Some relevant highlights -- Symantec supporting CAA and bringing a proposal to the CAB Forum to require other CAs to do the same thing:
We have implemented support for Certification Authority Authorization, enabling customers to explicitly specify from which CAs certificates for their domains may be issued. CAA only works in practice if all CAs support it and if they all explicitly honor customers’ preferences. Symantec has been a champion of CAA and we will be submitting a proposal to make a rule change within the CA/Browser Forum to require all CAs to explicitly support CAA.

Extending CT support to OV and DV certs, though it's not clear to me whether "offer" means "automatically log":

...while Certificate Transparency is an industry standard, today most CAs that support CT only log public Extended Validation certificates. Symantec does this today and is one of the few organizations that operates its own CT log servers. We have already begun to offer support for logging of Organization Validated certificates, and are planning to offer support for Domain Validated certificates for all customers as well.

And they're considering letting other CAs log to their servers:

We are also evaluating making our log servers freely available for all CAs to encourage their support for CT and to increase the effectiveness of CT.

It seems worth strongly encouraging Symantec to open its CT log servers to other CAs -- that's all-upside for the community. I also request that Symantec make its Certificate Transparency log server code a public open source project, so that other CAs can share and contribute to the underlying infrastructure.
-- Eric

On Fri, Oct 2, 2015 at 2:27 PM, Kathleen Wilson wrote:
> Symantec's Test Certificates Incident Final Report:
>
> https://www-secure.symantec.com/connect/sites/default/files/Test_Certificates_Incident_Final_Report.pdf

--
konklone.com | @konklone <https://twitter.com/konklone>

