On 04/05/17 19:30, Jakob Bohm wrote:
> 1. Issue D actually seems to conflate three *completely different*
>    issues:

Are you sure you are not referring to the Issues List document here rather than the proposal?

> 2. If the remaining unconstrained SubCAs are operated by Symantec and
>    subject to (retroactive if necessary) compliance audits showing that
>    they don't issue certs that could not (under the BR and Mozilla
>    policies) be issued from a public Symantec CA by an "Enterprise RA"
>    (as defined in the BRs), could those SubCAs not simply be
>    reclassified as "public SubCAs" for Mozilla/BR policy purposes while
>    remaining further usage limited by actual Symantec practices and
>    contractual arrangements beyond the BR/Mozilla policies?

I'm afraid I just don't understand this.

> - Is it really necessary to outsource this to bring the Symantec PKI
>   under control? Or was this simply copy/pasted from the
>   WoSign/StartCom situation?

Nothing like this was proposed for WoSign/StartCom.

> - If this is outsourced as suggested, how can/should Symantec
>   continue to serve customers wanting certificates that chain to
>   older CA certs in the old hierarchy.

The old cross-signs the new.

> - Could some of the good SubCAs under the "Universal" and "Georoot"
>   program be salvaged by signing them from new roots and adding the
>   cross certs to default Mozilla and Chrome installations (so servers
>   don't need to install them)? For example, if the legit EV SubCAs
>   under "Universal" are cross-signed by a (new) "EV-only" root, could
>   Mozilla move the EV trust to that new root, thus removing the
>   risk of EV-trusting any other "Universal" subCAs.

I'm sure we'd be open to discussing implementation details like that.

Gerv
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy