In order for Symantec to reveal anybody's private keys they'd first need to 
have those keys, which is already, IIRC forbidden in the BRs. So even proof 
that Symantec routinely had these keys is a big deal. The whole reason things 
like CSR signing exist is that public CAs have no reason to know anybody's 
private key, the clue is in the name.

Beyond that I'll note that anybody reading Raymond Chen for a few weeks will 
learn that not every researcher who thinks they just found a smoking gun turns 
out to know what a gun actually is, nor sometimes what constitutes smoke. So, 
evidence is what we need. Neither holes in Symantec security nor overclaims 
from a person who misunderstood what they were seeing are unlikely.
dev-security-policy mailing list

Reply via email to