This seems like a very reasonable stance for Mozilla to take: strongly encourage a new Symantec PKI so they start with a clean slate, otherwise staged distrust of all existing certificates with the requirement that Symantec produce a full document/diagram of how the components of their PKI are connected so that the non-BR-compliant bits can be "chopped off" from trust via OneCRL.
Given Symantec's propensity for responding right at deadlines, might I suggest that, should Symantec not choose to stand up a new PKI, you set a reasonable deadline for the production of the document described above? Perhaps May 12th?

Also, in the responses, Symantec claims that MSC Trustgate is no longer an RA (but could be a reseller). I did a quick search on crt.sh for recent certificates that have been supplied by MSC Trustgate: https://crt.sh/?Identity=%25MSC+Trustgate.com+Sdn+Bhd

It looks to me like MSC is now a GlobalSign reseller (sure, why not). But one certificate stood out: https://crt.sh/?id=68658151

Going back to April 2013, this is the *only* "supplied by MSC Trustgate" certificate in crt.sh that chains off a Symantec root; all others are GlobalSign. Can Symantec confirm that they vetted this (OV) certificate in-house? While I suppose MSC could supply certs from multiple CAs, I find it odd that everything in the logs since April 2013 is GlobalSign except this one outlier -- and am concerned it means there was some mechanism for MSC to issue / have issued a cert off a Symantec chain -- and this concerns me given the higher nominal level of validation.

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
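The crt.sh check described in the post above, done programmatically, as an added example that is not part of the original message: it groups the records returned by a crt.sh Identity search by issuing organisation and flags any CA that accounts for only a small minority of the results (the lone Symantec-chained certificate among GlobalSign ones). The `output=json` parameter and the `id` / `issuer_name` field names are assumptions about crt.sh's JSON output, and the sample records are constructed.

```python
"""Group crt.sh Identity-search results by issuing CA and flag outliers.

Added example, not code from the original post: it reproduces offline the
manual crt.sh check described above. The output=json parameter and field
names (id, issuer_name) are assumptions about crt.sh; sample data is made up.
"""
import json
import urllib.request
from collections import Counter
from urllib.parse import quote

def fetch_crtsh(identity):
    """Fetch live records for an Identity search (network; unused offline)."""
    url = f"https://crt.sh/?Identity={quote(identity)}&output=json"
    with urllib.request.urlopen(url, timeout=30) as resp:
        return json.loads(resp.read())

# Constructed sample in the shape of crt.sh JSON output; all values made up.
SAMPLE_RECORDS = [
    {"id": 1001, "issuer_name": "C=BE, O=GlobalSign nv-sa, CN=GlobalSign OV CA"},
    {"id": 1002, "issuer_name": "C=BE, O=GlobalSign nv-sa, CN=GlobalSign OV CA"},
    {"id": 1003, "issuer_name": "C=BE, O=GlobalSign nv-sa, CN=GlobalSign DV CA"},
    {"id": 1004, "issuer_name": "C=US, O=Symantec Corporation, "
                                "OU=Symantec Trust Network, CN=Symantec Class 3 OV CA"},
]

def issuer_org(issuer_name):
    """O= attribute of an issuer DN, so intermediates of one CA group together.
    Naive comma split: escaped commas inside a value need a real DN parser."""
    for part in issuer_name.split(","):
        part = part.strip()
        if part.startswith("O="):
            return part[2:]
    return issuer_name

def issuer_breakdown(records):
    """Count certificates per issuing organisation."""
    return Counter(issuer_org(r["issuer_name"]) for r in records)

def outliers(records, max_share=0.25):
    """(org, count, sorted crt.sh ids) for issuers holding at most max_share of
    the results, e.g. the lone Symantec-chained cert among GlobalSign ones."""
    counts = issuer_breakdown(records)
    total = sum(counts.values())
    found = []
    for org, n in counts.items():
        if n / total <= max_share:
            ids = sorted(r["id"] for r in records if issuer_org(r["issuer_name"]) == org)
            found.append((org, n, ids))
    return found
```

Running `outliers(fetch_crtsh("%MSC Trustgate.com Sdn Bhd"))` would apply the same grouping to live crt.sh results; each flagged `id` can then be opened as `https://crt.sh/?id=<id>` for manual review.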