Here is a summary of this discussion so far about Symantec's request to enable EV treatment for the "VeriSign Class 3 Public Primary Certification Authority - G4" root certificate that was included via bug #409235, and has all three trust bits enabled.
1) The "Symantec AATL ECC Intermediate CA" needs to be revoked and added to OneCRL. The intermediate cert has been added to Salesforce. I'm assuming we may proceed with this request, as long as the cert is added to OneCRL before EV treatment is actually enabled in a Firefox release.

2) Questions were raised about wildcard certs in regards to the BRs. But it sounds like for now Symantec's use of wildcard certs is not breaking any BRs.
Question for Symantec: Are any of the issued wildcard certs EV?

3) Question raised: What technical controls are in place to ensure that systems which issue S/MIME certs "in this CA hierarchy" are not capable of issuing an SSL server certificate?
Answer from Symantec: We have a technical control in place for systems that issue S/MIME certs in this CA hierarchy. Our systems use static cert templates from which end-entity certs are issued. Those templates include an EKU value, but do not use the serverAuth or anyExtendedKeyUsage values.

4) Intermediate certificates for this root have been loaded into Salesforce, and are available at the following links:
https://wiki.mozilla.org/CA:SubordinateCAcerts
https://mozillacaprogram.secure.force.com/CA/PublicIntermediateCerts?CAOwnerName=Symantec%20/%20VeriSign
Symantec's revoked intermediate certs have not yet been loaded into Salesforce. As per https://wiki.mozilla.org/CA:Communications#March_2016_Responses Symantec plans to enter this data by June 30, 2016.

This request is still under discussion, so please continue to provide your input.

Thanks,
Kathleen
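The control described in item 3 relies on the Extended Key Usage extension of the issued certificates: an S/MIME template that never carries serverAuth or anyExtendedKeyUsage cannot produce a certificate a browser will accept for TLS. The following script is an added example (not code from the post, from Mozilla or from Symantec) showing how an auditor could verify that property on a cert template or on issued certificates. It contains a small hand-written DER encoder/decoder for the EKU value so it runs offline; the sample EKU values are constructed here for illustration. In a real audit the raw EKU value would be pulled from the certificate (extension OID 2.5.29.37) with a library such as `cryptography`, and a certificate with no EKU extension at all must be treated as a failure, since RFC 5280 reads a missing EKU as "any purpose".

```python
"""Check EKU values against the 'S/MIME templates must not be usable for TLS' rule.

Added example: a minimal DER encoder/decoder for the ExtKeyUsageSyntax
SEQUENCE OF OBJECT IDENTIFIER, plus the policy check itself.
"""

# Well-known EKU purposes (RFC 5280 section 4.2.1.12)
SERVER_AUTH = "1.3.6.1.5.5.7.3.1"
CLIENT_AUTH = "1.3.6.1.5.5.7.3.2"
EMAIL_PROTECTION = "1.3.6.1.5.5.7.3.4"
ANY_EKU = "2.5.29.37.0"

# Purposes that would let an S/MIME issuance system mint a TLS server cert.
FORBIDDEN_FOR_SMIME = {SERVER_AUTH: "serverAuth", ANY_EKU: "anyExtendedKeyUsage"}


def der_len(n):
    """DER length octets (short form below 128, long form otherwise)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def encode_oid(dotted):
    """Encode a dotted OID string as a DER OBJECT IDENTIFIER TLV."""
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([40 * arcs[0] + arcs[1]])  # first two arcs share one octet
    for arc in arcs[2:]:
        chunk = bytearray([arc & 0x7F])          # base-128, high bit set on all but last
        arc >>= 7
        while arc:
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        body += chunk
    return b"\x06" + der_len(len(body)) + bytes(body)


def encode_eku(oids):
    """Encode a list of dotted OIDs as an ExtKeyUsageSyntax SEQUENCE."""
    content = b"".join(encode_oid(o) for o in oids)
    return b"\x30" + der_len(len(content)) + content


def read_tlv(buf, pos):
    """Read one DER TLV at buf[pos]; return (tag, value_bytes, next_pos)."""
    tag = buf[pos]
    first = buf[pos + 1]
    pos += 2
    if first & 0x80:
        n = first & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    else:
        length = first
    return tag, buf[pos:pos + length], pos + length


def decode_oid(body):
    """Decode OBJECT IDENTIFIER content octets to a dotted string.

    The first-octet split (//40, %40) is exact for arcs 0.x and 1.x and for
    the 2.x OIDs used here; it is not a general decoder for 2.40+.
    """
    arcs = [body[0] // 40, body[0] % 40]
    value = 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def decode_eku(der):
    """Parse an ExtKeyUsageSyntax value into a list of dotted OIDs."""
    tag, content, _ = read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("EKU extension value must be a SEQUENCE")
    oids, pos = [], 0
    while pos < len(content):
        t, body, pos = read_tlv(content, pos)
        if t != 0x06:
            raise ValueError("EKU SEQUENCE may only contain OBJECT IDENTIFIERs")
        oids.append(decode_oid(body))
    return oids


def smime_template_violations(eku_der):
    """Names of EKU purposes that make an S/MIME template usable for TLS.

    eku_der is the raw extension value, or None when the extension is absent;
    absence is itself a violation because RFC 5280 treats it as all purposes.
    """
    if eku_der is None:
        return ["missing EKU (all purposes permitted)"]
    return [FORBIDDEN_FOR_SMIME[o] for o in decode_eku(eku_der) if o in FORBIDDEN_FOR_SMIME]


# Constructed sample EKU values standing in for cert templates.
SMIME_OK_EKU = encode_eku([EMAIL_PROTECTION, CLIENT_AUTH])
SMIME_BAD_EKU = encode_eku([EMAIL_PROTECTION, SERVER_AUTH])
SMIME_ANY_EKU = encode_eku([ANY_EKU])

if __name__ == "__main__":
    for name, eku in [("ok", SMIME_OK_EKU), ("bad", SMIME_BAD_EKU), ("any", SMIME_ANY_EKU), ("none", None)]:
        print(name, decode_eku(eku) if eku else None, "->", smime_template_violations(eku) or "pass")
```

Run it as-is to see the three constructed templates evaluated; to audit real certificates, replace the constructed values with the EKU extension bytes read from each cert and feed them to `smime_template_violations`.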