple violations like this? Does this not violate a Mozilla or CAB Forum policy? Should it?
On Mon, Feb 1, 2016 at 1:41 PM, Jeremy Rowley <[email protected]> wrote:
> Same with DigiCert. This is a sub CA issued by Verizon. We've reached out
> to the customer to investigate why they had the issue and what they are
> doing to remediate. We will provide details once we receive them.
>
> -----Original Message-----
> From: dev-security-policy [mailto:dev-security-policy-bounces+jeremy.rowley [email protected] .org] On Behalf Of Rick Andrews
> Sent: Monday, February 1, 2016 11:34 AM
> To: [email protected]
> Subject: Re: More SHA-1 certs
>
> On Sunday, January 31, 2016 at 9:47:53 AM UTC-8, Peter Bowen wrote:
> > These are all in the last week
> >
> > Sub-CA under SHECA (which has applied to be in the Mozilla program)
> > https://crt.sh/?id=12367776&opt=cablint
> >
> > Sub-CA under DigiCert
> > https://crt.sh/?id=12460684&opt=cablint
> >
> > Sub-CA under Symantec
> > https://crt.sh/?id=12456194&opt=cablint
> > https://crt.sh/?id=12434313&opt=cablint
>
> The Sub-CA under Symantec is managed by one of our customers. We've reached
> out to them and we're investigating. More detail to follow.
> _______________________________________________
> dev-security-policy mailing list
> [email protected]
> https://lists.mozilla.org/listinfo/dev-security-policy

