Issue L: Cross-Signing the US Federal Bridge (February 2011 - July 2016)

Symantec, as well as VeriSign, has participated in the FPKI since 2006, and we take our responsibility as a participant in this program very seriously. When Symantec began participating in FPKI, FPKI rules required two-way cross-certification in a networked PKI model. In addition, FPKI rules mandated multiple assurance levels, which we mapped to our Class 1, Class 2 and Class 3 roots. Class 3 roots are the only ones that have ever been enabled for TLS server certificate issuance.
In February 2016, Eric Mill prompted discussions with Symantec and the community about why the cross-certification resulted in some FPKI certs being trusted in browsers, at https://github.com/18F/fpki-testing/issues/1. That discussion highlighted that browsers didn't process certificate policy extension content during path building, while FPKI made extensive use of policy processing. We had already engaged with FPKI personnel to address this concern, and further engaged to determine if one-way cross-certification from FPKI to Symantec was sufficient, such that we could remove the cross-certification from Symantec to FPKI. On July 5, 2016, FPKI notified Symantec that the cross-certificate, which was set to expire July 31, 2016, would not be required. Because we have a responsibility to our customers to ensure their businesses remain uninterrupted, we knew that communication and giving them adequate time to adjust to the unscheduled change in trust was critical. In order to effect minimal disruption, we allowed the cross-certificate to expire on July 31, 2016, rather than revoking it sooner.

_______________________________________________
dev-security-policy mailing list
https://lists.mozilla.org/listinfo/dev-security-policy