I think the issue or concern about Blue Coat's intermediate CA certificate is irrelevant to "Symantec's policies and governance on its public CA operation". The concern is about Blue Coat's intermediate CA operation.
If it's allowed to continue operation, this intermediate CA certificate can generate any number of forged SSL certificates for any website. How can these certificates be differentiated in CT logs? Some exception treatment again? Secondly, the risk of MITM to internet users will all depend on where Blue Coat is deployed. If it is deployed in a country-wide internet gateway, all internet users of the country will be at risk.

I'd say "Wow, what a mess to the CA ecosystem!"

On 6/15/2016 12:02 PM, [email protected] wrote:
> The integrity of Symantec’s public certification authority will not be
> impacted as a result of the Blue Coat acquisition. Until the acquisition
> is complete, Symantec and Blue Coat will continue to operate as two
> separate companies. Once the transaction is complete, Symantec’s public CA
> infrastructure and capabilities will continue to remain separate and
> independent from Blue Coat’s technology and products. In addition,
> policies and governance will be established to ensure the public CA
> operations will not be used to facilitate packet inspection in the Blue
> Coat offerings that will become a part of Symantec’s portfolio.
> _______________________________________________
> dev-security-policy mailing list
> [email protected]
> https://lists.mozilla.org/listinfo/dev-security-policy

