This seems like a very reasonable stance for Mozilla to take: strongly 
encourage a new Symantec PKI so they start with a clean slate, otherwise staged 
distrust of all existing certificates with the requirement that Symantec 
produce a full document/diagram of how the components of their PKI are 
connected so that the non-BR-compliant bits can be "chopped off" from trust via 

Given Symantec's propensity for responding right at deadlines, might I suggest 
that, should Symantec not choose to stand up a new PKI, you set a 
reasonable deadline for the production of the document described above? Perhaps 
May 12th?

Also, in the responses, Symantec claims that MSC Trustgate is no longer an RA 
(but could be a reseller). I did a quick search on for recent 
certificates that have been supplied by MSC Trustgate:

It looks to me like MSC is now a globalsign reseller (sure, why not). But one 
certificate stood out:

Going back to April 2013, this is the *only* "supplied by MSC trustgate" 
certificate in that chains off a Symantec root; all others are 
Globalsign. Can Symantec confirm that they vetted this (OV) certificate 
in-house? While I suppose MSC could supply certs from multiple CAs, I find it 
odd that everything in the logs since April 2013 is Globalsign except this one 
outlier -- and am concerned it means there was some mechanism for MSC to issue 
/ have issued a cert off a Symantec chain -- and this concerns me given the 
higher nominal level of validation.
dev-security-policy mailing list

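The check described in the post (look at every "supplied by" certificate for a reseller since a given date, find the root its chain terminates in, and flag the ones that deviate from the reseller's usual CA) as an added worked example; this is not code from the original message, and the records are constructed to mirror the shape of CT-log search results, not real log data.

```python
from collections import Counter
from datetime import date

# Constructed sample records shaped like CT-log search hits:
# (subject common name, not-before date, organisation of the chain's root,
#  reseller named in the "supplied by" tag). All values are made up.
SAMPLE_RECORDS = [
    ("shop.example-a.test", date(2013, 4, 9), "GlobalSign", "MSC Trustgate"),
    ("mail.example-b.test", date(2014, 1, 3), "GlobalSign", "MSC Trustgate"),
    ("www.example-c.test", date(2015, 6, 21), "Symantec", "MSC Trustgate"),
    ("api.example-d.test", date(2016, 2, 14), "GlobalSign", "MSC Trustgate"),
    ("old.example-e.test", date(2012, 11, 1), "Symantec", "MSC Trustgate"),
    ("cdn.example-f.test", date(2015, 3, 3), "DigiCert", "Other Reseller"),
]


def find_root_outliers(records, reseller, since):
    """Return (dominant_root, outliers) for one reseller.

    dominant_root is the root organisation that most of the reseller's
    certificates issued on or after `since` chain to; outliers are the
    records in that window whose chain ends in a different root, which is
    the signal the post asks the CA to explain (a reseller that normally
    resells CA X unexpectedly appearing under CA Y's hierarchy).
    """
    window = [r for r in records if r[3] == reseller and r[1] >= since]
    if not window:
        return None, []
    counts = Counter(r[2] for r in window)
    dominant = counts.most_common(1)[0][0]
    outliers = [r for r in window if r[2] != dominant]
    return dominant, outliers


if __name__ == "__main__":
    root, odd = find_root_outliers(SAMPLE_RECORDS, "MSC Trustgate", date(2013, 4, 1))
    print(f"dominant root for MSC Trustgate since April 2013: {root}")
    for cn, nb, r, _ in odd:
        print(f"  outlier: {cn} (not-before {nb}) chains to {r}")
```

Records before the cutoff are ignored on purpose, so the 2012 Symantec-rooted entry does not count; only the post-cutoff deviation is reported.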