On 2017-05-04 22:55, Alex Gaynor wrote:
> I believe this further underscores finding Y, and others related to lack of
> visibility into and BR-compliance of Symantec's intermediates.
>
> The fact that we can still be finding new intermediates leaves me to wonder
> if this is really the last of them, or there are still more. Personally, I
> think this highlights the value of my earlier proposal, and I think it's
> worth considering if, before any long term remediation strategies are
> considered, such a rule requiring full disclosure and CT submission of all
> Symantec CA certificates be implemented.

They were already required to disclose them, so I think just requiring
them to submit them to CT is not going to change much. You would also
need to enforce that all CA certificates have been submitted to CT when
validating anything that traces back to one of their CAs. Note that
the subscriber certificate doesn't need to be submitted for that,
just all the CA certificates.

If we were to require submission to CT, we should probably also require
that it's been submitted to CT some time before, so that we can do such
checks as seeing they actually have the proper audit.

That leaves what we should do with such certificates if they don't have
the needed audits. And I think Mozilla already has a policy for that,
which we should probably follow.

dev-security-policy mailing list