> -----Original Message-----
> From: dev-security-policy [mailto:dev-security-policy-bounces+steve_medin=symantec....@lists.mozilla.org] On Behalf Of Ryan Sleevi via dev-security-policy
> Sent: Tuesday, April 25, 2017 6:50 PM
> To: Ryan Sleevi <r...@sleevi.com>
> Cc: mozilla-dev-security-policy <mozilla-dev-security-pol...@lists.mozilla.org>; Gervase Markham <g...@mozilla.org>
> Subject: [EXT] Re: Symantec Conclusions and Next Steps
>
> Continuing to look through the audits, I happened to notice a few other things that stood out, some more pressing than others.
>
> More pressing:
> I can find no disclosure with Salesforce or crt.sh of at least two CAs that are listed 'in scope' of the audit report, as part of https://www.symantec.com/content/en/us/about/media/repository/Symantec-NFSSP-WTCA_11-30-2016.pdf
>
> This audit report identifies the "SureID Inc. CA2" and "SureID Inc. Device CA2" as within scope for this audit. It would be useful to understand their lack of disclosure, relative to the audits and to Section 5.3.2 of the inclusion policy.
>
The two SureID CAs are now disclosed. They were inadvertently omitted.

https://mozillacacommunity.force.com/001o0000016Uc20
https://mozillacacommunity.force.com/001o0000016Uc6M

Based on https://crt.sh/mozilla-disclosures#undisclosedsummary, we also disclosed an additional version of the CSC Device CA - G2. Both versions are signed by the VeriSign Class 3 SSP Intermediate CA - G2. The previously disclosed CSC Device CA - G2 expires on August 14, 2021.

Existing: https://mozillacacommunity.force.com/001o000000p4Sf2
New: https://mozillacacommunity.force.com/001o0000016UfuS

We further updated CCADB to ensure it mirrors the PKI Map we are creating. As part of that effort we posted:

- 39 entries that chain to roots no longer trusted by Mozilla
- 10 which chain to the revoked VeriSign Class 3 SSP Intermediate CA
- 13 which are either technically constrained by EKU or software constrained in Symantec operated systems, limiting issuance to code signing or time stamping authority certificates.
- Additional entries to capture different versions of the same subCA, even in cases where the versions were never deployed and/or never issued end entity certificates.
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy