Some more thoughts (my previous substantive comments are awaiting moderation 
because I foolishly sent them before subscribing)

1. Historically other CAs in this family have issued certificates which abuse 
wildcards, like this:

https://crt.sh/?id=16640133&opt=cablint

Over the several years this request has been floating, no-one from Symantec / 
Verisign mentioned these violations. Can we expect the same from the root which 
is to be granted EV in this request? Or has Symantec since put in place an 
effective control against this sort of wildcard abuse? If so, when?

Presumably it is only a coincidence that KPMG are both Symantec's auditors and 
that they receive such non-conformant wildcard certificates only from Symantec 
even though they deal with several other CAs?

2. After changes negotiated in the Bugzilla ticket, the CA Hierarchy 
information currently reads: "S/MIME certs may also be issued in this CA 
hierarchy."

Compared to the situation for SSL and Code Signing where internally operated 
SubCAs are specified, this is very vague. Why? What technical controls are in 
place to ensure that systems which issue S/MIME certs "in this CA hierarchy" 
are not capable of issuing an SSL server certificate?
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
