RE: Misissued/Suspicious Symantec Certificates

2017-02-12 Thread Steve Medin via dev-security-policy
A response is now available in Bugzilla 1334377 and directly at: https://bugzilla.mozilla.org/attachment.cgi?id=8836487

> -Original Message-
> From: Gervase Markham [mailto:g...@mozilla.org]
> Sent: Thursday, February 09, 2017 4:56 AM
> To: Steve Medin ; mozilla-dev-security-
> pol...@lis

Re: Misissued/Suspicious Symantec Certificates

2017-02-12 Thread Nick Lamb via dev-security-policy
On Sunday, 12 February 2017 15:28:26 UTC, Steve Medin wrote:
> A response is now available in Bugzilla 1334377 and directly at:
> https://bugzilla.mozilla.org/attachment.cgi?id=8836487

Thanks for these responses Steve, I believe that Symantec's decision to terminate the RA Partner programme was

Re: Misissued/Suspicious Symantec Certificates

2017-02-12 Thread Eric Mill via dev-security-policy
Though Nick's email implies the announcement, for the benefit of the list, here's Symantec's introduction at the top of their response: Based on our investigation of CrossCert, we have concerns due to (1) demonstrated non-compliance with processes and controls, (2) assertions of third party audito

Re: Misissued/Suspicious Symantec Certificates

2017-02-12 Thread Eric Mill via dev-security-policy
Also relevant are Symantec's statements about two E&Y regional auditors. One section describes contradictions from E&Y KR (Korea) in describing why some CrossCert issuing CAs were not in scope:

• The list of CAs in the audit was produced by CrossCert and given to E&Y KR as the scope to audit. It

Re: Misissued/Suspicious Symantec Certificates

2017-02-12 Thread Andrew Ayer via dev-security-policy
Hi Steve,

I have a few questions:

1. What criteria is Symantec using to determine if a certificate has a "deficiency" that warrants re-validation?
2. How will Symantec assess whether the domain(s) in a certificate were correctly validated?
3. Is any of the information gathered by processing age

Re: Taiwan GRCA Root Renewal Request

2017-02-12 Thread Peter Gutmann via dev-security-policy
Gervase Markham via dev-security-policy writes:

>Peter: you are going to have to re-summarise your question. And then, if you
>are asking why Mozilla code works in a certain way, mozilla.dev.security or
>mozilla.dev.tech.crypto are almost certainly far better venues.

Sure, no problem. I was ju