On Fri, Mar 31, 2017 at 11:39 AM, Gervase Markham via dev-security-policy <dev-security-policy@lists.mozilla.org> wrote:
> As we continue to consider how best to react to the most recent incident
> involving Symantec, and given that there is a question of whether it is
> part of a pattern of behaviour, it seemed best to produce an issues list
> as we did with WoSign. This means Symantec has proper opportunity to
> respond to issues raised and those responses can be documented in one
> place and the clearest overall picture can be seen by the community.
>
> So I have prepared:
> https://wiki.mozilla.org/CA:Symantec_Issues
>
> I will now be dropping Symantec an email asking them to begin the
> process of providing whatever comment, factual correction or input they
> feel appropriate.
>
> If anyone in this group feels they have an issue which it is appropriate
> to add to the list, please send me email with the details.

Gerv,

I believe Issue L is incorrectly dated. As can be seen on crt.sh, there are two CAs operated by the US federal Government which have been repeatedly issued certificates by various CAs trusted by Mozilla:

https://crt.sh/?caid=1324 (Federal Bridge CA)
https://crt.sh/?caid=1410 (Federal Bridge CA 2013)

These two CAs have cross-certified each other and have been issued several certificates by VeriSign/Symantec and Digital Signature Trust/IdenTrust. The earliest date for VeriSign is 2011-02-03 and the earliest date for DST is 2011-01-14.

I also think that Issue L should probably be combined with the GeoRoot items. Functionally they are the same issue: management and oversight of external subordinate CAs.

Thanks,
Peter