Loosen the interpretation of escrow from a box surrounded by KRAs, KROs, and
access controls with a rolling LTSK and escrow could describe what many white
glove and CDN tier hosting operations do. The CDN has written consent, but the
end customer never touches the TLS cert.
> -Original
We are not making any changes at this time.
> -Original Message-
> From: dev-security-policy [mailto:dev-security-policy-
> bounces+steve_medin=symantec@lists.mozilla.org] On Behalf Of
> Adrian R. via dev-security-policy
> Sent: Friday, September 01, 2017 4:09 AM
> To:
> -Original Message-
> From: dev-security-policy [mailto:dev-security-policy-
> bounces+steve_medin=symantec@lists.mozilla.org] On Behalf Of
> Devon O'Brien via dev-security-policy
> Sent: Wednesday, August 09, 2017 12:24 PM
> To: mozilla-dev-security-pol...@lists.mozilla.org
>
) It is our longstanding policy not to comment on rumors or market
speculation.
From: Alex Gaynor [mailto:agay...@mozilla.com]
Sent: Wednesday, July 19, 2017 10:25 AM
To: Steve Medin <steve_me...@symantec.com>
Cc: mozilla-dev-security-pol...@lists.mozilla.org
Subject: Re: [EXT] Symantec
...@konklone.com]
Sent: Wednesday, July 19, 2017 3:43 PM
To: Steve Medin <steve_me...@symantec.com>
Cc: mozilla-dev-security-pol...@lists.mozilla.org
Subject: Re: [EXT] Symantec Update on SubCA Proposal
On Wed, Jul 19, 2017 at 11:31 AM, Steve Medin via dev-security-policy
<dev-securi
illa.org
> Subject: Re: [EXT] Symantec Update on SubCA Proposal
>
> On 7/19/2017 8:31 AM, Steve Medin wrote:
> >> -Original Message-
> >> From: dev-security-policy [mailto:dev-security-policy-
> >> bounces+steve_medin=symantec@lists.mozilla.org] On Behal
.org
> Subject: Re: [EXT] Symantec Update on SubCA Proposal
>
> On 19/07/2017 17:31, Steve Medin wrote:
> >> -Original Message-
> >> From: dev-security-policy [mailto:dev-security-policy-
> >> bounces+steve_medin=symantec@lists.mozilla.org] On Behal
ternative date proposed
> below:
>
> On 18/07/2017 21:37, Steve Medin wrote:
> > Correction: Summary item #3 should read:
> >
> > 3. May 1, 2018
> > a. Single date of distrust of certificates issued prior to 6/1/2016.
> (changed from August 31, 2017 for certific
age-
> From: dev-security-policy [mailto:dev-security-policy-
> bounces+steve_medin=symantec@lists.mozilla.org] On Behalf Of
> Steve Medin via dev-security-policy
> Sent: Tuesday, July 18, 2017 2:23 PM
> To: mozilla-dev-security-pol...@lists.mozilla.org
> Subject: [EXT] Sym
*Progress Update on SubCA RFP, Partner Selection, and Execution*
Since June 1, Symantec has worked in earnest to operationalize the SubCA
proposal outlined by Google and Mozilla and discussed in community forums. The
core of this proposal is to transfer the authentication and issuance of
> -Original Message-
> From: Gervase Markham [mailto:g...@mozilla.org]
> Sent: Wednesday, June 07, 2017 2:51 PM
> To: Steve Medin <steve_me...@symantec.com>; mozilla-dev-security-
> pol...@lists.mozilla.org
> Cc: Kathleen Wilson <kwil...@mozilla.com>
> Su
> -Original Message-
> From: dev-security-policy [mailto:dev-security-policy-
> bounces+steve_medin=symantec@lists.mozilla.org] On Behalf Of
> Gervase Markham via dev-security-policy
> Sent: Friday, June 02, 2017 10:54 AM
> To: mozilla-dev-security-pol...@lists.mozilla.org
> Subject:
> -Original Message-
> From: dev-security-policy [mailto:dev-security-policy-
> bounces+steve_medin=symantec@lists.mozilla.org] On Behalf Of
> Gervase Markham via dev-security-policy
> Sent: Friday, May 19, 2017 11:42 AM
> To: mozilla-dev-security-pol...@lists.mozilla.org
> Subject:
Body__s
>
> gives me a 404 error.
>
>
> On Monday, May 15, 2017 at 11:09:41 AM UTC-4, Steve Medin wrote:
> > Gerv,
> >
> > Our response to the recent questions is posted at:
> > https://bugzilla.mozilla.org/attachment.cgi?id=8867735
> >
> > K
://helpx.adobe.com/acrobat/kb/approved-trust-list2/_jcr_content/main-pars/download-section/download-1/file.res/aatl_technical_requirements_v14.pdf
From: Alex Gaynor [mailto:agay...@mozilla.com]
Sent: Friday, May 05, 2017 10:18 AM
To: Steve Medin <steve_me...@symantec.com>
Cc: Gervase Markham <g...@mo
> -Original Message-
> From: dev-security-policy [mailto:dev-security-policy-
> bounces+steve_medin=symantec@lists.mozilla.org] On Behalf Of Ryan
> Sleevi via dev-security-policy
> Sent: Tuesday, April 25, 2017 6:50 PM
> To: Ryan Sleevi
> Cc:
Gerv,
Our response to the recent questions is posted at:
https://bugzilla.mozilla.org/attachment.cgi?id=8867735
Kind regards,
Steve
> -Original Message-
> From: dev-security-policy [mailto:dev-security-policy-
> bounces+steve_medin=symantec@lists.mozilla.org] On Behalf Of
> Gervase
> -Original Message-
> From: dev-security-policy [mailto:dev-security-policy-
> bounces+steve_medin=symantec@lists.mozilla.org] On Behalf Of
> Gervase Markham via dev-security-policy
> Sent: Monday, May 01, 2017 10:16 AM
> To: mozilla-dev-security-pol...@lists.mozilla.org
> Subject:
> -Original Message-
> From: dev-security-policy [mailto:dev-security-policy-
> bounces+steve_medin=symantec@lists.mozilla.org] On Behalf Of
> wizard--- via dev-security-policy
> Sent: Tuesday, May 02, 2017 7:10 AM
> To: mozilla-dev-security-pol...@lists.mozilla.org
> Subject: [EXT]
Gerv- Thank you for the thoughtful analysis. We are reviewing and intend to
respond to your latest proposal shortly.
> -Original Message-
> From: dev-security-policy [mailto:dev-security-policy-
> bounces+steve_medin=symantec@lists.mozilla.org] On Behalf Of
> Gervase Markham via
> -Original Message-
> From: dev-security-policy [mailto:dev-security-policy-
> bounces+steve_medin=symantec@lists.mozilla.org] On Behalf Of
> Gervase Markham via dev-security-policy
> Sent: Friday, April 21, 2017 6:17 AM
> To: mozilla-dev-security-pol...@lists.mozilla.org
> Subject:
> -Original Message-
> From: Gervase Markham [mailto:g...@mozilla.org]
> Sent: Tuesday, April 11, 2017 6:42 AM
> To: Steve Medin <steve_me...@symantec.com>; Rick Andrews
> <rick_andr...@symantec.com>; mozilla-dev-security-
> pol...@lists.mozilla.org
> -Original Message-
> From: dev-security-policy [mailto:dev-security-policy-
> bounces+steve_medin=symantec@lists.mozilla.org] On Behalf Of
> Gervase Markham via dev-security-policy
> Sent: Tuesday, April 04, 2017 9:06 AM
> To: mozilla-dev-security-pol...@lists.mozilla.org
> Subject:
> -Original Message-
> From: Gervase Markham [mailto:g...@mozilla.org]
> Sent: Thursday, April 13, 2017 9:13 AM
> To: Steve Medin <steve_me...@symantec.com>; Rick Andrews
> <rick_andr...@symantec.com>; mozilla-dev-security-
> pol...@lists.mozilla.org
.
> -Original Message-
> From: Gervase Markham [mailto:g...@mozilla.org]
> Sent: Thursday, April 13, 2017 9:13 AM
> To: Steve Medin <steve_me...@symantec.com>; Rick Andrews
> <rick_andr...@symantec.com>; mozilla-dev-security-
> pol...@lists.mozilla.org
> Subject:
Issue X: Incomplete RA Program Remediation (February - March 2017)
The only Symantec RAs capable of authorizing and issuing publicly trusted
SSL/TLS certificates are: CrossCert, Certisign, Certsuperior and Certisur.
