Is there any update on

I'm just wanting to understand how this relates to Mozilla's PKI policy and
expectations, and better understand why you struck it.

- The CP/CPS does not state adherence to the Baseline Requirements.
- The audit was only to "WebTrust Principles and Criteria for CAs v2.0" -
e.g. not BRs
- Seemingly excluded from scope of the audits are the following, for , on the basis of
Footnote 1 in

Of critical relevance:
- If you examine the CPS that was audited, it notes in Appendix A.5 that
the profile includes issuing certificates with dNSName and iPAddress SANs,
with the anyExtendedKeyUsage (or the presence of more specific EKUs)

- If you examine Symantec's statements on this matter in , they stated
"Under the Non-Federal SSP program, they are used to issue certificates for
Microsoft Windows domain controllers and IPSec endpoints." A Windows
domain controller requires that it have id-kp-serverAuth, with a dNSName

Thus, there is every indication that Symantec has issued certificates used
for SSL/TLS under these intermediates and failed to maintain the
appropriate audits, as required by Mozilla Policy.

Perhaps it might be useful to clarify, given that DigiCert and Verizon
have, since January, been operating under a different set of advice from
Mozilla: for a CA that is not "intended" to issue SSL/TLS certificates but
is technically capable of doing so, and merely has not, what audits does
Mozilla expect around this? Further, does Mozilla expect a sampling audit
of 3% or a full audit of 100% with respect to whatever attestations are
made regarding the non-issuance of TLS certificates?

For your reference, this was , and you can find the
thread titled "RE: Audit of Belgian subordinates" dated Jan 6 to several of
the CA peers, including yourself.
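The "technically capable of SSL/TLS" test the post relies on can be written down as a check a root program or CA compliance team can run over a certificate corpus. The following is an added example, not code from the post, from Mozilla, or from any CA: a Go program using only the standard library that classifies a certificate as TLS-capable when it carries a dNSName or iPAddress SAN and its EKU is absent, contains anyExtendedKeyUsage, or contains id-kp-serverAuth. The sample certificates are self-signed test certificates constructed inline (the names and EKU profiles are assumptions that mirror the Appendix A.5 and domain-controller descriptions above); the exact threshold is this example's reading of the argument, not quoted policy text.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// tlsCapable reports whether a leaf certificate could be accepted by a TLS
// client as a server certificate: it must carry a dNSName or iPAddress SAN,
// and its EKU must be absent (unrestricted), contain anyExtendedKeyUsage, or
// contain id-kp-serverAuth. An EKU list that only names other purposes
// (e.g. clientAuth or IPSec) is treated as not TLS-capable.
func tlsCapable(cert *x509.Certificate) bool {
	if len(cert.DNSNames) == 0 && len(cert.IPAddresses) == 0 {
		return false
	}
	// No EKU extension at all: nothing restricts the key to non-TLS uses.
	if len(cert.ExtKeyUsage) == 0 && len(cert.UnknownExtKeyUsage) == 0 {
		return true
	}
	for _, eku := range cert.ExtKeyUsage {
		if eku == x509.ExtKeyUsageAny || eku == x509.ExtKeyUsageServerAuth {
			return true
		}
	}
	return false
}

// mintTestCert builds a self-signed certificate with the given SANs and EKUs.
// Constructed solely for this example; it is not any CA's real certificate.
func mintTestCert(dns []string, ips []net.IP, ekus []x509.ExtKeyUsage) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "example-profile-test"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  ekus,
		DNSNames:     dns,
		IPAddresses:  ips,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// scenarios classifies the profiles discussed in the thread plus two
// deliberately non-TLS profiles, keyed by a short label.
func scenarios() (map[string]bool, error) {
	cases := []struct {
		name string
		dns  []string
		ips  []net.IP
		ekus []x509.ExtKeyUsage
	}{
		// Appendix A.5 style: dNSName SAN with anyExtendedKeyUsage.
		{"anyEKU+dNSName", []string{"dc01.corp.example"}, nil, []x509.ExtKeyUsage{x509.ExtKeyUsageAny}},
		// Domain-controller style: id-kp-serverAuth with a dNSName.
		{"serverAuth+dNSName", []string{"dc02.corp.example"}, nil, []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}},
		// iPAddress SAN with no EKU extension at all.
		{"noEKU+iPAddress", nil, []net.IP{net.ParseIP("192.0.2.10")}, nil},
		// Restricted to clientAuth only: not usable as a TLS server cert.
		{"clientAuthOnly+dNSName", []string{"user.corp.example"}, nil, []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}},
		// IPSec end-system EKU and no SAN of a TLS-relevant type.
		{"ipsecOnly+noSAN", nil, nil, []x509.ExtKeyUsage{x509.ExtKeyUsageIPSECEndSystem}},
	}
	out := make(map[string]bool, len(cases))
	for _, c := range cases {
		cert, err := mintTestCert(c.dns, c.ips, c.ekus)
		if err != nil {
			return nil, fmt.Errorf("%s: %w", c.name, err)
		}
		out[c.name] = tlsCapable(cert)
	}
	return out, nil
}

func main() {
	results, err := scenarios()
	if err != nil {
		panic(err)
	}
	for name, capable := range results {
		fmt.Printf("%-24s TLS-capable=%v\n", name, capable)
	}
}
```

In practice the same function would be run over the certificates actually issued under the intermediates in question (for example, from CT logs or a CA-provided export) rather than over constructed samples; any certificate it flags is one the BR audit scope would need to cover.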