On 5/18/16 2:51 PM, Kathleen Wilson wrote:
Here is a summary of this discussion so far about Symantec's request to enable EV
treatment for the "VeriSign Class 3 Public Primary Certification Authority -
G4" root certificate that was included via bug #409235, and has all three trust bits
enabled.
1) The "Symantec AATL ECC Intermediate CA" needs to be revoked and added to
OneCRL. The intermediate cert has been added to Salesforce.
I'm assuming we may proceed with this request, as long as the cert is added to
OneCRL before EV treatment is actually enabled in a Firefox release.
It’s been revoked.
https://bugzilla.mozilla.org/show_bug.cgi?id=1287592
2) Questions were raised about wildcard certs in regards to the BRs. But it
sounds like for now Symantec's use of wildcard certs is not breaking any BRs.
Question for Symantec: Are any of the issued wildcard certs EV?
Symantec responded to say that they have not issued EV wildcard certs.'
3) Question raised: What technical controls are in place to ensure that systems which
issue S/MIME certs "in this CA hierarchy" are not capable of issuing an SSL
server certificate?
Answer from Symantec: We have a technical control in place for systems that
issue S/MIME certs in this CA hierarchy. Our systems use static cert templates
from which end-entity certs are issued. Those templates include an EKU value,
but do not use the serverAuth or anyExtendedKeyUsage values.
Symantec's further responses: We will be stopping SHA1 ICA usage by the
end of 2016 for SMIME. We plan to use a new ICA that has a compliant EKU
to issue SMIME certificates by the end of 2016.
For SHA-1 signed S/MIME certificates, the serial number is a 128-bit
random number, which makes the certificate contents unpredictable.
4) Intermediate certificates for this root have been loaded into Salesforce,
and are available at the following links:
https://wiki.mozilla.org/CA:SubordinateCAcerts
and
https://wiki.mozilla.org/CA:RevokedSubCAcerts
I believe that all of the questions/concerns raised during this
discussion have been resolved. So I am about ready to wrap up this
discussion and recommend approval of this request.
However, I am not finding the current WTBR audit statement for this root
certificate. I am finding the other Symantec audit statements in the
"Roots & Audit Reports" tab of
https://www.symantec.com/about/legal/repository.jsp
And I have exchanged email with the auditor to confirm the authenticity
of the audit statements.
Sanjay, Please let me know which of the audit statements on the website
contain the WTBR audit statement covering this root certificate.
Thanks,
Kathleen
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
