Hi Steve, On 27/01/17 01:30, Steve Medin wrote: > Here is an attached PDF update regarding this certificate problem report.
Thanks for the update. Here are some questions: * It's not clear what the problem is with the issuance in category F. I don't see any mention of "dev119money.com" in Andrew's initial report. Can you explain (and provide a crt.sh link)? * Root Cause, bullet 2 refers to "certificates issued between July 2016 and January 2017"; is it correct that this corresponds to categories A (one of four certificates), B, D, E and F? * What processes, other than requiring and inspecting a WebTrust report, does Symantec have in place to ensure that its RAs behave in accordance with the CP and CPS of the Symantec-owned roots under which they are issuing? (Perhaps this will be covered in the report you will issue after the "additional follow-up" steps are completed?) * Do such processes include regular, occasional or any review of the audit logs which show the overriding of compliance failure flags? Gerv _______________________________________________ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy