On Friday, April 22, 2016 at 6:41:46 AM UTC-7, Richard Barnes wrote:
> That is not the criterion, Rick. The criterion is "capable of being used
> to issue new certificates":
>
> """
> All certificates that are capable of being used to issue new certificates,
> and which directly or transitively chain to a certificate included in
> Mozilla's CA Certificate Program, MUST be operated in accordance with
> Mozilla's CA Certificate Policy
> <https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/>
> and MUST either be *technically constrained* or be *publicly disclosed and
> audited.*
> """
>
> So until that CA is constrained, disclosed+audited, or revoked, the G4 root
> is out of compliance with Mozilla's policy. If you have any more of these
> around, please make sure to include them in your upcoming disclosures.
>
> --Richard
>
> > We are planning to revoke the Symantec AATL ECC Intermediate CA and
> > provide it along with the "Revoked" list of ICAs to Mozilla in the coming
> > month.

It was an oversight. We'll disclose it in SalesForce today.

_______________________________________________
dev-security-policy mailing list
https://lists.mozilla.org/listinfo/dev-security-policy

