Ryan,

Both Gerv and I posted follow-up questions almost two weeks ago. I know you have been busy with CT days. When do you expect to have answers available?

Thanks,
Peter

On Fri, Feb 10, 2017 at 2:01 AM, Gervase Markham via dev-security-policy <dev-security-policy@lists.mozilla.org> wrote:
> Hi Ryan,
>
> On 09/02/17 19:55, Ryan Hurst wrote:
>> - The EV OID associated with this permission is associated with GlobalSign
>> and not Google and,
>
> Which EV OID are you referring to, precisely?
>
>> - GlobalSign is an active member in good standing with the respective root
>> programs and,
>> - Google will not be issuing EV SSL certificates,
>> - Google will operate these roots under their own CP/CPS’s and associated
>> OIDs,
>> - Google issuing a certificate with the GlobalSign OIDs would qualify as
>> mis-issuance.
>>
>> That it would be acceptable for us not to undergo an EV SSL audit,
>> and that GlobalSign could keep the EV right for the associated subordinate
>> CA for the remaining validity period to facilitate the transition
>> (assuming continued compliance).
>
> Just to be clear: GlobalSign continues to operate at least one subCA
> under a root which Google has purchased, and that root is EV-enabled,
> and the sub-CA continues to do EV issuance (and is audited as such) but
> the root is no longer EV audited, and nor is the rest of the hierarchy?
>
>> When looking at this issue it is important to keep in mind Google has
>> operated a WebTrust audited subordinate CA under Symantec for quite a
>> long time. As part of this they have maintained audited facilities,
>> and procedures appropriate for offline key management, CRL/OCSP
>> generation, and other related activities. Based on this, and the
>> timing of both our audit, and key transfer all parties concluded it
>> would be sufficient to have the auditors provide an opinion letter
>> about the transfer of the keys and have those keys covered by the
>> subsequent annual audit.
>
> Can you tell us what the planned start/end dates for the audit period of
> that annual audit are/will be?
>
> Are the Google roots and/or the GlobalSign-acquired roots currently
> issuing EE certificates? Were they issuing certificates between 11th
> August 2016 and 8th December 2016?
>
> Gerv
> _______________________________________________
> dev-security-policy mailing list
> dev-security-policy@lists.mozilla.org
> https://lists.mozilla.org/listinfo/dev-security-policy