On 05/05/17 04:30, Steve Medin wrote:
> Gerv, thank you for your draft proposal under consideration. We have posted
> our comments and detailed information at:
> https://www.symantec.com/connect/blogs/symantec-ca-continues-public-dialogue
It feels somewhat strange to have this disjointed blog-vs.-forum conversation... Here are my initial reactions on reading it.

It seems to me that Symantec's new statement says very little which has not been said before, and that Symantec continues to underestimate the perceived severity of the issues. An argument that "we have revalidated all of these certificates and we haven't found very many with problems" seems basically like "OK, we weren't paying attention to what was going on over there, but as far as we can tell now, turns out it was nothing bad, so that's all OK then, isn't it?" Well, no.

Symantec makes much of their upcoming super-strict audit regime, but does not seem to address the concerns raised in my proposal about the limitations of audit as a mechanism for ensuring appropriate conduct. They also seem to have ceased engaging with the issues list entirely, despite the fact that issue Y, a very serious issue, seems to be developing new facets and ramifications daily.

> This transparency effort included explicitly providing to Google for
> whitelisting the certificates that were issued by Symantec prior to us
> fully deploying CT support.

I notice Chrome does not contain such a whitelist. Ryan: are you able to comment on this?

> If this action is taken exclusively against Symantec, it will create
> significant disruption for hundreds of thousands of customers / users
> and will harm our CA business.

Mozilla does not take the possible business harm to CAs into consideration - in either direction - when considering our appropriate response to a CA incident. It is unreasonable of Symantec to argue that Mozilla should only take actions which result in no harm to Symantec's business, just as it would be unreasonable for a community member to argue that Mozilla should take additional actions "because the harm isn't great enough yet to teach them a lesson" or some such.
Gerv

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy