Hi Kathleen,

The WT/BR audit covering this root is at
https://www.symantec.com/content/en/us/about/media/repository/Symantec-Thawte-WTBR-2015.pdf.
You'll find it listed as the fourth entry in the left column on page 6.

Kind regards,
Steven Medin
PKI Policy Manager, Symantec Corporation



-----Original Message-----
From: dev-security-policy 
[mailto:dev-security-policy-bounces+steve_medin=symantec....@lists.mozilla.org] 
On Behalf Of Kathleen Wilson
Sent: Monday, July 18, 2016 7:26 PM
To: [email protected]
Subject: Re: Request to enable EV for VeriSign Class 3 G4 ECC root

On 5/18/16 2:51 PM, Kathleen Wilson wrote:
> Here is a summary of this discussion so far about Symantec's request to 
> enable EV treatment for the "VeriSign Class 3 Public Primary Certification 
> Authority - G4" root certificate that was included via bug #409235, and has 
> all three trust bits enabled.
>
> 1) The "Symantec AATL ECC Intermediate CA" needs to be revoked and added to 
> OneCRL. The intermediate cert has been added to Salesforce.
> I'm assuming we may proceed with this request, as long as the cert is added 
> to OneCRL before EV treatment is actually enabled in a Firefox release.

It’s been revoked.
https://bugzilla.mozilla.org/show_bug.cgi?id=1287592


> 2) Questions were raised about wildcard certs in regards to the BRs. But it 
> sounds like for now Symantec's use of wildcard certs is not breaking any BRs.
> Question for Symantec: Are any of the issued wildcard certs EV?

Symantec responded to say that they have not issued EV wildcard certs.

> 3) Question raised: What technical controls are in place to ensure that 
> systems which issue S/MIME certs "in this CA hierarchy" are not capable of 
> issuing an SSL server certificate?
> Answer from Symantec: We have a technical control in place for systems that 
> issue S/MIME certs in this CA hierarchy.  Our systems use static cert 
> templates from which end-entity certs are issued. Those templates include an 
> EKU value, but do not use the serverAuth or anyExtendedKeyUsage values.

Symantec's further responses: We will be stopping SHA1 ICA usage by the end of 
2016 for SMIME. We plan to use a new ICA that has a compliant EKU to issue 
SMIME certificates by the end of 2016.
For SHA-1 signed S/MIME certificates, the serial number is a 128-bit random 
number, which makes the certificate contents unpredictable.

> 4) Intermediate certificates for this root have been loaded into Salesforce, 
> and are available at the following links:
> https://wiki.mozilla.org/CA:SubordinateCAcerts
> and
> https://wiki.mozilla.org/CA:RevokedSubCAcerts

I believe that all of the questions/concerns raised during this discussion have 
been resolved. So I am about ready to wrap up this discussion and recommend 
approval of this request.

However, I am not finding the current WTBR audit statement for this root 
certificate.  I am finding the other Symantec audit statements in the "Roots & 
Audit Reports" tab of https://www.symantec.com/about/legal/repository.jsp
And I have exchanged email with the auditor to confirm the authenticity of the 
audit statements.

Sanjay, Please let me know which of the audit statements on the website contain 
the WTBR audit statement covering this root certificate.

Thanks,
Kathleen

_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy
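The technical control described under point 3 (a static S/MIME issuance template whose EKU omits serverAuth and anyExtendedKeyUsage) and the 128-bit random serial mentioned right after it, as an added Go example that is not Symantec's code or anything from the thread: it builds two constructed self-signed certificates with only the standard library, one from a compliant template and one that was edited to add serverAuth and use a small sequential serial, and runs the checks a reviewer would apply to an issued certificate. Template contents, subject names, and the function names are assumptions for illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// minSerialBits is the Baseline Requirements floor for serial number entropy;
// the thread reports 128-bit random serials, well above it.
const minSerialBits = 64

// smimeTemplate models the static S/MIME template described in the thread:
// a fixed EKU carrying only emailProtection. All values are constructed.
func smimeTemplate(serial *big.Int) *x509.Certificate {
	now := time.Now()
	return &x509.Certificate{
		SerialNumber:   serial,
		Subject:        pkix.Name{CommonName: "constructed S/MIME subscriber"},
		NotBefore:      now,
		NotAfter:       now.Add(365 * 24 * time.Hour),
		KeyUsage:       x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
		ExtKeyUsage:    []x509.ExtKeyUsage{x509.ExtKeyUsageEmailProtection},
		EmailAddresses: []string{"subscriber@example.com"},
	}
}

// selfSign issues the template under a throwaway P-256 key and parses the DER
// back, so the checks run against the certificate as a relying party sees it.
func selfSign(tmpl *x509.Certificate) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// IssueSMIME produces a certificate from the compliant template with a
// 128-bit random serial drawn from the OS CSPRNG.
func IssueSMIME() (*x509.Certificate, error) {
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
	if err != nil {
		return nil, err
	}
	return selfSign(smimeTemplate(serial))
}

// IssueMisconfigured produces the failure case: the same template edited to
// add serverAuth, issued with a small sequential serial.
func IssueMisconfigured() (*x509.Certificate, error) {
	tmpl := smimeTemplate(big.NewInt(42))
	tmpl.ExtKeyUsage = append(tmpl.ExtKeyUsage, x509.ExtKeyUsageServerAuth)
	return selfSign(tmpl)
}

// Violations lists what a reviewer would flag on a certificate that is
// supposed to come from an S/MIME-only template.
func Violations(cert *x509.Certificate) []string {
	var out []string
	if len(cert.ExtKeyUsage) == 0 && len(cert.UnknownExtKeyUsage) == 0 {
		out = append(out, "no EKU extension: usage is unconstrained")
	}
	for _, eku := range cert.ExtKeyUsage {
		switch eku {
		case x509.ExtKeyUsageServerAuth:
			out = append(out, "EKU contains serverAuth")
		case x509.ExtKeyUsageAny:
			out = append(out, "EKU contains anyExtendedKeyUsage")
		}
	}
	if cert.SerialNumber.Sign() <= 0 {
		out = append(out, "serial number is not positive")
	}
	// Bit length is only a proxy: one certificate cannot prove its serial came
	// from a CSPRNG, but a short serial is a certain failure of the floor.
	if n := cert.SerialNumber.BitLen(); n < minSerialBits {
		out = append(out, fmt.Sprintf("serial has only %d bits", n))
	}
	return out
}

func main() {
	for name, issue := range map[string]func() (*x509.Certificate, error){
		"smime-only": IssueSMIME, "misconfigured": IssueMisconfigured,
	} {
		cert, err := issue()
		if err != nil {
			panic(err)
		}
		fmt.Printf("%s: %v\n", name, Violations(cert))
	}
}
```

The EKU check is the part that matters for the question asked in the thread: a certificate whose EKU lists only emailProtection cannot be used as a TLS server certificate by a conforming client, whereas a missing EKU or an anyExtendedKeyUsage value leaves it usable for anything. The serial check is deliberately weak, since randomness is a property of the issuing process rather than of a single certificate; it catches the obvious case (a short sequential serial) and nothing more.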
