On Tue, Apr 11, 2017 at 12:53 PM, Gervase Markham via dev-security-policy <dev-security-policy@lists.mozilla.org> wrote:

> > "to specifically address the
> > GeoRoot audit status and remediation plan" - this was not reflected within
> > https://www.symantec.com/content/en/us/about/media/repository/23_Symantec_GeoTrust_WTBR_period_end_11-30-2016.pdf
> > , the relevant audit for the roots, ending on 2016-11-30.
>
> I'm a little confused - I think Symantec are saying that the cover
> letter explains the plan to wind down the two sub-CAs, not that the
> audit does?

I believe you are correct that they are claiming the letter sent addresses that. I am highlighting, however, that such a statement was not recorded in their audit, despite it being a violation of the Baseline Requirements during the period of time in the audit.

That is, if you are accepting that such a letter is relevant to the discussion (and I believe it's fair to consider it as part of that), then you should also consider as relevant to the conversation the failure to either disclose that to the auditors or for the auditors to note that (whichever it may be).