Thanks Alex. Greatly appreciated.

From: Alex Gaynor
Sent: Thursday, April 27, 2017 2:05 PM
To: Jeremy Rowley
Cc: Rob Stradling; mozilla-dev-security-policy
Subject: Re: Symantec Conclusions and Next Steps

On Thu, Apr 27, 2017 at 3:52 PM, Jeremy Rowley via dev-security-policy wrote:

Your post made me realize that we never publicly posted the status of these
last few CAs. Sorry about that.  Here's the plan:

1. ABB - ABB was supposed to be technically constrained (and is restricted
to certain names). However, the technical constraints were added incorrectly
and didn't exclude IPv6.  We're working with them to update the intermediate
with a properly constrained sub CA.

2. Bechtel - The Bechtel intermediates are scheduled for revocation the last
day of April.

3. Nets Norway - This intermediate lacked an EKU but was constrained to
certain domain names under Nets Norway's control. Nets Norway is no longer
using the intermediate but would like to leave the intermediate active until
the certs expire. I'm not sure what to do on this one. Any thoughts?

To save everyone else 3 minutes of search, the oldest cert that I saw 
under this intermediate was November 2019.


4. Belgium Roots - The Belgium roots have audits now. We are waiting on the
audit report publication to change the status. The reports were provided to
the browsers but aren't available publicly yet. The Belgium CAs only issue
client certificates.


-----Original Message-----
From: dev-security-policy On Behalf Of Rob Stradling via dev-security-policy
Sent: Thursday, April 27, 2017 4:38 AM
To: mozilla-dev-security-policy
Subject: Re: Symantec Conclusions and Next Steps

On 26/04/17 21:21, Rob Stradling via dev-security-policy wrote:
> (Note: A few of the non-Symantec entries currently listed by
> are false positives, I
> think.  It looks like Kathleen has marked some roots as "Removed" on
> CCADB ahead of the corresponding certdata.txt update on mozilla-central).

Ah, I take that back.  The March certdata.txt update did hit mozilla-central
on 11th April, but I missed an alert.  I've just pushed that update to is currently free of false
positives.  It shows that DigiCert, StartCom and Symantec are currently
out-of-compliance with Mozilla's disclosure requirement.

Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online

dev-security-policy mailing list 
