Can someone from Symantec clarify how their previous statements on Blue Coat's lack of ownership of this intermediate's private key will continue to apply following their acquisition of Blue Coat?
http://www.wsj.com/articles/symantec-set-to-buy-blue-coat-systems-in-4-65-billion-deal-1465774721 -- Eric On Tue, May 31, 2016 at 11:18 AM, Eric Mill <[email protected]> wrote: > Symantec has also stated that Blue Coat never had possession of the > private key: > > http://www.symantec.com/connect/blogs/symantec-protocol-keeps-private-keys-its-control > > And, on an existing Mozilla bug about the issue, Rick Andrews from > Symantec stated that it would have been limited to bluecoat.com: > https://bugzilla.mozilla.org/show_bug.cgi?id=1276146 > > Mozilla's Salesforce disclosures include the Blue Coat intermediate, which > is listed as under Symantec's CP and CPS: > https://mozillacaprogram.secure.force.com/CA/PublicAllIntermediateCerts > > If the only point of the intermediate was literally for bluecoat.com, > perhaps the certificate could have used a name constraint, though I > personally suspect Rick's comment was too narrow and that it could have > been used to request (from Symantec) other domains legitimately owned by > Blue Coat. > > Unless there is evidence that this intermediate is non-compliant or > unusually risky in some way, for reasons other than the name "Blue Coat" on > it, I don't see any reason for Mozilla to distrust this intermediate. > > -- Eric > > On Tue, May 31, 2016 at 9:56 AM, <[email protected]> wrote: > >> http://www.theregister.co.uk/2016/05/27/blue_coat_ca_certs/ reports that >> Symantec made Blue Coat (who produce MITM-capable security kit) an >> intermediate CA last year. They claim its only been used for 'internal >> testing'. Should we take action or trust them? >> _______________________________________________ >> dev-security-policy mailing list >> [email protected] >> https://lists.mozilla.org/listinfo/dev-security-policy >> > > > > -- > konklone.com | @konklone <https://twitter.com/konklone> > -- konklone.com | @konklone <https://twitter.com/konklone> _______________________________________________ dev-security-policy mailing list [email protected] https://lists.mozilla.org/listinfo/dev-security-policy
