Hi Steve,

Quick questions:

1) To confirm, your response states nothing about any improved procedures or testing put into place regarding this.
   a) Can you describe what, if anything, Symantec did, besides "fix the bug"?
   b) What assurances should the community have regarding Symantec's commitment to proactively identify bugs versus reactively respond to them, on the basis of this disclosure?

2) Symantec did not disclose the number of certificates affected. That is, the response states "exploitation" or "adverse impact", but that's based on Symantec's judgement.
   a) How many certificates were affected?
   b) What steps did Symantec take regarding such certificates?
   c) Did you revoke them, pursuant to Baseline Requirements, Section 4.9.1.1, Items 4 and 9?
   d) If not, why not?

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy