In the case of CrossCert, where we have evidence of failure to properly 
document their work, we are NOT relying on their previous work and have begun 
fully revalidating all active certificates. In the cases of the other 3 RAs, 
our focus is reviewing all of the work previously done to verify that it can, 
in fact, be relied upon and/or determine where full revalidation, without 
relying on the prior work of the RA, is warranted, if at all.


> -----Original Message-----
> From: dev-security-policy [mailto:dev-security-policy-
> bounces+steve_medin=symantec....@lists.mozilla.org] On Behalf Of Ryan
> Sleevi via dev-security-policy
> Sent: Wednesday, March 08, 2017 11:37 AM
> To: Gervase Markham <g...@mozilla.org>
> Cc: Ryan Sleevi <r...@sleevi.com>; mozilla-dev-security-
> pol...@lists.mozilla.org
> Subject: Re: Symantec: Next Steps
> 
> 
> I highlight this, because at least one of these DTPs failed to maintain
> sufficient audit logs, and Symantec has stated it plans to continue using this
> information - information improperly secured, improperly maintained, and
> with improper access controls - for the issuance of certificates.
> 
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
