On Tue, May 09, 2017 at 04:51:12PM +0100, Gervase Markham via 
dev-security-policy wrote:
> Despite the fact that there appear to be
> numerous under-audited and unaudited publicly-trusted sub-CAs out there,
> and this fact has been known for weeks now, Symantec has not said
> anything about the situation to Mozilla, either publicly or privately.
> Would we find this acceptable in any other CA?

Do we somewhere have the official templates being used to send
reminders of the audit requirements? Kathleen posts a summary of
the email that got sent, but I'm not sure if they contain more
text or if the text changes as the period gets longer.

From the draft templates I could find, I suggest we skip the
first one because it's about being late and there are no audit
reports here. The second template would file a removal bug and start
discussing it here.

Instead of the removal of the roots, I suggest we either ask them
to revoke all the intermediate CAs that do not have the required
audits or that Mozilla adds them to OneCRL.

Did someone try to make a list of all CA certificates that don't
have all the required audits marked in the Common CA
Database, including other CAs? We really should do this for all
such cases.

