Symantec have supplied the audits for their GeoRoot partner "Aetna":
https://bug1334377.bmoattachments.org/attachment.cgi?id=8867397 https://bug1334377.bmoattachments.org/attachment.cgi?id=8867398 The community might find them interesting reading. These audits are the only ones Symantec received from Aetna, and are dated May 10th 2016, auditing the calendar year 2015. Aetna's intermediate has a notBefore of July 2010: https://crt.sh/?id=33549 Symantec never received any formal audits from UniCredit; I am trying to get hold of the informal ones. Their participation in the GeoRoot program started in January 2012: https://crt.sh/?CN=UniCredit+Subordinate+External So both organizations had full issuance rights for the WebPKI for over 5 years with no audit oversight whatsoever. And when it was finally done, the audit of Aetna seems to show what sort of arrangements result from that. Also, am I right in thinking that Actalis has recently cross-signed UniCredit? https://crt.sh/?id=47081615 Gerv _______________________________________________ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy