In addition to requesting disclosure of intermediates that have been (even if they are not currently) able to issue server certs, and the catch-all, both of which seem excellent, I encourage Mozilla to consider asking these questions as part of an implemented remedy plan.
That is, put in motion Mozilla's plan of action given all the information available today, but note that certain modifications are possible should Symantec provide, in responses to these queries, additional information Mozilla considers useful and actionable. For example, consider executing the planned phase-out of all existing Symantec certs by early next year, with distrust of all existing roots at that time, and a limit on new cert lifetimes of 13 months. But should Symantec become a leader in reducing cert lifetimes with the stand-up of a clean PKI (cf. Eric Mill's proposal), then Mozilla would strive to (a) include the new roots by next year, and (b) accept certs with a lifetime of 27 months. Or, should Symantec be able to verifiably demonstrate other things (e.g. a complete map of their PKI inter-relations, and all parts that are non-BR compliant and thus should be distrusted), then the old ones might not be removed.

Yes, this is harder on the coders (I sympathize), but how much longer can the current situation (and the risks it does pose *today*) go on?

On Monday, May 8, 2017 at 1:08:27 PM UTC-4, richm...@gmail.com wrote:
> On Monday, May 8, 2017 at 1:24:28 PM UTC+1, Gervase Markham wrote:
> > I think it might be appropriate to have a further round of questions to
> > Symantec from Mozilla, to try and get some clarity on some outstanding
> > and concerning issues. Here are some _proposed_ questions; feel free to
> > suggest modifications or other questions, and I will decide what to send
> > officially to Symantec in a few days. Please focus on formulating
> > questions which would have an effect on Mozilla's view of Symantec or
> > our response to the recent issues.
>
> How about adding a catch-all:
>
> Are you aware of any information that might have an effect on Mozilla's view
> of Symantec, our response to the recent issues, or any further issues
> that have not been disclosed to us so far?
>
> Cheers
>
> Rich.
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy