Hi Ryan,

On 09/02/17 19:55, Ryan Hurst wrote:
> - The EV OID associated with this permission is associated with GlobalSign
>   and not Google and,

Which EV OID are you referring to, precisely?

> - GlobalSign is an active member in good standing with the respective root
>   programs and,
> - Google will not be issuing EV SSL certificates,
> - Google will operate these roots under their own CP/CPS’s and associated
>   OIDs,
> - Google issuing a certificate with the GlobalSign OIDs would qualify as
>   mis-issuance.
>
> That it would be acceptable for us not to undergo an EV SSL audit,
> and that GlobalSign could keep the EV right for the associated subordinate
> CA for the remaining validity period to facilitate the transition
> (assuming continued compliance).

Just to be clear: GlobalSign continues to operate at least one subCA under a root which Google has purchased, and that root is EV-enabled, and the sub-CA continues to do EV issuance (and is audited as such) but the root is no longer EV audited, and nor is the rest of the hierarchy?

> When looking at this issue it is important to keep in mind Google has
> operated a WebTrust audited subordinate CA under Symantec for quite a
> long time. As part of this they have maintained audited facilities,
> and procedures appropriate for offline key management, CRL/OCSP
> generation, and other related activities. Based on this, and the
> timing of both our audit, and key transfer all parties concluded it
> would be sufficient to have the auditors provide an opinion letter
> about the transfer of the keys and have those keys covered by the
> subsequent annual audit.

Can you tell us what the planned start/end dates for the audit period of that annual audit are/will be?

Are the Google roots and/or the GlobalSign-acquired roots currently issuing EE certificates? Were they issuing certificates between 11th August 2016 and 8th December 2016?

Gerv

