On Thu, Apr 21, 2016 at 8:00 PM, Rick Andrews <[email protected]> wrote:
> On Wednesday, April 20, 2016 at 12:47:58 PM UTC-7, Charles Reiss wrote:
> > On 04/13/16 23:12, Kathleen Wilson wrote:
> > > Request to enable EV for VeriSign Class 3 G4 ECC root
> > >
> > > This request by Symantec is to enable EV treatment for the "VeriSign
> > > Class 3 Public Primary Certification Authority - G4" root certificate
> > > that was included via bug #409235, and has all three trust bits
> > > enabled. Symantec is a major commercial CA with worldwide operations
> > > and customer base.
> > >
> > > The request is documented in the following bug:
> > > https://bugzilla.mozilla.org/show_bug.cgi?id=833974
> > >
> > > And in the pending certificates list:
> > > https://wiki.mozilla.org/CA:PendingCAs
> > >
> > > Summary of Information Gathered and Verified:
> > > https://bugzilla.mozilla.org/attachment.cgi?id=8734043
> > >
> > > Noteworthy points:
> > >
> > > * The primary documents are the CP and CPS, which are provided in
> > > English.
> > >
> > > Document Repository:
> > > https://www.symantec.com/about/profile/policies/repository.jsp
> > > CP:
> > > https://www.symantec.com/content/en/us/about/media/repository/stn-cp.pdf
> > > CPS:
> > > https://www.symantec.com/content/en/us/about/media/repository/stn-cps.pdf
> > >
> > > * CA Hierarchy: This root signs internally-operated SubCAs which
> > > issue OV and EV SSL certificates, as well as Code Signing
> > > certificates. S/MIME certs may also be issued in this CA hierarchy.
> >
> > "Symantec AATL ECC Intermediate CA" is an unconstrained subCA
> > (https://crt.sh/?caid=13519) of this root, albeit one with a certificate
> > policy OID that should prohibit it from receiving EV treatment:
> > - Why was this subCA not included in the disclosure attached to
> >   https://bugzilla.mozilla.org/show_bug.cgi?id=1019864 ?
> > - Where and since when was this subCA disclosed in compliance with
> >   Mozilla's policies?
> > - What CP/CPSes apply to this subCA?
> > - Presumably this subCA is not meant to be used for TLS server
> >   certificates, so why is it not technically constrained from doing so?
>
> Symantec AATL ECC Intermediate CA was never intended for issuing SSL/TLS
> certificates. It has never been used and will not be used in the future for
> SSL/TLS. As such, it hasn't been disclosed to date.

That is not the criterion, Rick. The criterion is "capable of being used to
issue new certificates":

"""
All certificates that are capable of being used to issue new certificates,
and which directly or transitively chain to a certificate included in
Mozilla’s CA Certificate Program, MUST be operated in accordance with
Mozilla’s CA Certificate Policy
<https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/>
and MUST either be *technically constrained* or be *publicly disclosed and
audited.*
"""

So until that CA is constrained, disclosed+audited, or revoked, the G4 root is
out of compliance with Mozilla's policy. If you have any more of these around,
please make sure to include them in your upcoming disclosures.

--Richard

> We are planning to revoke the Symantec AATL ECC Intermediate CA and
> provide it along with the "Revoked" list of ICAs to Mozilla in the coming
> month.
> _______________________________________________
> dev-security-policy mailing list
> [email protected]
> https://lists.mozilla.org/listinfo/dev-security-policy
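The "technically constrained" test the quoted policy text turns on can be checked mechanically from an intermediate's extensions. The following is an added example, not code from the thread, from Mozilla or from Symantec: it uses the Python `cryptography` library, applies a simplified reading of the policy (EKU without serverAuth/anyExtendedKeyUsage, or serverAuth plus Name Constraints with permittedSubtrees), and exercises constructed self-signed test certificates rather than the real Symantec AATL ECC Intermediate CA.

```python
import datetime
from cryptography import x509
from cryptography.x509.oid import ExtendedKeyUsageOID, ExtensionOID, NameOID
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec

# EKU values that allow TLS server certificate issuance
TLS_EKUS = {ExtendedKeyUsageOID.SERVER_AUTH, ExtendedKeyUsageOID.ANY_EXTENDED_KEY_USAGE}

def technically_constrained_for_tls(cert):
    """Simplified Mozilla-policy test: constrained if the cert is not a CA,
    if its EKU excludes serverAuth and anyExtendedKeyUsage, or if serverAuth
    is allowed but Name Constraints with permittedSubtrees are present."""
    exts = cert.extensions
    try:
        if not exts.get_extension_for_oid(ExtensionOID.BASIC_CONSTRAINTS).value.ca:
            return True  # end-entity cert: cannot issue certificates
    except x509.ExtensionNotFound:
        return True  # no basicConstraints: not a CA certificate
    try:
        eku = set(exts.get_extension_for_oid(ExtensionOID.EXTENDED_KEY_USAGE).value)
        if not eku & TLS_EKUS:
            return True  # e.g. emailProtection only
    except x509.ExtensionNotFound:
        pass  # no EKU at all: may issue any kind of certificate
    try:
        nc = exts.get_extension_for_oid(ExtensionOID.NAME_CONSTRAINTS).value
        return bool(nc.permitted_subtrees)
    except x509.ExtensionNotFound:
        return False  # CA, TLS-capable, no name limits: unconstrained

def make_test_subca(*extra_exts):
    """Constructed self-signed 'sub CA' (CA:TRUE plus the given extensions);
    only the extension set matters for the check above."""
    key = ec.generate_private_key(ec.SECP256R1())
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "Constructed Test Sub CA")])
    now = datetime.datetime(2016, 4, 21)
    b = (x509.CertificateBuilder().subject_name(name).issuer_name(name)
         .public_key(key.public_key()).serial_number(x509.random_serial_number())
         .not_valid_before(now).not_valid_after(now + datetime.timedelta(days=365))
         .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True))
    for ext in extra_exts:
        b = b.add_extension(ext, critical=False)
    return b.sign(key, hashes.SHA256())

UNCONSTRAINED = make_test_subca()  # CA:TRUE, no EKU, no name limits
SMIME_ONLY = make_test_subca(x509.ExtendedKeyUsage([ExtendedKeyUsageOID.EMAIL_PROTECTION]))
NAME_CONSTRAINED = make_test_subca(
    x509.ExtendedKeyUsage([ExtendedKeyUsageOID.SERVER_AUTH]),
    x509.NameConstraints(permitted_subtrees=[x509.DNSName("example.com")], excluded_subtrees=None))
```

An intermediate that fails this check must, per the quoted policy, be publicly disclosed and audited (or revoked); passing it is what would have let the subCA stay undisclosed.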

