RE: Misissued/Suspicious Symantec Certificates

2017-02-17 Thread Steve Medin via dev-security-policy
Our third response to questions, including these two below, is posted at Bugzilla, and directly at https://bug1334377.bmoattachments.org/attachment.cgi?id=8838825. From: Ryan Sleevi [mailto:r...@sleevi.com] Sent: Friday, February 17, 2017 6:54 PM To: Ryan Sleevi Cc:

Re: Misissued/Suspicious Symantec Certificates

2017-02-17 Thread urijah--- via dev-security-policy
On Friday, February 17, 2017 at 10:19:06 PM UTC-5, Ryan Sleevi wrote: > On Fri, Feb 17, 2017 at 5:17 PM, urijah--- via dev-security-policy < > dev-security-policy@lists.mozilla.org> wrote: > > > On Friday, February 17, 2017 at 7:50:31 PM UTC-5, uri...@gmail.com wrote: > > > On Friday, February

Re: Misissued/Suspicious Symantec Certificates

2017-02-17 Thread Ryan Sleevi via dev-security-policy
On Fri, Feb 17, 2017 at 5:17 PM, urijah--- via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > On Friday, February 17, 2017 at 7:50:31 PM UTC-5, uri...@gmail.com wrote: > > On Friday, February 17, 2017 at 7:23:54 PM UTC-5, Ryan Sleevi wrote: > > > I have confirmed with CPA >

Re: Misissued/Suspicious Symantec Certificates

2017-02-17 Thread urijah--- via dev-security-policy
On Friday, February 17, 2017 at 7:50:31 PM UTC-5, uri...@gmail.com wrote: > On Friday, February 17, 2017 at 7:23:54 PM UTC-5, Ryan Sleevi wrote: > > I have confirmed with CPA > > Canada that at during the 2016 and 2017 periods, EY Brazil was not a > > licensed WebTrust practitioner, as indicated

Re: Misissued/Suspicious Symantec Certificates

2017-02-17 Thread urijah--- via dev-security-policy
On Friday, February 17, 2017 at 7:23:54 PM UTC-5, Ryan Sleevi wrote: > I have confirmed with CPA > Canada that at during the 2016 and 2017 periods, EY Brazil was not a > licensed WebTrust practitioner, as indicated at [4]. > > [4] >

Re: Misissued/Suspicious Symantec Certificates

2017-02-17 Thread Ryan Sleevi via dev-security-policy
Hi Steve, Two more question to add to the list which is already pending: In [1], in response to question 5, Symantec indicated that Certisign was a WebTrust audited partner RA, with [2] provided as evidence to this fact. While we discussed the concerns with respect to the audit letter,