Symantec subCAs and audits

Charles Reiss

May 26, 2016, 6:32:12 PM
to mozilla-dev-s...@lists.mozilla.org
Symantec has disclosed several subCAs via Salesforce and indicated that
these subCAs have the same audit as their parent; however, the audit
statement they link
(https://cert.webtrust.org/SealFile?seal=1565&file=pdf) has a table of
"In-Scope CAs" which does not appear to include the following subCAs
with notBefores in or before Nov 2014 (the end of time period covered by
the last available audit) and which had issued at least one certificate
by Nov 2014:

* "VeriSign Class 3 SSP Intermediate CA - G2"
(https://crt.sh/?caid=1384) and many of its subsubCAs, including
cross-signings of the Federal Bridge CA 2013

* "Oracle SSL CA"

* "VeriSign Class 3 Extended Validation 1024-bit SSL SGC CA"

* "VeriSign Non Federal Shared Service Provider Intermediate CA"

Also, the following apparently non-in-scope subCAs have a notBefore in
or before Nov 2014 but may not have issued certs by Nov 2014:

* "VeriSign Japan Class 1 CA - G4"
* "VeriSign Japan Class 2 CA - G4"
* "VeriSign Japan Class 3 MPKI Enterprise Administrator CA - G3"
* "VeriSign Japan Class 3 MPKI Operational Administrator CA - G2"
* "Symantec Class 3 SSP Intermediate CA - G3"
* "Symantec Class 3 Admin Intermediate Certificate Authority" (is this
the same as "Symantec Class 3 Enterprise Server Admin CA" referenced in
the auditor's report?)
* "Symantec Class 3 Registration Authority Intermediate CA"
