(Posting in an official capacity)

Jakob,

As the initial message said: "You can participate in this discussion at https://groups.google.com/a/chromium.org/forum/#!topic/blink-dev/eUAKwjihhBs "

I've removed the cross-post, to ensure that threads do not fork due to members being subscribed to one list versus the other. I know this is a new approach, and appreciate your understanding as we try to work through the challenges.

On Thu, Mar 23, 2017 at 3:54 PM, Jakob Bohm via dev-security-policy <dev-security-policy@lists.mozilla.org> wrote:

> On 23/03/2017 20:27, Ryan Sleevi wrote:
>
>> On Thu, Mar 23, 2017 at 1:38 PM, Jakob Bohm via dev-security-policy <dev-security-policy@lists.mozilla.org> wrote:
>>
>>> On 23/03/2017 17:09, Ryan Sleevi wrote:
>>>
>>>> (Posting in a Google Capacity)
>>>>
>>>> I just wanted to notify the members of this Forum that we have started an Intent to Deprecate and Remove, consistent with our Blink process, related to certain certificates issued by Symantec Corporation.
>>>>
>>>> This is a proposed plan, not a final commitment, and we welcome all feedback from members of this Forum to understand the risks and challenges. To understand the goals of this process, you can find more details at https://www.chromium.org/blink
>>>>
>>>> You can participate in this discussion at https://groups.google.com/a/chromium.org/forum/#!topic/blink-dev/eUAKwjihhBs
>>>>
>>>
>>> According to the linked document, Google is intending to distrust *all* Symantec issued certificates with a validity longer than 9 months, which is less than the 12 month validity normally being the minimum that site operators can purchase from CAs such as Symantec.
>>>
>>> It is also worth noting that this is apparently scheduled to occur less than 12 months from now (The document refers to Chrome/Blink version numbers with no associated dates, but contains a mention that one of the relevant releases would happen over the "winter holiday", presumably Christmas 2017).
>>>
>>> Since I know of no commercial (as opposed to free) CAs that routinely sell certificates with a duration of less than 12 months, this seems highly draconian and designed to drive Symantec out of the CA business.
>>>
>>> It also seems to ignore every mitigating factor discussed in this group, including those posted by Symantec themselves.
>>>
>>> For example the cited number of "30,000" affected certificates seems to come from the number of certificates that Symantec is actively double checking to ensure they were *not* misissued in a way similar to the original 127.
>>>
>>> It would seem that the only way to remain interoperable with both Chrome and the legacy devices and systems that trust only Symantec owned roots, would be if Chrome's TLS implementation somehow identified itself to servers as being a Chrome-based implementation before servers present their certificate.
>>>
>>> The computing world at large would be significantly inconvenienced if Symantec was forced to close down its CA business, in particular the parts of that business catering to other markets than general WebPki certificates.
>>>
>>
>>
>
> The above message (and one by Symantec) were posted to the mozilla.dev.security.policy newsgroup prior to becoming aware of Google's decision to move the discussion to its own private mailing list and procedures. I would encourage everyone concerned to keep the public Mozilla newsgroup copied on all messages in this discussion, which seems to have extremely wide repercussions.
>
> Enjoy
>
> Jakob
>
> --
> Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
> Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10
> This public discussion message is non-binding and may contain errors.
> WiseMo - Remote Service Management for PCs, Phones and Embedded
> _______________________________________________
> dev-security-policy mailing list
> dev-security-policy@lists.mozilla.org
> https://lists.mozilla.org/listinfo/dev-security-policy