Symantec continues to maintain a partner program for non-TLS certificates.
Issue T: RA Program Misissuances (January 2010 - January 2017)
Program Background:
Symantec has operated an RA program designed to deliver a superior customer
experience in global markets where language skills, understanding of local
business requirements, and physical local presence are
rocess to terminate the
agreements with both partners. One partner has ceased issuance of new
certificates and the other will stop as of September 30, 2016. In both cases,
Symantec will permit continued use of the subordinate CAs solely for the
purpose of signing CRLs through November 30, 201
Issue R: Insecure Issuance API (2013 or earlier - November 2016)
In April 2015, security consultant Chris Byrne responsibly disclosed two
potential vulnerabilities related to our Quick Invite feature, which enables a
reseller to invite pre-selected customers to enroll for certificates, via
Issue P: UniCredit Sub CA Failing To Follow BRs (April - October 2016)
We are committed to keeping our customers, partners and ecosystem informed and
taking action when necessary. We recognize that there are issues we are
accountable for, such as our March 2016 CA Communication response
Issue Q: Symantec Audit Issues 2016 (December 2015 - November 2016)
In our 2014-2015 audits, certain issues were identified that we promptly took
action on, including addressing the test certificate incident. We continued
these efforts until the Point in Time audit was conducted. We split the
Issue L: Cross-Signing the US Federal Bridge (February 2011 - July 2016)
Symantec, as well as VeriSign, has participated in the FPKI since 2006, and we
take our responsibility as a participant of this program very seriously. When
Symantec began participating in FPKI, FPKI rules required two-way
Issue N: Premature Manual Signing Using SHA-1 (July 2016)
This matter represents the first time any CA attempted to follow the exception
process which was developed over the course of weeks, beginning at the Bilbao
CABF face-to-face meeting in May 2016, and with the input of our partners.
Issue E: Domain Validation Vulnerability (October 2015)
With respect to Issue E, Symantec has no additional comments regarding the
perspective outlined in the summary. Please see
Issue H: SHA-1 Issuance After Deadline (January 2016)
With respect to Issue H, Symantec has no additional comments regarding the
perspective outlined in the summary. Please see
https://cabforum.org/pipermail/public/2016-January/006519.html for further
detail on Symantec's previous commentary
Issue B: 1024-bit Certificate Issued Directly From Root (Dec 2013 - Jan
2014)
The customer in question informed us of an issue in December 2013 that
threatened to seriously disrupt their primary business, and they sought our
assistance. The customer's non-browser implementation required a
> -Original Message-
> From: dev-security-policy [mailto:dev-security-policy-
> bounces+steve_medin=symantec@lists.mozilla.org] On Behalf Of Peter
> Gutmann via dev-security-policy
> Sent: Friday, March 10, 2017 4:15 AM
> To: Gervase Markham ; Peter Kurrasch
>
In the case of CrossCert, where we have evidence of failure to properly
document their work, we are NOT relying on their previous work and have begun
fully revalidating all active certificates. In the cases of the other 3 RAs,
our focus is reviewing all of the work previously done to verify
[mailto:r...@sleevi.com]
Sent: Wednesday, February 22, 2017 11:33 PM
To: Steve Medin <steve_me...@symantec.com>
Cc: mozilla-dev-security-pol...@lists.mozilla.org; r...@sleevi.com; Gervase
Markham <g...@mozilla.org>
Subject: Re: Misissued/Suspicious Symantec Certificates
Hi Steve,
Tha
Cc: Gervase Markham <g...@mozilla.org>;
mozilla-dev-security-pol...@lists.mozilla.org; Steve Medin
<steve_me...@symantec.com>
Subject: Re: Misissued/Suspicious Symantec Certificates
Hi Steve,
Two more questions to add to the list which is already pending:
In [1], in response to qu
.org
> Subject: Re: Intermediates Supporting Many EE Certs
>
> On Tuesday, 14 February 2017 13:47:51 UTC, Steve Medin wrote:
> > - PKCS#7 chains are indeed not a requirement, but see point 1. It’s
> probably no coincidence that IIS supports it given awareness of the dema
. You’re dug in.
