Issue P: UniCredit Sub CA Failing To Follow BRs (April - October 2016)

We are committed to keeping our customers, partners and ecosystem informed and 
taking action when necessary.  We recognize that there are issues we are 
accountable for, such as our March 2016 CA Communication response indicating we 
had disclosed all subordinate CAs. The omission of UniCredit was an oversight, 
it should have been disclosed as part of this March 2016 response. However, we 
were taking appropriate actions to address the underlying compliance issues.

We worked with UniCredit over a long period of time to enforce their compliance 
with audit requirements. In July 2016, we received an assessment that did not 
meet WebTrust audit standards. We then took action, helping UniCredit 
transition to a managed PKI solution for their certificate needs that did not 
require an audit. In parallel, we notified them of termination of their 
subordinate CA.

Because our customers are our top priority, we attempted to minimize business 
disruption while they transitioned by permitting UniCredit to operate only its 
CRL service until November 30, 2016, at which point we would revoke the 
UniCredit subordinate CA. In October 2016, UniCredit issued one new certificate 
in violation of the terms of that transition plan. Following that, Symantec 
promptly revoked the UniCredit subordinate CA on October 18, 2016.
dev-security-policy mailing list

Reply via email to