> -----Original Message-----
> From: dev-security-policy [mailto:dev-security-policy-bounces+steve_medin=symantec....@lists.mozilla.org] On Behalf Of Ryan Sleevi via dev-security-policy
> Sent: Tuesday, April 25, 2017 6:50 PM
> To: Ryan Sleevi <r...@sleevi.com>
> Cc: mozilla-dev-security-policy <mozilla-dev-security-pol...@lists.mozilla.org>; Gervase Markham <g...@mozilla.org>
> Subject: [EXT] Re: Symantec Conclusions and Next Steps
> 
> Continuing to look through the audits, I happened to notice a few other
> things that stood out, some more pressing than others.
> 
> More pressing:
> I can find no disclosure with Salesforce or crt.sh of at least two CAs that are
> listed 'in scope' of the audit report, as part of
> https://www.symantec.com/content/en/us/about/media/repository/Symantec-NFSSP-WTCA_11-30-2016.pdf
> 
> This audit report identifies the "SureID Inc. CA2" and "SureID Inc. Device CA2"
> as within scope for this audit. It would be useful to understand their lack of
> disclosure, relative to the audits and to Section 5.3.2 of the inclusion policy.
> 

The two SureID CAs are now disclosed. They were inadvertently omitted.

https://mozillacacommunity.force.com/001o0000016Uc20
https://mozillacacommunity.force.com/001o0000016Uc6M

Based on https://crt.sh/mozilla-disclosures#undisclosedsummary, we also
disclosed an additional version of the CSC Device CA - G2. Both versions are
signed by the VeriSign Class 3 SSP Intermediate CA - G2. The previously
disclosed CSC Device CA - G2 expires on August 14, 2021.

Existing: https://mozillacacommunity.force.com/001o000000p4Sf2
New: https://mozillacacommunity.force.com/001o0000016UfuS

We further updated CCADB to ensure it mirrors the PKI Map we are creating.
As part of that effort we posted:

- 39 entries that chain to roots no longer trusted by Mozilla
- 10 which chain to the revoked VeriSign Class 3 SSP Intermediate CA
- 13 which are either technically constrained by EKU or software constrained in Symantec operated systems, limiting issuance to code signing or time stamping authority certificates.
- Additional entries to capture different versions of the same subCA, even in cases where the versions were never deployed and/or never issued end entity certificates.

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy