Issue P: UniCredit Sub CA Failing To Follow BRs (April - October 2016)

We are committed to keeping our customers, partners and ecosystem informed and taking action when necessary. We recognize that there are issues we are accountable for, such as our March 2016 CA Communication response indicating we had disclosed all subordinate CAs. The omission of UniCredit was an oversight; it should have been disclosed as part of this March 2016 response. However, we were taking appropriate actions to address the underlying compliance issues.
We worked with UniCredit over a long period of time to enforce their compliance with audit requirements. In July 2016, we received an assessment that did not meet WebTrust audit standards. We then took action, helping UniCredit transition to a managed PKI solution for their certificate needs that did not require an audit. In parallel, we notified them of termination of their subordinate CA. Because our customers are our top priority, we attempted to minimize business disruption while they transitioned by permitting UniCredit to operate only its CRL service until November 30, 2016, at which point we would revoke the UniCredit subordinate CA. In October 2016, UniCredit issued one new certificate in violation of the terms of that transition plan. Following that, Symantec promptly revoked the UniCredit subordinate CA on October 18, 2016.

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy