I'd just like to give the community a heads up that Chrome’s plan remains to
put up a blog post echoing our recent announcement on blink-dev, but in the
meantime, we are reviewing the facts related to Symantec’s sale of their PKI
business to DigiCert.
Recently, it has come to our attention that Symantec may have selected DigiCert
from the RFP process to become a Managed CA Partner. As defined in Google’s
first Managed CA proposal, then supported by Symantec’s commitment to
“[cover] all aspects of the SubCA proposal”, and finally reiterated in
Google’s final proposal, the requirement has always been that the Managed
Partner Infrastructure be operated by an independent and non-affiliated CA
while Symantec worked to rebuild the web community's confidence.
Based on this information, we have a series of questions that we’d like
Symantec to address for public discussion:
1. Just to confirm, did Symantec select DigiCert to be Managed CA Partner under
the RFP process? If so, in light of DigiCert’s acquisition of Symantec’s PKI
business and Symantec’s substantial equity investment in DigiCert, can you
explain how you believe selecting DigiCert as the Managed CA Partner meets the
stated requirement of being an independent and non-affiliated organization?
2. Were any additional CAs selected to be a Managed CA Partner from the list of
trusted CAs that Symantec “felt best met the browser requirements”?
dev-security-policy mailing list