Re: Notice of Intent to Deprecate and Remove: Trust in Symantec-issued Certificates

2017-03-23 Thread tarah.symantec--- via dev-security-policy
On Thursday, March 23, 2017 at 12:09:23 PM UTC-4, Ryan Sleevi wrote:
> (Posting in a Google Capacity)
>
> I just wanted to notify the members of this Forum that we have started an Intent to Deprecate and Remove, consistent with our Blink process, related to certain certificates issued by

Re: Researcher Says API Flaw Exposed Symantec Certificates, Including Private Keys

2017-03-31 Thread tarah.symantec--- via dev-security-policy
On Friday, March 31, 2017 at 9:51:03 AM UTC-7, Jakob Bohm wrote:
> Dear Tarah,
>
> Below some friendly speculation as to what the parts that some bloggers claimed was included (if those claims were somehow true) might have been (i.e. where *you* might look for it in internal Symantec

Re: Researcher Says API Flaw Exposed Symantec Certificates, Including Private Keys

2017-03-31 Thread tarah.symantec--- via dev-security-policy
> Yep, but there must have been an API (at some level) for generating or processing the QuickInvite URL. That was what I was suggesting might have been the issue.

So, it's hard for me to answer this question because I didn't see any POC, but 1) it's not physically possible for private keys

Re: Researcher Says API Flaw Exposed Symantec Certificates, Including Private Keys

2017-03-31 Thread tarah.symantec--- via dev-security-policy
>
> Yeah OK, I got a few things wrong on my blog post, I can fix that shortly. It's no big deal. At least I'm informing people about security - claiming that we're just "looking for hits" is ridiculous. Most people pay no attention to security, I can't speak for others but I'm trying to