On Tue, May 09, 2017 at 07:03:16PM +0200, Kurt Roeckx via dev-security-policy 
> Instead of the removal of the roots, I suggest we either ask them
> to revoke all the intermediate CAs that do not have the required
> audits or that Mozilla adds them to OneCRL.

Just to clarify, I believe that under of the BRs, either
point 5, 8 or 9, Symantec is required to revoke those certificates
within 7 days. There is no indication that they follow the BR
requirements, the audit report even says that Symantec does not
control them, just monitor them. They are a clear danger.

