In order for Symantec to reveal anybody's private keys they'd first need to have those keys, which is already, IIRC, forbidden in the BRs. So even proof that Symantec routinely had these keys is a big deal. The whole reason things like CSR signing exist is that public CAs have no reason to know anybody's private key; the clue is in the name.
Beyond that, I'll note that anybody reading Raymond Chen for a few weeks will learn that not every researcher who thinks they just found a smoking gun turns out to know what a gun actually is, nor sometimes what constitutes smoke. So, evidence is what we need. Neither holes in Symantec security nor overclaims from a person who misunderstood what they were seeing are unlikely.
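The CSR flow the post refers to, as an added example that is not part of the original message: the subscriber generates the key pair and signs the request, and the CA only ever parses the request, checks that self-signature (proof of possession) and issues from the embedded public key. The CA key and the subject name are constructed test values; this is illustrative code using Go's standard library, not anything from Symantec's or Mozilla's systems.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// subscriberCSR runs on the subscriber's side. The private key is generated
// here and never leaves this function; only the DER-encoded CSR is returned.
func subscriberCSR(cn string) ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := x509.CertificateRequest{Subject: pkix.Name{CommonName: cn}}
	return x509.CreateCertificateRequest(rand.Reader, &tmpl, key)
}

// caIssue runs on the CA's side. It verifies the CSR's self-signature, which
// proves the requester holds the matching private key, then issues a
// certificate from the public key carried in the CSR. The CA signing key is a
// throwaway constructed for this example; the subscriber's key is never seen.
func caIssue(csrDER []byte) (*x509.Certificate, error) {
	csr, err := x509.ParseCertificateRequest(csrDER)
	if err != nil {
		return nil, err
	}
	if err := csr.CheckSignature(); err != nil {
		return nil, fmt.Errorf("CSR proof-of-possession failed: %w", err)
	}
	caKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	now := time.Now()
	ca := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Test CA"},
		NotBefore: now, NotAfter: now.Add(24 * time.Hour), IsCA: true, BasicConstraintsValid: true}
	leaf := &x509.Certificate{SerialNumber: big.NewInt(2), Subject: csr.Subject, NotBefore: now, NotAfter: now.Add(24 * time.Hour)}
	der, err := x509.CreateCertificate(rand.Reader, leaf, ca, csr.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	csr, _ := subscriberCSR("example.test")
	cert, err := caIssue(csr)
	fmt.Println(cert.Subject.CommonName, err)
}
```

A CSR whose signature does not verify (for instance one altered in transit) is rejected before any certificate is built.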