Hi Steve,

Quick questions:

1) Why was Symantec unable to operate the CRL service for Unicredit?
2) Pursuant to Section 5.7.1 of the Baseline Requirements, Symantec, and
all of its sub-CAs, are required to document business continuity and
disaster recovery procedures. Had Unicredit been operating according to the
Baseline Requirements, it would have documented such a plan for review.
  a) What are Symantec's conditions for activating this plan for Symantec?
  b) How regularly do you test this plan for Symantec?
  c) What requirements do you have regarding awareness and education?
3) Symantec was only permitted to not revoke this subordinate, pursuant
to the Baseline Requirements, Section 4.9.1.2, Item 8 if and only if the
Issuing CA (Symantec) has made arrangements to continue maintaining the
CRL/OCSP repository?
  a) Can Symantec clarify what it believes is permitted and not permitted
under their interpretation of this section?
  b) Please specifically document what arrangements were made, if any,
such as providing contracts and agreements.
  c) Please specifically document what steps Symantec took, if any, to
ensure those requirements were met?
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
