On Thu, Apr 27, 2017 at 3:52 PM, Jeremy Rowley via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote:
> Your post made me realize that we never publicly posted the status of these > last few CAs. Sorry about that. Here's the plan: > > 1. ABB - ABB was supposed to be technically constrained (and is restricted > to certain names). However, the technical constraints were added > incorrectly > and didn't exclude IPv6. We're working with them to update the > intermediate > with a properly constrained sub CA. > > 2. Bechtel - The Bechtel intermediates are scheduled for revocation the > last > day of April. > > 3. Nets Norway - This intermediate lacked an EKU but was constrained to > certain domain names under Nets Norway's control. Nets Norway is no longer > using the intermediate but would like to leave the intermediate active > until > the certs expire. I'm not sure what to do on this one. Any thoughts? > > To save everyone else 3 minutes of search crt.sh, the oldest cert that I saw under this intermediate was November 2019. Alex > 4. Belgium Roots - The Belgium roots have audits now. We are waiting on the > audit report publication to change the status. The reports were provided to > the browsers but aren't available publicly yet. The Belgium CAs only issue > client certificates. > > Jeremy > > > > -----Original Message----- > From: dev-security-policy > [mailto:dev-security-policy-bounces+jeremy.rowley= > digicert.com@lists.mozilla > .org] On Behalf Of Rob Stradling via dev-security-policy > Sent: Thursday, April 27, 2017 4:38 AM > To: mozilla-dev-security-policy > <mozilla-dev-security-pol...@lists.mozilla.org> > Subject: Re: Symantec Conclusions and Next Steps > > On 26/04/17 21:21, Rob Stradling via dev-security-policy wrote: > <snip> > > (Note: A few of the non-Symantec entries currently listed by > > https://crt.sh/mozilla-disclosures#undisclosed are false positives, I > > think. It looks like Kathleen has marked some roots as "Removed" on > > CCADB ahead of the corresponding certdata.txt update on mozilla-central). > > Ah, I take that back. The March certdata.txt update did hit > mozilla-central > on 11th April, but I missed an alert. I've just pushed that update to > crt.sh. > > https://crt.sh/mozilla-disclosures#undisclosed is currently free of false > positives. It shows that DigiCert, StartCom and Symantec are currently > out-of-compliance with Mozilla's disclosure requirement. > > -- > Rob Stradling > Senior Research & Development Scientist > COMODO - Creating Trust Online > > _______________________________________________ > dev-security-policy mailing list > dev-security-policy@lists.mozilla.org > https://lists.mozilla.org/listinfo/dev-security-policy > > _______________________________________________ > dev-security-policy mailing list > dev-security-policy@lists.mozilla.org > https://lists.mozilla.org/listinfo/dev-security-policy > > _______________________________________________ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy