Symantec's auditors, KPMG, completed a scan of CrossCert certificates to detect potential mis-issuance. On Thursday, January 26, 2017 at 4:08pm PST, KPMG provided a report that listed 12 problem certificates that were not in Andrew Ayer's report. We began an investigation into that certificate problem report at 6:30pm PST Thursday. Six of the certificates contained numbers in the locality, two were street addresses and four were Bangladeshi postal codes appended to the city name. Six contained the word "test" in the organization, but were false positives for legitimate organization names. We completed our investigation of these 12 certificates by requesting archived documentation. CrossCert was unable to produce documentation to prove their validation as required under BR 5.4.1. We revoked all 12 certificates within 24 hours of becoming aware of CrossCert's BR 5.4.1 non-compliance. Our investigation continues.
Links:
https://crt.sh/?id=16869385
https://crt.sh/?id=11199825
https://crt.sh/?id=11633501
https://crt.sh/?id=11281299
https://crt.sh/?id=11283579
https://crt.sh/?id=12504637
https://crt.sh/?id=42016028
https://crt.sh/?id=13161832
https://crt.sh/?id=13161834
https://crt.sh/?id=13161835
https://crt.sh/?id=25211067
https://crt.sh/?id=47456180

Kind regards,
Steven Medin
PKI Policy Manager, Symantec Corporation
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy