On 04/13/16 23:12, Kathleen Wilson wrote:
> Request to enable EV for VeriSign Class 3 G4 ECC root
>
> This request by Symantec is to enable EV treatment for the "VeriSign
> Class 3 Public Primary Certification Authority - G4" root certificate
> that was included via bug #409235, and has all three trust bits
> enabled. Symantec is a major commercial CA with worldwide operations
> and customer base.
>
> The request is documented in the following bug:
> https://bugzilla.mozilla.org/show_bug.cgi?id=833974
>
> And in the pending certificates list:
> https://wiki.mozilla.org/CA:PendingCAs
>
> Summary of Information Gathered and Verified:
> https://bugzilla.mozilla.org/attachment.cgi?id=8734043
>
> Noteworthy points:
>
> * The primary documents are the CP and CPS, which are provided in
> English.
>
> Document Repository:
> https://www.symantec.com/about/profile/policies/repository.jsp
> CP:
> https://www.symantec.com/content/en/us/about/media/repository/stn-cp.pdf
> CPS: https://www.symantec.com/content/en/us/about/media/repository/stn-cps.pdf
>
> * CA Hierarchy: This root signs internally-operated SubCAs which
> issue OV and EV SSL certificates, as well as Code Signing
> certificates. S/MIME certs may also be issued in this CA hierarchy.

"Symantec AATL ECC Intermediate CA" is an unconstrained subCA
(https://crt.sh/?caid=13519) of this root, albeit one with a certificate
policy OID that should prohibit it from receiving EV treatment:

- Why was this subCA not included in the disclosure attached to
  https://bugzilla.mozilla.org/show_bug.cgi?id=1019864 ?
- Where and since when was this subCA disclosed in compliance with
  Mozilla's policies?
- What CP/CPSes apply to this subCA?
- Presumably this subCA is not meant to be used for TLS server
  certificates, so why is it not technically constrained from doing so?

