According to this: https://test4.fpki.18f.gov/ and https://github.com/18F/fpki-testing
Symantec is the second cross-signer of the Federal Bridge, with a root CA that was supposed to be dormant according to the description here: https://www.symantec.com/theme/roots

Root 10
VeriSign Universal Root CA
Description: While this root is not being used today for Symantec's commercial certificate offerings, it is a SHA-256 root that will be used in the future as the root of trust for Class 1, 2 and 3 SHA-256 certificates and should be included in root stores.
Country = US
Organization = VeriSign, Inc.
Organizational Unit = VeriSign Trust Network
Organizational Unit = (c) 2008 VeriSign, Inc. - For authorized use only
Common Name = VeriSign Universal Root Certification Authority
Serial Number: 40 1a c4 64 21 b3 13 21 03 0e bb e4 12 1a c5 1d

signed a certificate for a Sub-CA:

Serial number = 31:6C:EB:69:1D:CB:2E:15:3D:9B:FA:8A:12:1B:D5:2D
CN = VeriSign Class 3 SSP Intermediate CA - G2
OU = VeriSign Trust Network
O = "VeriSign, Inc."
C = US

which in turn signed the Federal Bridge:

Serial number = 10:81:BD:A3:47:84:D0:BB:C1:D4:D1:27:83:48:C5:FA
Issuer:
CN = VeriSign Class 3 SSP Intermediate CA - G2
OU = VeriSign Trust Network
O = "VeriSign, Inc."
C = US
Subject:
CN = Federal Bridge CA 2013
OU = FPKI
O = U.S. Government
C = US

~~~~
Adrian R.

On Friday, 24 June 2016 00:35:33 UTC+3, Peter Bowen wrote:
> DigiCert didn't cross-sign the Federal PKI with their Mozilla trusted CAs.
>
> I'm sure Ben will tell me I have my terminology wrong, but DigiCert
> basically operates two PKIs:
> - DigiCert Public WebPKI
> - DigiCert Shared FederatedPKI
>
> The first is a set of CAs that are in the Mozilla program and CAs
> signed by the Mozilla program. The second is a set of CAs that are
> signed by the US Federal PKI; they are not in the Mozilla program.
>
> The problem is that some non-DigiCert CA in the Mozilla program signed
> the US Federal PKI. The DigiCert Shared FederatedPKI is now brought in
> via that signature, with which they had nothing to do.
> _______________________________________________ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy
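As an added illustration of the chain Adrian lists above (this is example code written for this page, not code from the original thread, from Symantec, DigiCert or the FPKI), the following Python models certificate path building over a cross-certified PKI. It uses the three certificates named in the post (VeriSign Universal Root -> VeriSign Class 3 SSP Intermediate CA - G2 -> Federal Bridge CA 2013, with the serials as listed) and shows how one cross-signature makes an otherwise separate PKI chain to a publicly trusted root, which is the point of Peter's reply. Assumptions: names are matched on the CN alone rather than the full DN, the "Shared FederatedPKI" CA and leaf names are constructed placeholders, and the reverse cross-certificate from the Federal Bridge back to the SSP CA is constructed only to exercise cycle handling.

```python
"""Path building over a cross-certified PKI (added example, not from the post).

Certificates are plain subject/issuer/serial records; no signatures are
checked. Subjects and issuers are CN strings only (real builders compare
full DNs). Serials are the post's values, lowercased, without separators.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Sequence, Set, Tuple


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    serial: str

    @property
    def self_signed(self) -> bool:
        return self.subject == self.issuer


# Certificates named in the post.
VERISIGN_ROOT = Cert(
    "VeriSign Universal Root Certification Authority",
    "VeriSign Universal Root Certification Authority",
    "401ac46421b31321030ebbe4121ac51d",
)
VERISIGN_SSP_G2 = Cert(
    "VeriSign Class 3 SSP Intermediate CA - G2",
    "VeriSign Universal Root Certification Authority",
    "316ceb691dcb2e153d9bfa8a121bd52d",
)
FBCA_2013_FROM_VERISIGN = Cert(          # the cross-signature under discussion
    "Federal Bridge CA 2013",
    "VeriSign Class 3 SSP Intermediate CA - G2",
    "1081bda34784d0bbc1d4d1278348c5fa",
)

# Constructed placeholders (not real certificates) standing in for a CA on
# the federated side that chains to the Federal Bridge, plus a leaf under it.
FEDERATED_CA = Cert("Example Shared FederatedPKI CA (constructed)",
                    "Federal Bridge CA 2013", "01")
FEDERATED_LEAF = Cert("federated-service.example (constructed)",
                      "Example Shared FederatedPKI CA (constructed)", "02")
# Bridges typically cross-certify in both directions; this reverse cross-cert
# is constructed so the builder has a loop it must not follow forever.
REVERSE_CROSS = Cert("VeriSign Class 3 SSP Intermediate CA - G2",
                     "Federal Bridge CA 2013", "03")

WITHOUT_CROSS_SIGN: List[Cert] = [FEDERATED_CA, REVERSE_CROSS, VERISIGN_SSP_G2]
WITH_CROSS_SIGN: List[Cert] = WITHOUT_CROSS_SIGN[:2] + [FBCA_2013_FROM_VERISIGN, VERISIGN_SSP_G2]


def build_path(leaf: Cert, pool: Sequence[Cert], trust_anchors: Sequence[Cert],
               max_depth: int = 8) -> Optional[List[Cert]]:
    """Return [leaf, ..., anchor] or None.

    Depth-first search on issuer-name matching: each step picks a pool
    certificate whose subject equals the current issuer. The path ends when
    the current issuer names a trust anchor. Certificates are identified by
    (issuer, serial) so the same cert is never used twice on one path.
    """
    by_subject: Dict[str, List[Cert]] = {}
    for c in pool:
        by_subject.setdefault(c.subject, []).append(c)
    anchors = {a.subject: a for a in trust_anchors}

    def dfs(chain: List[Cert], seen: Set[Tuple[str, str]]) -> Optional[List[Cert]]:
        current = chain[-1]
        if current.issuer in anchors:
            return chain + [anchors[current.issuer]]
        if len(chain) >= max_depth:
            return None
        for cand in by_subject.get(current.issuer, []):
            key = (cand.issuer, cand.serial)
            if cand.self_signed or key in seen:   # untrusted roots and loops are skipped
                continue
            found = dfs(chain + [cand], seen | {key})
            if found:
                return found
        return None

    return dfs([leaf], {(leaf.issuer, leaf.serial)})


def path_subjects(leaf: Cert, pool: Sequence[Cert],
                  trust_anchors: Sequence[Cert]) -> Optional[List[str]]:
    """Subjects along the built path, or None when no path reaches an anchor."""
    path = build_path(leaf, pool, trust_anchors)
    return None if path is None else [c.subject for c in path]


if __name__ == "__main__":
    # The trust store contains only the "dormant" VeriSign root; the builder
    # does not know or care whether the root is in commercial use.
    print("with cross-sign:   ", path_subjects(FEDERATED_LEAF, WITH_CROSS_SIGN, [VERISIGN_ROOT]))
    print("without cross-sign:", path_subjects(FEDERATED_LEAF, WITHOUT_CROSS_SIGN, [VERISIGN_ROOT]))
```

The second call returns None because nothing in the pool has the subject "Federal Bridge CA 2013" once the VeriSign-issued bridge certificate is removed; with it present, the federated leaf reaches the VeriSign root through the bridge, and the constructed reverse cross-certificate is tried and discarded rather than looping.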