Hi Kathleen, My recommendation is for Mozilla to reject this request from Symantec on the grounds that it is unnecessary. As others have pointed out recently, the chief function of a CA is to certify identity. That certification should be ably met with the regular cert issuance procedures rendering the EV procedures superfluous. That, or perhaps the CA knows of certain weaknesses in the regular identification process that have been remedied for the EV process? Perhaps EV is a way of saying, "No, seriously you guys, this time we really, really identified the cert applicant."
Whatever the case may be, I don't see how turning on EV benefits Mozilla users. If basic identity is sufficiently established for regular certs, and that being the chief function of CA's, what improvement will EV enablement possibly produce? Thanks. Original Message From: Kathleen Wilson Sent: Wednesday, May 18, 2016 4:58 PM To: mozilla-dev-security-pol...@lists.mozilla.org Subject: Re: Request to enable EV for VeriSign Class 3 G4 ECC root Here is a summary of this discussion so far about Symantec's request to enable EV treatment for the "VeriSign Class 3 Public Primary Certification Authority - G4" root certificate that was included via bug #409235, and has all three trust bits enabled. 1) The "Symantec AATL ECC Intermediate CA" needs to be revoked and added to OneCRL. The intermediate cert has been added to Salesforce. I'm assuming we may proceed with this request, as long as the cert is added to OneCRL before EV treatment is actually enabled in a Firefox release. 2) Questions were raised about wildcard certs in regards to the BRs. But it sounds like for now Symantec's use of wildcard certs is not breaking any BRs. Question for Symantec: Are any of the issued wildcard certs EV? 3) Question raised: What technical controls are in place to ensure that systems which issue S/MIME certs "in this CA hierarchy" are not capable of issuing an SSL server certificate? Answer from Symantec: We have a technical control in place for systems that issue S/MIME certs in this CA hierarchy. Our systems use static cert templates from which end-entity certs are issued. Those templates include an EKU value, but do not use the serverAuth or anyExtendedKeyUsage values. 4) Intermediate certificates for this root have been loaded into Salesforce, and are available at the following links: https://wiki.mozilla.org/CA:SubordinateCAcerts https://mozillacaprogram.secure.force.com/CA/PublicIntermediateCerts?CAOwnerName=Symantec%20/%20VeriSign Symantec’s revoked intermediate certs have not yet been loaded into Salesforce. As per https://wiki.mozilla.org/CA:Communications#March_2016_Responses Symantec plans to enter this data by June 30, 2016. This request is still under discussion, so please continue to provide your input. Thanks, Kathleen _______________________________________________ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy _______________________________________________ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy
