Hi Steve, Quick questions:
1) You identified that Symantec believed that it was a responsibility to ensure your customers' businesses remain interrupted.
   a) What is Symantec's process for determining which of these concerns (Baseline Requirements vs customer business) has priority?
   b) Has that process changed in response to this incident?

2) You stated that "browsers didn't process certificate policy extensions content during path building". This fails to clarify whether you believe it was a Baseline Requirements violation, which makes no such statements regarding policy building. Further, no such browser has, except for EV, made use of any policy IDs beyond path building.
   a) Does Symantec believe this was a Baseline Requirements violation?
   b) If so, why did Symantec fail to revoke this certificate, consistent with Baseline Requirements, Section 4.9.1.2, Item 5?
   c) If so, why did Symantec fail to revoke this certificate, consistent with Baseline Requirements, Section 4.9.1.2, Item 10?

3) Recognizing this risk, Symantec's Terms of Use under the Baseline Requirements, Section 9.6.3, the CA is contractually obligated to include a series of requirements, including Item 8, "An acknowledgement and acceptance that the CA is entitled to revoke the certificate immediately if the Applicant were to violate the terms of the Subscriber Agreement or Terms of Use".
   a) Does Symantec's Subscriber Agreement or Terms of Use with the FPKI include an obligation to issue consistent with Symantec's CP/CPS?
   b) Does Symantec's relevant CP/CPS state that it complies with the Baseline Requirements?
   c) If so, does Symantec believe that such a requirement flows down to subordinate CAs?
   d) If not, why not?

4) What steps has Symantec taken, if any, with regard to its Subscriber Agreements or Terms of Use in light of this?

5) What steps has Symantec taken, if any, to ensure there is appropriate transparency regarding Symantec's responsibility to their customers versus responsibility to Root Program requirements?
   a) Specifically, what steps has Symantec taken to ensure all necessary and sufficient information to independently evaluate that tradeoff is available publicly?
   b) Specifically, what steps has Symantec taken to ensure that if one or more Root Programs disagree with their assessment, that appropriate steps can and will be taken by Symantec?

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy