Changes

When After this was drawn to their attention, Symantec [https://groups.google.com/forum/#!msg/mozilla.dev.security.policy/0wSUJKnH5MY/OAJD-tWBAAAJ did not revoke] the cross-sign certificate under discussion, instead allowing it to expire . (less than By contrast, Identrust revoked their similar cross-signature in mid-late February, a month laterweek or so after being notified of the issue by Mozilla.).

Symantec [https://groups.google.com/forum/#!topic/mozilla.dev.security.policy/KKqGmzQIOno claim] that the problem is with browsers not processing certificate policy extensions which are used within the FPKI. When they realised the problem, they negotiated with the FPKI to allow the relevant cross-cert to expire rather than renewing it.