On 04/05/17 19:30, Jakob Bohm wrote:
> 1. Issue D actually seems to conflate three *completely different*
>   issues:

Are you sure you are not referring to the Issues List document here
rather than the proposal?

> 2. If the remaining unconstrained SubCAs are operated by Symantec and
>   subject to (retroactive if necessary) compliance audits showing that
>   they don't issue certs that could not (under the BR and Mozilla
>   policies) be issued from a public Symantec CA by an "Enterprise RA"
>   (as defined in the BRs), could those SubCAs not simply be
>   reclassified as "public SubCAs" for Mozilla/BR policy purposes while
>   remaining further usage limited by actual Symantec practices and
>   contractual arrangements beyond the BR/Mozilla policies?

I'm afraid I just don't understand this.

>    - Is it really necessary to outsource this to bring the Symantec PKI
>     under control?  Or was this simply copy/pasted from the
>     WoSign/StartCom situation?

Nothing like this was proposed for WoSign/StartCom.

>    - If this is outsourced as suggested, how can/should Symantec
>     continue to serve customers wanting certificates that chain to
>     older CA certs in the old hierarchy.

The old cross-signs the new.

>    - Could some of the good SubCAs under the "Universal" and "Georoot"
>     program be salvaged by signing them from new roots and adding the
>     cross certs to default Mozilla and Chrome installations (so servers
>     don't need to install them)?  For example, if the legit EV SubCAs
>     under "Universal" are cross-signed by a (new) "EV-only" root, could
>     Mozilla move the EV trust to that new root, thus removing the
>     risk of EV-trusting any other "Universal" subCAs.

I'm sure we'd be open to discussing implementation details like that.


dev-security-policy mailing list

Reply via email to