On Fri, 5 May 2017 17:18:38 +0100 Gervase Markham via dev-security-policy <dev-security-policy@lists.mozilla.org> wrote:
> On 05/05/17 17:09, Peter Bowen wrote:
> > We know that the RAs could use different certificate profiles, as
> > certificates they approved had varying issuers, and "Issuer DN" has
> > the same "No(1)" that CP has in the table in the doc you linked. I
> > don't see any indication of what profiles each RA was allowed to
> > use. It could be that Symantec provided one or more profiles to the
> > RA that contained EV OIDs.
>
> So the question to Symantec is: "did any of the RAs in your program
> have EV issuance capability? If not, given that they had issuance
> capability from intermediates which chained up to EV-enabled roots,
> what technical controls prevented them from having this capability?"
> Is that right?

It may be useful to note that Certsuperior, Certisur, Certisign, and
Crosscert were all advertising EV certificates on their websites at
some point in 2016:

http://web.archive.org/web/20160428051833/https://www.certsuperior.com/SecureSiteProEV.aspx

http://web.archive.org/web/20161114232112/https://www.certisur.com/soluciones/sitios-seguros

http://web.archive.org/web/20161101111634/https://www.certisign.com.br/certificado-servidor/ssl-validacao-avancada

http://web.archive.org/web/20161223000146/http://www.crosscert.com/

Regards,
Andrew