Changes

This cert was issued directly from the root. Recently, Symantec have produced a 's [https://groups.google.com/forum/#!topic/mozilla.dev.security.policy/x_vrJtv7A0Y longer write-up] of the incident. In it, they point points out that issuance from the root is permitted by [https://cabforum.org/wp-content/uploads/Baseline_Requirements_V1_1_6.pdf version BRs 1.1.6], the version in force at the time, if 5 conditions are met, and they say they were met.

This cert was backdated, but that is not a BR or Mozilla policy violation, as long as it was not done to evade a technical control. It als so has  The cert had a short serial number. Entropy in the serial number is a SHOULD in BRs 1.1.6. 20 bits of entropy is a MUST in the Mozilla policy ([https://github.com/mozilla/pkipolicy/blob/2.2/rootstore/policy.md version 2.2]), but it doesn't say it has to be in the serial number - it could be that they randomised the notBefore time. I am told Microsoft removed the allowance for doing entropy in the Date field on 11th November 2013, so this was a violation of their policies. Symantec say that they got a verbal exception from Microsoft.

Symantec self-reported this issuance to Mozilla [https://bugzilla.mozilla.org/show_bug.cgi?id=966350 via Bugzilla] at the end of January 2014. Even though a [https://bugzilla.mozilla.org/show_bug.cgi?id=966350#c2 question was asked] about the BR Compliance OID that the new cert asserted, they did not comment on the bug beyond the initial report. Recently, Symantec have produced a [https://groups.google.com/forum/#!topic/mozilla.dev.security.policy/x_vrJtv7A0Y longer write-up] of the incident.