On Wed, Apr 12, 2017 at 4:53 AM, Gervase Markham via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote:
> On 11/04/17 22:08, Eric Mill wrote:
> > I'll leave it to others to opine on the severity of the mistake and the
> > quality of the response, but I do want to at least properly communicate the
> > impact.
>
> Thank you. I have updated my write-up for Issue L.

Great. I see one inaccuracy in the text there right now:

    When this was drawn to their attention, Symantec did not revoke the
    cross-sign certificate under discussion, instead allowing it to expire
    (less than a month later).

The cross-signature was brought to Symantec's attention in mid-February 2016. The certificate expired at the end of July 2016. The current text says "less than a month later".

I believe that "less than a month later" is meant to reference the time between when Symantec obtained concurrence from the Federal PKI about undoing the cross-signature, and when the certificate expired.

Identrust revoked their similar cross-signature in mid-late February, a week or so after being notified of the issue by Richard Barnes (then of Mozilla).

-- Eric

>
> Gerv
>
> _______________________________________________
> dev-security-policy mailing list
> dev-security-policy@lists.mozilla.org
> https://lists.mozilla.org/listinfo/dev-security-policy

--
Eric Mill
Senior Advisor, Technology Transformation Service, GSA
eric.m...@gsa.gov, +1-617-314-0966