The deadline for Symantec to submit comments passed yesterday; they chose to issue a large PDF[0] of responses just before the deadline, leaving no time for further discussion and clarification. That's their right, of course, but it may leave some places where we have to make assumptions.
I've updated the Issues list: https://wiki.mozilla.org/CA:Symantec_Issues with the latest information. 3 issues have been marked as STRUCK due to lack of evidence of anything actually being wrong - including, importantly, the suggestion that they have unaudited unconstrained intermediates (further audits have been published).

I would assess the situation now as follows:

Major:
  Issue D: Test Certificate Misissuance
  Issue L: Cross-Signing the US Federal Bridge
  Issue P: UniCredit Sub CA Failing To Follow BRs
  Issue T: CrossCert Misissuances
  Issue V: GeoRoot Program Audit Issues
  Issue W: RA Program Audit Issues

Intermediate:
  Issue Q: Symantec Audit Issues 2016
  Issue J: SHA-1 Issuance After Deadline, Again

Minor:
  Issue B: Issuance of 1024-bit Certificate Expiring After Deadline
  Issue E: Domain Validation Vulnerability
  Issue H: SHA-1 Issuance After Deadline
  Issue N: Premature Manual Signing Using SHA-1

Informational:
  Issue F: Symantec Audit Issues 2015

Struck:
  Issue R: Insecure Issuance API
  Issue X: Incomplete RA Program Remediation
  Issue Y: Unaudited Unconstrained Intermediates

Symantec have also written to Mozilla to say the following:

"We have been working hard on a thorough and thoughtful proposal that responds to community questions and concerns regarding our compliance and issuance practices. In drafting this proposal, we've thoughtfully considered the feedback posted on the Mozilla forums along with comments on the Google forums and other community feedback. We've also solicited input from our customers who are the ones that would bear the impact of changes, whether as a result of our proposal or any other.

We plan to send a proposal for Mozilla's and the community's consideration on Wednesday April 26th that addresses these important areas:

* The Integrity of our EV Validation Process
* Validity of Existing Certificates
* Increased Transparency
* Move to Shorter Validity Certificates
* Continuous Improvement of our CA Operations"

This date is in the middle of next week. We permitted WoSign to propose a remediation plan; I think it is reasonable to do the same for Symantec. So we will wait to hear what they have to say, and then discuss appropriate action in the light of it.

Gerv

[0] https://bug1334377.bmoattachments.org/attachment.cgi?id=8860216

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy