> -----Original Message-----
> From: Gervase Markham [mailto:g...@mozilla.org]
> Sent: Thursday, April 13, 2017 9:13 AM
> To: Steve Medin <steve_me...@symantec.com>; Rick Andrews
> <rick_andr...@symantec.com>; mozilla-dev-security-
> pol...@lists.mozilla.org
> Subject: [EXT] Re: Questions for Symantec
> On 03/04/17 13:11, Gervase Markham wrote:
> > Hi Steve and Rick,
> Q9) Can you please tell us which audit covers the following two intermediate
> CAs, which are subordinates of or cross-certified by VeriSign Universal Root
> Certification Authority?

These Intermediate CAs are sub-CAs under the Verisign Universal Root CA. They 
are covered under Symantec’s Non-Fed SSP audits, and the latest unqualified 
audits that we just received are being published.

The customer-specific CAs (the subordinate ICAs) signed by these sub-CAs are 
path length constrained and operate fully within Symantec’s infrastructure. 
Under the Non-Federal SSP program, they are used to issue certificates for 
Microsoft Windows domain controllers and IPSec endpoints. End entity 
certificates issued under this program are designed only to contain Federal PKI 
policy OIDs and to exclude any CA/B Forum required policy OIDs.

dev-security-policy mailing list

Reply via email to