Issue L: Cross-Signing the US Federal Bridge (February 2011 - July 2016)

Symantec, as well as VeriSign, has participated in the FPKI since 2006, and we 
take our responsibility as a participant of this program very seriously. When 
Symantec began participating in FPKI, FPKI rules required two-way 
cross-certification in a networked PKI model. In addition, FPKI rules mandated 
multiple assurance levels, which we mapped to our Class 1, Class 2 and Class 3 
roots. Class 3 roots are the only ones that have ever been enabled for TLS 
server certificate issuance.

In February 2016, Eric Mill prompted discussions with Symantec and the 
community about why the cross-certification resulted in some FPKI certs being 
trusted in browsers at That 
discussion highlighted that browsers didn't process certificate policy 
extensions content during path building, while FPKI made extensive use of 
policy processing. We had already engaged with FPKI personnel to address this 
concern, and further engaged to determine if one-way cross-certification from 
FPKI to Symantec was sufficient, such that we could remove the 
cross-certification from Symantec to FPKI. On July 5, 2016,  FPKI notified 
Symantec that the cross-certificate, which was set to expire July 31, 2016, 
would not be required.

Because we have a responsibility to our customers to ensure their businesses 
remain uninterrupted, we knew that communication and giving them adequate time 
to adjust to the unscheduled change in trust was critical. In order to effect 
minimal disruption, we allowed the cross-certificate to expire on July 31, 
2016, rather than revoking it sooner.
dev-security-policy mailing list

Reply via email to