From: Ryan Sleevi [mailto:r...@sleevi.com]
Sent: Monday, February 13, 2017 6:45 PM
To: Steve Medin <steve_me...@symantec.com>
Cc: r...@sleevi.com; Patrick Figel <patrick@figel.email>;
mozilla-dev-security-pol...@lists.mozilla.org; Gervase Markham
<g...@mozilla.o
.org
> Subject: Re: Intermediates Supporting Many EE Certs
>
> On Monday, 13 February 2017 22:40:45 UTC, Steve Medin wrote:
> > With de facto use of AIA, there is no issuer installation on the server that
> could be improper. Proper is defined at the moment, either by cache
rmediates Supporting Many EE Certs
>
> On 13/02/2017 18:25, Ryan Sleevi via dev-security-policy wrote:
> > On Mon, Feb 13, 2017 at 8:17 AM, Steve Medin via dev-security-policy <
> > dev-security-policy@lists.mozilla.org> wrote:
> >
> >> Getting all user
> -Original Message-
> From: dev-security-policy [mailto:dev-security-policy-
> bounces+steve_medin=symantec@lists.mozilla.org] On Behalf Of
> Gervase Markham via dev-security-policy
> Sent: Monday, February 13, 2017 7:23 AM
> To: mozilla-dev-security-pol...@lists.mozilla.org
>
A response is now available in Bugzilla 1334377 and directly at:
https://bugzilla.mozilla.org/attachment.cgi?id=8836487
> -Original Message-
> From: Gervase Markham [mailto:g...@mozilla.org]
> Sent: Thursday, February 09, 2017 4:56 AM
> To: Steve Medin <steve_me...@symante
our response.
Kind regards,
Steven Medin
PKI Policy Manager, Symantec Corporation
From: Ryan Sleevi [mailto:r...@sleevi.com]
Sent: Monday, January 30, 2017 12:36 PM
To: Ryan Sleevi <r...@sleevi.com>
Cc: Steve Medin <steve_me...@symantec.com>; Andrew Ayer
<a...@andrewayer.nam
Symantec's auditors, KPMG, completed a scan of CrossCert certificates to
detect potential mis-issuance. On Thursday, January 26, 2017 at 4:08pm PST,
KPMG provided a report that listed 12 problem certificates that were not in
Andrew Ayer's report. We began an investigation into that certificate
On Behalf Of Steve
> Medin
> Sent: Saturday, January 21, 2017 9:35 AM
> To: Andrew Ayer <a...@andrewayer.name>; mozilla-dev-security-
> pol...@lists.mozilla.org
> Subject: RE: Misissued/Suspicious Symantec Certificates
>
> The listed Symantec certificates were issued by one of
The listed Symantec certificates were issued by one of our WebTrust audited
partners. We have reduced this partner's privileges to restrict further
issuance while we review this matter. We revoked all reported certificates
which were still valid that had not previously been revoked within the 24
Symantec has an additional disclosure regarding internal name certificates
valid after October 1. First, we disclose 3 certificates that remained valid
after October 1 but expired prior to our previous report. Second, we
disclose 3 certificates that were revoked as a result of our analysis but
not
Andrew, thank you for your efforts to report this issue. We are
investigating and will report our resolution, cause analysis, and corrective
actions once complete.
Kind regards,
Steven Medin
PKI Policy Manager, Symantec Corporation
> -Original Message-
> From: dev-security-policy
-policy-bounces+steve_medin=symantec.com@lists.mozilla.org] On Behalf Of Steve Medin
Sent: Tuesday, September 06, 2016 7:27 PM
To: Jeremy Rowley <jeremy.row...@digicert.com>
Cc: mozilla-dev-security-pol...@lists.mozilla.org; Gervase Markham
<g...@mozilla.org>; Kyle Hamilton <aerow...@gma
We have become aware of this certificate and its key compromise, thank you
for this information. We are contacting the owner to understand impact to
the deployed devices, but with clear intent to revoke. We will provide
updates while we make progress.
Kind regards,
Steven Medin
PKI Policy