On 05/21/2017 02:37 PM, userwithuid wrote:
> To me, the most noticeable difference between how Google and Mozilla can take
> action is with regards to existing certs. As proposed, Google has a really
> neat timeline to get rid of Symantec's questionable legacy stuff quickly and
> effectively. (Legacy stuff which we - and arguably Symantec themselves
> judging from their responses on here so far - still don't have a complete
> picture of).
>
There's also a fair number of points dealing with who can sign and for what while Symantec spins up the new roots (which the Google proposal says "a trusted third party CA signed by Symantec"). I'm against this point specifically because third-party CA operations is how we got into this mess. I'd rather cap new certificate length from the existing roots as both a way to light a fire under Symantec and to avoid the same old mistakes.

Michael
_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy

