On 2017-05-04 22:55, Alex Gaynor wrote:
I believe this further underscores finding Y, and others related to lack of
visibility into and BR-compliance of Symantec's intermediates.

The fact that we can still be finding new intermediates leaves me to wonder
if this is really the last of them, or there are still more. Personally, I
think this highlights the value of my earlier proposal, and I think it's
worth considering if, before any long term remediation strategies are
considered, such a rule requiring full disclosure and CT submission of all
Symantec CA certificates be implemented.

They were already required to disclose them, so I think just requiring them to submit them to CT is not going to change much. You would also need to enforce that all CA certificates have been submitted to CT when validating anything that traces back to one of their CAs. Note that the subscriber certificate doesn't need to be submitted for that, just all the CA certificates.

If we were to require submission to CT, we should probably also require that it's been submitted to CT some time before, so that we can do such checks as seeing they actually have the proper audit.

That leaves what we should do with such certificates if they don't have the needed audits. And I think Mozilla already has a policy for that, which we should probably follow.


dev-security-policy mailing list
