As the perennial bad guy, I look forward to Symantec (and others) publishing certs with CT. I can data-mine the logs to get a list of their customers and target them for any number of purposes. One possibility I'm considering:
"Dear Symantec Customer: Did you hear about Symantec's recent trouble with certificate mis-issuance? We care deeply about your security, so please click on this link to verify that your own certificates have not been compromised...." The linked site, of course, will infect the person's PC with malware. Or maybe it will be a site that tries to steal their business from Symantec. I haven't decided yet.

Original Message
From: Matt Palmer
Sent: Thursday, October 29, 2015 3:49 PM

On Thu, Oct 29, 2015 at 02:17:35PM +0100, Kurt Roeckx wrote:
> On 2015-10-28 22:30, Kathleen Wilson wrote:
> >According to the article, here is what Google is requiring of Symantec:
> >
> >1) as of June 1st, 2016, all certificates issued by Symantec itself will
> >be required to support Certificate Transparency
>
> I know this is directly copied from their blog about this, but I wonder what
> it means for a certificate to support CT. Is the requirement really that
> all certificates need to be published in CT?

Yes, I'd say that's the intention. Further, I'll wager that Chromium will refuse to trust a certificate issued after the cutoff date which chains to a Symantec root, unless it is presented with sufficient SCTs to qualify under Chromium's CT policy. If Google's *really* playing hardball, they may require all existing Symantec certs to be enumerated for a whitelist, and will refuse to trust the notBefore date, similar to how existing EV certs were grandfathered.

_______________________________________________
dev-security-policy mailing list
https://lists.mozilla.org/listinfo/dev-security-policy
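The "sufficient SCTs" test in the quoted reply comes down to parsing the SignedCertificateTimestampList (RFC 6962 section 3.3) that a server embeds in its certificate or TLS handshake and counting how many distinct logs vouched for the certificate. The following is an added example, not code from the thread or from Chromium: it builds a constructed SCT list with dummy signatures, parses it, and applies a caller-supplied "distinct logs required" threshold (the real Chromium policy number is an assumption left as a parameter; signatures are not verified here, since that needs the logs' public keys).

```python
import struct
from datetime import datetime, timezone

def build_sct(log_id: bytes, ts_ms: int, sig: bytes = b"\x00" * 64) -> bytes:
    """Constructed v1 SCT for testing only; the signature is a dummy and unverifiable."""
    assert len(log_id) == 32, "LogID is the SHA-256 of the log's public key (32 bytes)"
    return (b"\x00" + log_id + struct.pack("!Q", ts_ms) + struct.pack("!H", 0)  # v1, id, ts, no extensions
            + b"\x04\x03" + struct.pack("!H", len(sig)) + sig)                  # sha256 / ecdsa, signature

def build_sct_list(scts: list[bytes]) -> bytes:
    """Wrap serialized SCTs as a SignedCertificateTimestampList (2-byte length prefixes)."""
    body = b"".join(struct.pack("!H", len(s)) + s for s in scts)
    return struct.pack("!H", len(body)) + body

def parse_sct(sct: bytes) -> dict:
    """Decode one SerializedSCT: version | log_id(32) | timestamp(8) | extensions | signature."""
    if sct[0] != 0:
        raise ValueError("unsupported SCT version %d" % sct[0])
    log_id = sct[1:33]
    (ts_ms,) = struct.unpack_from("!Q", sct, 33)
    (ext_len,) = struct.unpack_from("!H", sct, 41)
    p = 43 + ext_len
    hash_alg, sig_alg = sct[p], sct[p + 1]
    (sig_len,) = struct.unpack_from("!H", sct, p + 2)
    sig = sct[p + 4:p + 4 + sig_len]
    if len(sig) != sig_len or p + 4 + sig_len != len(sct):
        raise ValueError("truncated SCT or trailing bytes")
    return {"log_id": log_id.hex(),
            "timestamp": datetime.fromtimestamp(ts_ms / 1000, tz=timezone.utc),
            "hash_alg": hash_alg, "sig_alg": sig_alg, "signature": sig}

def parse_sct_list(blob: bytes) -> list[dict]:
    """Decode the outer list; the same bytes sit inside the X.509 OCTET STRING or TLS extension."""
    (total,) = struct.unpack_from("!H", blob, 0)
    if total != len(blob) - 2:
        raise ValueError("SCT list length mismatch")
    pos, out = 2, []
    while pos < len(blob):
        (n,) = struct.unpack_from("!H", blob, pos)
        pos += 2
        out.append(parse_sct(blob[pos:pos + n]))
        pos += n
    return out

def distinct_logs(scts: list[dict]) -> int:
    # Duplicate SCTs from one log do not add diversity, so count unique log IDs.
    return len({s["log_id"] for s in scts})

def satisfies_policy(blob: bytes, required_distinct_logs: int) -> bool:
    return distinct_logs(parse_sct_list(blob)) >= required_distinct_logs

# Constructed sample: three SCTs, but only two distinct logs (A, A, B).
LOG_A, LOG_B = b"\x01" * 32, b"\x02" * 32
SAMPLE = build_sct_list([build_sct(LOG_A, 1446112140000),
                         build_sct(LOG_A, 1446112150000),
                         build_sct(LOG_B, 1446112160000)])
```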

