Accountapprovers, antispam, confirm, emeritus
4,925
edits
Changes
Update Issue Y
Both intermediates are disclosed in Salesforce, and both have 15 or so also-disclosed sub-CAs which seem to be specific to particular companies. The audit associated with both of them in Salesforce is [https://www.symantec.com/content/en/us/about/media/repository/symantec_nfssp_wtca_5_13_2016.pdf this one] from May 2016, but that audit document does not list the intermediate CAs that it covers. It's from Symantec's 2015 set of audits (i.e. the set before the current one). The most recent audit which covers the VeriSign Universal Root Certification Authority is [https://www.symantec.com/content/en/us/about/media/repository/18_Symantec_STN_WTCA_period_end_11-30-2016.pdf this one], but these certificates are not on the accompanying list of intermediates. There seems to be no 2016 version of the "Symantec Non-Federal Shared Service Provider WTCA" audit in the list for 2016 in the Symantec [https://www.symantec.com/about/legal/repository.jsp?tab=Tab3 document repository].
As far as we can tell, these intermediates are unconstrained, unrevoked and fully capable of issuing server authentication certificates which are trusted by Mozilla browsers. They appear to be related to the US Federal Bridge PKI (see Issue L).
===Symantec Response===
Symantec has not yet responded to this issue.
