On Wednesday, April 20, 2016 at 12:47:58 PM UTC-7, Charles Reiss wrote:
> On 04/13/16 23:12, Kathleen Wilson wrote:
> > Request to enable EV for VeriSign Class 3 G4 ECC root
> >
> > This request by Symantec is to enable EV treatment for the "VeriSign Class 3 Public Primary Certification Authority - G4" root certificate that was included via bug #409235, and has all three trust bits enabled. Symantec is a major commercial CA with worldwide operations and customer base.
> >
> > The request is documented in the following bug:
> > https://bugzilla.mozilla.org/show_bug.cgi?id=833974
> >
> > And in the pending certificates list:
> > https://wiki.mozilla.org/CA:PendingCAs
> >
> > Summary of Information Gathered and Verified:
> > https://bugzilla.mozilla.org/attachment.cgi?id=8734043
> >
> > Noteworthy points:
> >
> > * The primary documents are the CP and CPS, which are provided in English.
> >
> > Document Repository:
> > https://www.symantec.com/about/profile/policies/repository.jsp
> > CP:
> > https://www.symantec.com/content/en/us/about/media/repository/stn-cp.pdf
> > CPS:
> > https://www.symantec.com/content/en/us/about/media/repository/stn-cps.pdf
> >
> > * CA Hierarchy: This root signs internally-operated SubCAs which issue OV and EV SSL certificates, as well as Code Signing certificates. S/MIME certs may also be issued in this CA hierarchy.
>
> "Symantec AATL ECC Intermediate CA" is an unconstrained subCA (https://crt.sh/?caid=13519) of this root, albeit one with a certificate policy OID that should prohibit it from receiving EV treatment:
> - Why was this subCA not included in the disclosure attached to https://bugzilla.mozilla.org/show_bug.cgi?id=1019864 ?
> - Where and since when was this subCA disclosed in compliance with Mozilla's policies?
> - What CP/CPSes apply to this subCA?
> - Presumably this subCA is not meant to be used for TLS server certificates, so why is it not technically constrained from doing so?
Symantec AATL ECC Intermediate CA was never intended for issuing SSL/TLS certificates. It has never been used and will not be used in the future for SSL/TLS. As such, it hasn't been disclosed to date. We are planning to revoke the Symantec AATL ECC Intermediate CA and provide it along with the "Revoked" list of ICAs to Mozilla in the coming month.

_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy
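The last of Charles Reiss's questions, why an intermediate that is "never intended" for TLS is not technically constrained from it, is something any relying party can test rather than take on trust: an intermediate with no EKU extension can sign a server certificate that browsers will accept, whatever the CA's intent. The Go program below is an added example written for this page, not code from the thread, from Symantec or from Mozilla. It builds a throwaway root and two intermediates (one with no EKU, one whose EKU is limited to emailProtection), issues a TLS server leaf under each, and shows that path validation for serverAuth accepts the leaf from the unconstrained intermediate and rejects the one from the email-only intermediate. The `technicallyConstrainedFromTLS` check is my own simplified reading of the "technically constrained" rule (EKU without serverAuth/anyEKU, or serverAuth plus dNSName name constraints), an assumption here rather than the policy text, and all certificate names are constructed.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// technicallyConstrainedFromTLS is a simplified reading (an assumption here, not the
// policy text): EKU without serverAuth/anyEKU, or serverAuth plus dNSName name constraints.
func technicallyConstrainedFromTLS(c *x509.Certificate) bool {
	if len(c.ExtKeyUsage) == 0 && len(c.UnknownExtKeyUsage) == 0 {
		return false // no EKU at all: it may sign anything, including TLS server certs
	}
	for _, u := range c.ExtKeyUsage {
		if u == x509.ExtKeyUsageServerAuth || u == x509.ExtKeyUsageAny {
			return len(c.PermittedDNSDomains) > 0 || len(c.ExcludedDNSDomains) > 0
		}
	}
	return true // EKU present and serverAuth is not among the permitted uses
}

// subCA pairs a certificate with its private key (constructed demo PKI, not Symantec's).
type subCA struct {
	cert *x509.Certificate
	key  *ecdsa.PrivateKey
}

// caTemplate builds a CA template; eku == nil yields no EKU extension at all.
func caTemplate(serial int64, cn string, eku []x509.ExtKeyUsage) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
		ExtKeyUsage: eku,
	}
}

// mustIssue generates a fresh P-256 key and signs template with parent; an
// empty parent produces a self-signed root. Setup failures panic.
func mustIssue(template *x509.Certificate, parent subCA) subCA {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	if parent.cert == nil {
		parent = subCA{template, key}
	}
	der, err := x509.CreateCertificate(rand.Reader, template, parent.cert, &key.PublicKey, parent.key)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return subCA{cert, key}
}

// buildHierarchy returns a root, an intermediate with no EKU (unconstrained, as
// the thread describes) and an intermediate whose EKU is limited to emailProtection.
func buildHierarchy() (root, unconstrained, emailOnly subCA) {
	root = mustIssue(caTemplate(1, "Demo Root", nil), subCA{})
	unconstrained = mustIssue(caTemplate(2, "Demo Unconstrained Intermediate", nil), root)
	emailOnly = mustIssue(caTemplate(3, "Demo Email-only Intermediate", []x509.ExtKeyUsage{x509.ExtKeyUsageEmailProtection}), root)
	return root, unconstrained, emailOnly
}

// tlsLeafVerifyError mints a server certificate for example.test under sub and
// returns what serverAuth path validation reports: nil when accepted, a
// CertificateInvalidError (Reason IncompatibleUsage) when the intermediate's EKU forbids it.
func tlsLeafVerifyError(root *x509.Certificate, sub subCA) error {
	leaf := mustIssue(&x509.Certificate{
		SerialNumber: big.NewInt(100), DNSNames: []string{"example.test"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}, sub)
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	inters.AddCert(sub.cert)
	_, err := leaf.cert.Verify(x509.VerifyOptions{
		Roots: roots, Intermediates: inters, DNSName: "example.test",
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err
}

func main() {
	root, unc, em := buildHierarchy()
	for _, sub := range []subCA{unc, em} {
		fmt.Printf("%-32s constrained=%v verify=%v\n", sub.cert.Subject.CommonName,
			technicallyConstrainedFromTLS(sub.cert), tlsLeafVerifyError(root.cert, sub))
	}
}
```

To apply the check to a real intermediate such as the one in the thread, parse its DER with `x509.ParseCertificate` and pass the result to `technicallyConstrainedFromTLS`; the absence of an EKU extension is what makes an intermediate "unconstrained" in this sense, regardless of what its CP/CPS or its operator says it is for. Note that the check deliberately ignores certificate policy OIDs: a policy OID can keep a chain from receiving EV treatment, but it does not stop a browser from accepting a DV-grade server certificate issued under it.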

