On 19/05/17 21:04, Kathleen Wilson via dev-security-policy wrote:
<snip>
Hi Kathleen. I'm not quite sure how to interpret this part...
> - I'm not sold on the idea of requiring Symantec to use third-party CAs to perform validation/issuance on Symantec's behalf. The most serious concerns that I have with Symantec's old PKI are with their third-party subCAs and third-party RAs. I don't have particular concern about Symantec doing the validation/issuance in-house. So, I think it would be better/safer for Symantec to staff up to do the validation/re-validation in-house rather than using third parties. If the concern is about regaining trust, then add auditing to this.
Are you saying that Symantec would be a Delegated Third Party that can perform all of the validation and can trigger certificate issuance, but that it would actually be a third-party CA that handles the new Symantec PKI and issues certs (when triggered to do so by Symantec)?
Or, are you saying that Symantec would be permitted to operate their new PKI in-house from day 1?
--
Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online

