On Wednesday, May 18, 2016 at 2:58:54 PM UTC-7, Kathleen Wilson wrote:
> Here is a summary of this discussion so far about Symantec's request to
> enable EV treatment for the "VeriSign Class 3 Public Primary Certification
> Authority - G4" root certificate that was included via bug #409235, and has
> all three trust bits enabled.
>
> 1) The "Symantec AATL ECC Intermediate CA" needs to be revoked and added to
> OneCRL. The intermediate cert has been added to Salesforce.
> I'm assuming we may proceed with this request, as long as the cert is added
> to OneCRL before EV treatment is actually enabled in a Firefox release.

It’s been revoked.

>
> 2) Questions were raised about wildcard certs in regards to the BRs. But it
> sounds like for now Symantec's use of wildcard certs is not breaking any BRs.
> Question for Symantec: Are any of the issued wildcard certs EV?

No, we have not issued an EV wildcard certificate.

>
> 3) Question raised: What technical controls are in place to ensure that
> systems which issue S/MIME certs "in this CA hierarchy" are not capable of
> issuing an SSL server certificate?
> Answer from Symantec: We have a technical control in place for systems that
> issue S/MIME certs in this CA hierarchy. Our systems use static cert
> templates from which end-entity certs are issued. Those templates include an
> EKU value, but do not use the serverAuth or anyExtendedKeyUsage values.
>
> 4) Intermediate certificates for this root have been loaded into Salesforce,
> and are available at the following links:
> https://wiki.mozilla.org/CA:SubordinateCAcerts
> https://mozillacaprogram.secure.force.com/CA/PublicIntermediateCerts?CAOwnerName=Symantec%20/%20VeriSign
> Symantec’s revoked intermediate certs have not yet been loaded into
> Salesforce.
> As per https://wiki.mozilla.org/CA:Communications#March_2016_Responses
> Symantec plans to enter this data by June 30, 2016.

Yes, the revoked intermediates have been added to Salesforce.

>
> This request is still under discussion, so please continue to provide your
> input.
>
> Thanks,
> Kathleen

