Extra requirement:

* Symantec must notify each of its EV and DV certificate holders once 
prominently at renewal time that "During the period of your last certificate, 
Symantec has failed to fully uphold its duties to the Webtrust Requirements 
required by many browser vendors. You understand that the validity of the 
certificates you buy here could be terminated early if Symantec misses further 
requirements."


Currently, customers are blissfully unaware of the potential benefits of one CA 
over another, or the potential cost to them if a CA has security issues, with 
most marketing based on who has the biggest golden padlock image on display. 
Text like this will help customers make an informed decision based on a CA's 
security history of technical successes/failures.

On Thursday, October 29, 2015 at 8:49:47 PM UTC, Matt Palmer wrote:
> On Thu, Oct 29, 2015 at 02:17:35PM +0100, Kurt Roeckx wrote:
> > On 2015-10-28 22:30, Kathleen Wilson wrote:
> > >According to the article, here is what Google is requiring of Symantec:
> > >
> > >1) as of June 1st, 2016, all certificates issued by Symantec itself will
> > >be required to support Certificate Transparency
> > 
> > I know this is directly copied from their blog about this, but I wonder what
> > it means for a certificate to support CT.  Is the requirement really that
> > all certificates need to be published in CT?
> 
> Yes, I'd say that's the intention.  Further, I'll wager that Chromium will
> refuse to trust a certificate issued after the cutoff date which chains to a
> Symantec root, unless it is presented with sufficient SCTs to qualify under
> Chromium's CT policy.  If Google's *really* playing hardball, they may
> require all existing Symantec certs to be enumerated for a whitelist, and
> will refuse to trust the notBefore date, similar to how existing EV certs
> were grandfathered.
> 
> - Matt
> 
> -- 
> Of course, I made the mistake of showing [a demo application] off to my boss,
> who showed it off to his boss, and suddenly I couldn't reboot my desktop box
> without getting a change control approved.
>               -- Derick Siddoway, in a place that doesn't exist
_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy
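The gate Matt describes above (a certificate chaining to a Symantec root and issued after the cutoff is trusted only if it carries enough SCTs, with a possible "hardball" variant where notBefore is ignored and only whitelisted existing certificates are exempt) can be sketched as a policy check over the RFC 6962 SignedCertificateTimestampList that a certificate embeds in the 1.3.6.1.4.1.11129.2.4.2 extension. The following is an added example written for this page; it is not Chromium's code and not part of the thread. The monitored-root fingerprint, the whitelist contents, the two-SCT threshold and the sample SCT bytes are constructed assumptions, and the code deliberately does not verify SCT signatures against log public keys (Chromium does; that step needs the log key set and the TBSCertificate and is left out here).

```python
import struct
from datetime import datetime, timezone

# Assumption: SHA-256 fingerprints (hex) of the roots the policy applies to.
# Placeholder value, not a real Symantec root fingerprint.
MONITORED_ROOTS = {"aa" * 32}

# Cutoff date named in the thread: certificates issued on or after it need SCTs.
CUTOFF = datetime(2016, 6, 1, tzinfo=timezone.utc)


def parse_sct(raw: bytes) -> dict:
    """Parse one RFC 6962 SerializedSCT (version 1 wire format).

    Layout: version(1) log_id(32) timestamp(8) ext_len(2) ext
            sig_hash(1) sig_alg(1) sig_len(2) signature
    """
    if len(raw) < 1 + 32 + 8 + 2:
        raise ValueError("truncated SCT")
    if raw[0] != 0:  # sct_version v1 is encoded as 0
        raise ValueError("unknown SCT version %d" % raw[0])
    log_id = raw[1:33]
    (ts_ms,) = struct.unpack("!Q", raw[33:41])
    (ext_len,) = struct.unpack("!H", raw[41:43])
    pos = 43 + ext_len
    if pos + 4 > len(raw):
        raise ValueError("truncated SCT extensions/signature header")
    hash_alg, sig_alg = raw[pos], raw[pos + 1]
    (sig_len,) = struct.unpack("!H", raw[pos + 2:pos + 4])
    sig = raw[pos + 4:pos + 4 + sig_len]
    if len(sig) != sig_len or pos + 4 + sig_len != len(raw):
        raise ValueError("SCT signature length mismatch or trailing bytes")
    return {"log_id": log_id, "timestamp": datetime.fromtimestamp(ts_ms / 1000, timezone.utc),
            "hash_alg": hash_alg, "sig_alg": sig_alg, "signature": sig}


def parse_sct_list(data: bytes) -> list:
    """Parse a SignedCertificateTimestampList: uint16 total length, then
    uint16-length-prefixed SerializedSCT items. Rejects truncation and overrun."""
    if len(data) < 2:
        raise ValueError("truncated list length")
    (total,) = struct.unpack("!H", data[:2])
    body = data[2:2 + total]
    if len(body) != total:
        raise ValueError("declared list length exceeds available data")
    scts, pos = [], 0
    while pos < len(body):
        if pos + 2 > len(body):
            raise ValueError("truncated SCT item length")
        (n,) = struct.unpack("!H", body[pos:pos + 2])
        pos += 2
        item = body[pos:pos + n]
        if len(item) != n:
            raise ValueError("SCT item overruns list")
        pos += n
        scts.append(parse_sct(item))
    return scts


def ct_policy_allows(root_fp: str, cert_fp: str, not_before: datetime, scts: list,
                     required: int = 2, whitelist=None):
    """Return (allowed, reason) for the gate described in the thread.

    required: assumed threshold of SCTs from distinct logs (Chromium's real
              policy scales the count with certificate lifetime).
    whitelist: if not None, the "hardball" variant: notBefore is not trusted
              and only certificates in the whitelist are exempt.
    """
    if root_fp not in MONITORED_ROOTS:
        return True, "root not subject to the CT requirement"
    if whitelist is not None:
        if cert_fp in whitelist:
            return True, "pre-cutoff certificate on the whitelist"
        # notBefore deliberately ignored: fall through to the SCT check
    elif not_before < CUTOFF:
        return True, "issued before the cutoff, grandfathered by notBefore"
    distinct_logs = {s["log_id"] for s in scts}  # duplicates from one log count once
    if len(distinct_logs) >= required:
        return True, "%d SCTs from distinct logs" % len(distinct_logs)
    return False, "only %d distinct-log SCTs, %d required" % (len(distinct_logs), required)


# --- constructed sample data (signatures are dummy bytes, never verified) ---
def build_sct(log_id: bytes, ts_ms: int, sig: bytes = b"\x00" * 8) -> bytes:
    body = (bytes([0]) + log_id + struct.pack("!Q", ts_ms) + struct.pack("!H", 0)
            + bytes([4, 3]) + struct.pack("!H", len(sig)) + sig)  # 4=sha256, 3=ecdsa
    return struct.pack("!H", len(body)) + body


def build_sct_list(items: list) -> bytes:
    body = b"".join(items)
    return struct.pack("!H", len(body)) + body


SAMPLE_LIST = build_sct_list([build_sct(b"\x01" * 32, 1446000000000),
                              build_sct(b"\x02" * 32, 1446000001000)])

if __name__ == "__main__":
    scts = parse_sct_list(SAMPLE_LIST)
    print(ct_policy_allows("aa" * 32, "cert1", datetime(2016, 7, 1, tzinfo=timezone.utc), scts))
```

Two details matter in practice: SCTs from the same log are counted once, so a certificate cannot satisfy the threshold by repeating one log, and the whitelist variant never consults notBefore, which is exactly why it is the harsher option Matt describes.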
