On 05/05/17 04:30, Steve Medin wrote:
> Gerv, thank you for your draft proposal under consideration. We have posted
> our comments and detailed information at:
> https://www.symantec.com/connect/blogs/symantec-ca-continues-public-dialogue

It feels somewhat strange to have this disjointed blog-vs.-forum
conversation... Here are my initial reactions on reading it.

It seems to me that Symantec's new statement says very little which has
not been said before, and that Symantec continues to underestimate the
perceived severity of the issues.

An argument that "we have revalidated all of these certificates and we
haven't found very many with problems" seems basically like "OK, we
weren't paying attention to what was going on over there, but as far as
we can tell now, turns out it was nothing bad, so that's all OK then,
isn't it?" Well, no.

Symantec makes much of their upcoming super-strict audit regime, but
does not seem to address the concerns raised in my proposal about the
limitations of audit as a mechanism for ensuring appropriate conduct.

They also seem to have ceased engaging with the issues list entirely,
despite the fact that issue Y, a very serious issue, seems to be
developing new facets and ramifications daily.

> This transparency effort included explicitly providing to Google for
> whitelisting the certificates that were issued by Symantec prior to us
> fully deploying CT support.

I notice Chrome does not contain such a whitelist. Ryan: are you able to
comment on this?

> If this action is taken exclusively against Symantec, it will create
> significant disruption for hundreds of thousands of customers / users
> and will harm our CA business.

Mozilla does not take the possible business harm to CAs into
consideration - in either direction - when considering our appropriate
response to a CA incident. It is unreasonable of Symantec to argue that
Mozilla should only take actions which result in no harm to Symantec's
business, just as it would be unreasonable for a community member to
argue that Mozilla should take additional actions "because the harm
isn't great enough yet to teach them a lesson" or somesuch.

dev-security-policy mailing list