Symantec has also stated that Blue Coat never had possession of the private
key:
http://www.symantec.com/connect/blogs/symantec-protocol-keeps-private-keys-its-control

And, on an existing Mozilla bug about the issue, Rick Andrews from Symantec
stated that it would have been limited to bluecoat.com:
https://bugzilla.mozilla.org/show_bug.cgi?id=1276146

Mozilla's Salesforce disclosures include the Blue Coat intermediate, which
is listed as under Symantec's CP and CPS:
https://mozillacaprogram.secure.force.com/CA/PublicAllIntermediateCerts

If the only point of the intermediate was literally for bluecoat.com,
perhaps the certificate could have used a name constraint, though I
personally suspect Rick's comment was too narrow and that it could have
been used to request (from Symantec) other domains legitimately owned by
Blue Coat.

Unless there is evidence that this intermediate is non-compliant or
unusually risky in some way, for reasons other than the name "Blue Coat" on
it, I don't see any reason for Mozilla to distrust this intermediate.

-- Eric

On Tue, May 31, 2016 at 9:56 AM, <[email protected]> wrote:

> http://www.theregister.co.uk/2016/05/27/blue_coat_ca_certs/ reports that
> Symantec made Blue Coat (who produce MITM-capable security kit) an
> intermediate CA last year.  They claim it's only been used for 'internal
> testing'.  Should we take action or trust them?
> _______________________________________________
> dev-security-policy mailing list
> [email protected]
> https://lists.mozilla.org/listinfo/dev-security-policy
>



-- 
konklone.com | @konklone <https://twitter.com/konklone>