On Fri, Apr 21, 2017 at 6:16 AM, Gervase Markham via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote:
> I've updated the Issues list:
> https://wiki.mozilla.org/CA:Symantec_Issues
> with the latest information. 3 issues have been marked as STRUCK due to
> lack of evidence of anything actually being wrong - including,
> importantly, the suggestion that they have unaudited unconstrained
> intermediates (further audits have been published).

Gerv, I would encourage you to talk to Kathleen before considering that matter resolved, because it is different than the advice and requirements that have been given to other CAs, and to the work required of them.

For example, as you know, Mozilla required that the Belgian subordinates previously under the Verizon brands, now under Digicert, undergo a BR audit to attest that no SSL certificates have been issued. This is not the only CA, but it was merely the most recent for which such a requirement was made - of both the sub-CA and the parent CA. The conclusion to strike this would thus be an inconsistent application of Mozilla policy. I believe you're on some of those threads.

The audits provided are also not consistent with the Mozilla Root Program requirements, which define technical capability of issuance and the appropriate audit standards. Specifically, section 5.3 of the policy appears to provide unambiguous clarification that the audit scheme used for these sub-CAs, and their sub-CAs, is not consistent with Mozilla policy, and this non-consistency has been made clear to other CAs with a requirement for remediation or revocation.