On Tue, May 09, 2017 at 07:03:16PM +0200, Kurt Roeckx via dev-security-policy wrote:
> Instead of the removal of the roots, I suggest we either ask them
> to revoke all the intermediate CAs that do not have the required
> audits or that Mozilla adds them to OneCRL.

Just to clarify, I believe that under 4.9.1.2 of the BRs, either point 5, 8 or 9, Symantec is required to revoke those certificates within 7 days. There is no indication that they follow the BR requirements; the audit report even says that Symantec does not control them, just monitors them. They are a clear danger.

Kurt