To me, the most noticeable difference between how Google and Mozilla can take action is with regard to existing certs. As proposed, Google has a really neat timeline to get rid of Symantec's questionable legacy stuff quickly and effectively. (Legacy stuff which we - and arguably Symantec themselves, judging from their responses on here so far - still don't have a complete picture of.)
Come 2018-01-18 (8 months from now), Google could comfortably say it _actually_ only trusts (relatively) new Symantec certs, thanks to the 2016-06 CT requirement. No more undisclosed old subCAs that are technically capable of issuing trusted certs, no more reliance on notBefore, which could technically be faked; if they choose to do so, Google can enable unconditional technical enforcement of CT for all things Symantec, and everyone who is interested can use the logs to get a complete picture of what will actually be trusted in Chrome 65. Mozilla doesn't have this (yet).

Google's first proposal would have been great because, if all certs have to be reissued within a year anyway to be trusted by Chrome (~ half of the browser market), Mozilla could have at least implemented a simple notBefore check to latch on to that legacy purge. With the new proposal, the "minimal disruption" solution for Firefox will require keeping the legacy stuff around for another 3.5-4 years, and better solutions will now be a lot harder to sell without the leverage provided by Google. Quite an unfortunate development.

This has the potential to end up mirroring the WoSign response, where Mozilla and Apple sanction new certs via notBefore and then... wait - worst case up to 3.5 years - while Google acts and effectively gets rid of the legacy in < 1 year using technical restrictions.* Now I can't think of any fix other than "copy Chrome -> enforce CT" or "prematurely distrust older certs anyway -> make everyone hate or ditch Mozilla"; maybe someone else knows a way. As it stands, I suspect that in all likelihood Chromium will again have the better code solution over Firefox, which is kinda meh, but whatever. :-)

* FTR: Google fucked up majorly by not communicating their plan and deadlines for WoSign clearly. Critical info on future distrust steps was only vaguely hinted at in the single proper announcement made on this.
Still, it's awesome to see the agreed-upon policy change (= distrust current WoSign, have them start fresh with new roots) implemented within a reasonable timeframe.

_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy
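To make the two approaches contrasted in the post concrete, here is an added example in Go (not code from the post, from Mozilla or from Chromium) that builds a throwaway root and a few leaves with crypto/x509 and then applies one of two rules to chains that end in a "sanctioned" root: the WoSign-style rule, which rejects leaves whose notBefore is on or after a cutoff and keeps the legacy certs working, and the Chrome-style rule, which keeps pre-cutoff leaves only if they carry an embedded SCT extension. The cutoff date, CA names and hostnames are made up for the example. Note that the example only checks for the presence of the SCT extension; real CT enforcement verifies the SCTs against trusted logs, which is exactly what makes it robust where a notBefore date (which the CA itself writes) is not.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"encoding/hex"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Policy selects which rule applies to chains ending in a sanctioned root.
type Policy int

const (
	// DistrustNew: leaves issued on/after the cutoff are rejected; legacy leaves keep working (WoSign-style).
	DistrustNew Policy = iota
	// RequireCTForOld: leaves issued before the cutoff must carry embedded SCTs; newer leaves pass this gate (Chrome-style).
	RequireCTForOld
)

// OID of the embedded SCT list extension (RFC 6962, section 3.3).
var oidEmbeddedSCTs = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 11129, 2, 4, 2}

func mustKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// spkiHash identifies a root by the SHA-256 of its SubjectPublicKeyInfo, so renamed or cross-signed
// copies of the same key are still caught.
func spkiHash(c *x509.Certificate) string {
	sum := sha256.Sum256(c.RawSubjectPublicKeyInfo)
	return hex.EncodeToString(sum[:])
}

// makeRoot creates a self-signed CA cert valid 2015..2035 (example-only names and dates).
func makeRoot(cn string) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := mustKey()
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Date(2015, 1, 1, 0, 0, 0, 0, time.UTC),
		NotAfter:              time.Date(2035, 1, 1, 0, 0, 0, 0, time.UTC),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// makeLeaf issues a 3-year server cert under parent. withSCT adds an (empty, unverified) SCT list extension
// as a stand-in for a CT-logged cert; a real check would parse and verify the SCT signatures.
func makeLeaf(parent *x509.Certificate, parentKey *ecdsa.PrivateKey, cn string, notBefore time.Time, withSCT bool) *x509.Certificate {
	key := mustKey()
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 64))
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber: serial,
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    notBefore,
		NotAfter:     notBefore.AddDate(3, 0, 0),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	if withSCT {
		// DER OCTET STRING of length 0: placeholder SCT list, present but empty.
		tmpl.ExtraExtensions = []pkix.Extension{{Id: oidEmbeddedSCTs, Value: []byte{0x04, 0x00}}}
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert
}

func hasEmbeddedSCTs(c *x509.Certificate) bool {
	for _, ext := range c.Extensions {
		if ext.Id.Equal(oidEmbeddedSCTs) {
			return true
		}
	}
	return false
}

// gate does normal path validation first, then applies the sanction rule only if every chain found
// ends in a sanctioned root (a chain to an unrelated root is trusted as usual).
func gate(leaf *x509.Certificate, roots *x509.CertPool, sanctioned map[string]bool, policy Policy, cutoff, now time.Time) error {
	chains, err := leaf.Verify(x509.VerifyOptions{Roots: roots, CurrentTime: now})
	if err != nil {
		return err
	}
	for _, chain := range chains {
		if !sanctioned[spkiHash(chain[len(chain)-1])] {
			return nil
		}
	}
	issuedBeforeCutoff := leaf.NotBefore.Before(cutoff)
	switch policy {
	case DistrustNew:
		if !issuedBeforeCutoff {
			return errors.New("issued by sanctioned CA after cutoff")
		}
	case RequireCTForOld:
		if issuedBeforeCutoff && !hasEmbeddedSCTs(leaf) {
			return errors.New("legacy cert from sanctioned CA without SCTs")
		}
	}
	return nil
}

// Evaluate builds the scenario and returns, per case, whether the leaf is trusted.
func Evaluate() map[string]bool {
	cutoff := time.Date(2016, 10, 21, 0, 0, 0, 0, time.UTC) // made-up cutoff for the example
	now := time.Date(2018, 1, 18, 0, 0, 0, 0, time.UTC)
	sanctionedRoot, sanctionedKey := makeRoot("Example Sanctioned CA")
	cleanRoot, cleanKey := makeRoot("Example Unrelated CA")
	roots := x509.NewCertPool()
	roots.AddCert(sanctionedRoot)
	roots.AddCert(cleanRoot)
	sanctioned := map[string]bool{spkiHash(sanctionedRoot): true}

	legacyDate := time.Date(2016, 1, 1, 0, 0, 0, 0, time.UTC)
	freshDate := time.Date(2017, 9, 1, 0, 0, 0, 0, time.UTC)
	legacy := makeLeaf(sanctionedRoot, sanctionedKey, "legacy.example", legacyDate, false)
	legacySCT := makeLeaf(sanctionedRoot, sanctionedKey, "logged.example", legacyDate, true)
	fresh := makeLeaf(sanctionedRoot, sanctionedKey, "fresh.example", freshDate, false)
	unrelated := makeLeaf(cleanRoot, cleanKey, "other.example", legacyDate, false)

	cases := []struct {
		name   string
		leaf   *x509.Certificate
		policy Policy
	}{
		{"distrust-new/legacy", legacy, DistrustNew},
		{"distrust-new/fresh", fresh, DistrustNew},
		{"require-ct/legacy-no-sct", legacy, RequireCTForOld},
		{"require-ct/legacy-with-sct", legacySCT, RequireCTForOld},
		{"require-ct/fresh", fresh, RequireCTForOld},
		{"require-ct/unrelated-root", unrelated, RequireCTForOld},
	}
	out := map[string]bool{}
	for _, c := range cases {
		out[c.name] = gate(c.leaf, roots, sanctioned, c.policy, cutoff, now) == nil
	}
	return out
}

func main() {
	for name, trusted := range Evaluate() {
		fmt.Printf("%-28s trusted=%v\n", name, trusted)
	}
}
```

The interesting rows are the two legacy leaves: under DistrustNew the 2016 cert stays trusted until it expires (the "wait up to 3.5 years" case), while under RequireCTForOld the same cert is rejected unless it was logged, which is how the legacy set gets purged in under a year without touching notBefore at all.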

