On 05/05/17 17:09, Peter Bowen wrote: > We know that the RAs could use different certificate profiles, as > certificates they approved had varying issuers, and "Issuer DN" has > the same "No(1)" that CP has in the table in the doc you linked. I > don't see any indication of what profiles each RA was allowed to use. > It could be that Symantec provided one or more profiles to the RA that > contained EV OIDs.
So the question to Symantec is: "did any of the RAs in your program have EV issuance capability? If not, given that they had issuance capability from intermediates which chained up to EV-enabled roots, what technical controls prevented them from having this capability?" Is that right? Gerv _______________________________________________ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy