On Friday, May 19, 2017 at 8:42:40 AM UTC-7, Gervase Markham wrote:
>
> I have passed that document to Kathleen, and I hope she will be
> endorsing this general direction soon, at which point it will no longer
> be a draft.
>
> Assuming she does, this will effectively turn into a 3-way conversation
> between Symantec, Google and Mozilla, to iron out the details of what's
> required, with the Google proposal as a base. (Which I'm fine with as a
> starting point.)
>
> Comments are therefore invited on what modifications to the plan or
> additional requirements Mozilla might want to suggest/impose, and
> (importantly) why those suggestions/impositions are necessary and
> proportionate.
>
Gerv, thank you for all the effort you have been putting into this investigation into Symantec's mis-issuances, and in identifying the best way to move forward with the primary goal being to help keep end-users safe.

I fully support requiring Symantec to set up a new PKI on new infrastructure, and to transition to it in phases, in order to minimize the impact and reduce the risk for end-users.

I think the general direction is correct, but I think there are a few details to be ironed out, such as:

- What validity periods should be allowed for SSL certs being issued in the old PKI (until the new PKI is ready)? I prefer that this be on the order of 13 months, and not on the order of 3 years, so that we can hope to distrust the old PKI as soon as possible. I prefer to not have to wait 3 years to stop trusting the old PKI for SSL because a bunch of 3-year SSL certs get issued this year.

- Perhaps the new PKI should only be cross-signed by a particular intermediate cert of a particular root cert, so that we can begin to distrust the rest of the old PKI as soon as possible.

- I'm not sold on the idea of requiring Symantec to use third-party CAs to perform validation/issuance on Symantec's behalf. The most serious concerns that I have with Symantec's old PKI are with their third-party subCAs and third-party RAs. I don't have particular concern about Symantec doing the validation/issuance in-house. So, I think it would be better/safer for Symantec to staff up to do the validation/re-validation in-house rather than using third parties. If the concern is about regaining trust, then add auditing to this.

Thanks,
Kathleen

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy