Hello m.d.s.p.,

I'd just like to give the community a heads up that Chrome’s plan remains to 
put up a blog post echoing our recent announcement on blink-dev [1], but in the 
meantime, we are reviewing the facts related to Symantec’s sale of their PKI 
business to DigiCert [2].

Recently, it has come to our attention that Symantec may have selected DigiCert 
from the RFP process to become a Managed CA Partner. As defined in Google’s 
first Managed CA proposal [3], then supported by Symantec’s commitment to 
“[cover] all aspects of the SubCA proposal” [4], and finally reiterated in 
Google’s final proposal [1], the requirement has always been that the Managed 
Partner Infrastructure be operated by an independent and non-affiliated CA 
while Symantec worked to rebuild the web community's confidence. 

Based on this information, we have a series of questions that we’d like 
Symantec to address for public discussion:

1. Just to confirm, did Symantec select DigiCert to be Managed CA Partner under 
the RFP process? If so, in light of DigiCert’s acquisition of Symantec’s PKI 
business and Symantec’s substantial equity investment in DigiCert, can you 
explain how you believe selecting DigiCert as the Managed CA Partner meets the 
stated requirement of being an independent and non-affiliated organization? 

2. Were any additional CAs selected to be a Managed CA Partner from the list of 
trusted CAs that Symantec “felt best met the browser requirements”?
