On Tue, Apr 11, 2017 at 6:02 AM, Gervase Markham via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote:
> Hi Ryan, > > On 10/04/17 16:38, Ryan Sleevi wrote: > > 1) You're arguing that "the issuance of this cert didn't impose risk on > > anyone but this specific customer" > > a) What factors lead you to that decision? > > Can you lay out for us a scenario where this issuance might impose risk > on someone else? > Sure. Consider the ecosystem risk where if every CA were to continue issuing 1024-bit certs. This imposes a risk on the collective users of the ecosystem, but notably Mozilla users, when accessing these sites, because it provides a weaker security guarantee than other sites. That is, it means the 'effective' security of the lock is gated on 1024-bit. Similarly, if we accept that 1024-bit does no one but the subscriber any harm, then it meaningfully prevents disabling 1024-bit support for leaf certs, both for Mozilla and the ecosystem. Importantly though, I think the question highlights the principle at play here - which is Symantec seems to view the Baseline Requirements as "The Baseline Suggestions that should be Requirements for our Competitors but Recommendations for Us". That is deeply problematic, and it's useful to understand from Symantec what factors go in to such determinations, in order to determine whether or not Symantec is, has been, or can be trustworthy. > > 2) You've noted that you did not disclose it due to "contractual > > obligations to protect the customer's privacy", which "remains in force". > > a) If a contractual obligation is in conflict with the Baseline > > Requirements, do you have a process defined to resolve that conflict? If > > so, please fully describe it. > > Do you think this particular contractual obligation to privacy _is_ in > conflict with the BRs? If so, which section? > The obligation itself, no, but the results of that obligation unquestionably are. I think it's in conflict with trustworthiness for Symantec to have policies that would prevent it from meaningfully disclosing certificates that are misissued (whether according to the Baseline Requirements or Symantec's CP/CPS), because it prevents and impairs the ability to understand the scope of the issues or the truthfulness of Symantec's claims. I'm deeply concerned with the suggestion that details of BR violations either cannot or should not be disclosed. _______________________________________________ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy
