> On May 10, 2017, at 11:52, Gervase Markham via dev-security-policy 
> <dev-security-policy@lists.mozilla.org> wrote:
> I would appreciate people's comments on the details of the current draft.

I don’t think that this proposal goes far enough.

Symantec has demonstrated that they have no interested in engaging with the 
Mozilla community about these issues. Over the past months, dozens of relevant 
and important questions have been asked of Symantec by community members, and 
most of them remain unanswered to this day. In most cases, when questions were 
answered, it was only after setting a deadline, at the last possible moment of 
that deadline, and in a format that made it very hard to track responses and 
ask follow-up questions.

Given this lack of constructive engagement, the recent request that we “pause” 
making any decisions, and the breathtaking severity of the issues discovered, I 
believe that the only objective should be to minimize risk to users of the 
Mozilla root store by removing the Symantec roots as quickly as possible. 
Trusted roots are a privilege and a responsibility, not a right, and Symantec 
has demonstrated that they are not capable of fulfilling that responsibility at 
this time.

With that in mind and taking into account the responses to previous incidents, 
I believe the following actions should be taken as part of the proposed ‘new 
PKI’ plan:

1) Immediate removal of EV treatment from all certificates issued by existing 
Symantec roots.

2) The establishment of a cutoff date a few months from now after which new 
certificates issued from existing Symantec roots will no longer be trusted 
based on notBefore. A variant of this is already in the proposal, but the 
timeline is unclear.

3) Complete removal of existing Symantec roots from the trust store as quickly 
as possible while limiting user impact, using the Chrome accelerated expiry 
proposal as a starting point.

dev-security-policy mailing list

Reply via email to