On Tue, May 09, 2017 at 04:51:12PM +0100, Gervase Markham via dev-security-policy wrote:
> Despite the fact that there appear to be
> numerous under-audited and unaudited publicly-trusted sub-CAs out there,
> and this fact has been known for weeks now, Symantec has not said
> anything about the situation to Mozilla, either publicly or privately.
> Would we find this acceptable in any other CA?
Do we somewhere have the official templates being used to send reminders of the audit requirements? Kathleen posts a summary of the email that got sent, but I'm not sure if they contain more text or if the text changes as the period gets longer.

From the draft templates I could find, I suggest we skip the first one because it's about being late and there are no audit reports here. The second template would file a removal bug and start discussing it here. Instead of the removal of the roots, I suggest we either ask them to revoke all the intermediate CAs that do not have the required audits or that Mozilla adds them to OneCRL.

Did someone try to make a list of all CA certificates that don't have all the required audit requirements marked in the common CA database, including other CAs? We really should do this for all such cases.

Kurt

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy