On Sunday, May 21, 2017 at 11:31:54 PM UTC, Michael Casadevall wrote:
> There's also a fair number of points dealing with who can sign and for
> what while Symantec spins up the new roots (which the Google proposal
> says a trusted third party CA signed by Symantec").
>
> I'm against this point specifically because third-party CA operations is
> how we got into this mess.
I agree with your general concern, but the OP states: "These sub-CAs must be operated by a non-affiliated organization that operates roots currently trusted in the Android and Chrome OS trust stores that have been trusted for a period of at least two years."

This to me sounds very similar in theory to Certum/Asseco doing OV for WoSign, which on this list has been considered OK. Personally, I'd rather not have any of this CA mixing, 3rd-party delegating, cross-signing of whole trees, root-buying etc., but all this stuff seems to be an integral part of current industry practice.+

I say "in theory" because Symantec's "good arguments" (aka monies) have the potential to make the selected CA their bi...dding doer by means of contract in reality. What else is new though? I'm positive Symantec would have always found some business arrangement with another CA for their customers that want > 9 months cert lifetime and/or EV under Google's first proposal, so we would have gotten some "Managed CA" one way or the other. Worst case it would have been mixed in with other certs, not having a dedicated subCA or other marker. Now it's explicit, separate and even has some additional rules.

NSS* already trusts that other CA to do proper validation right now, and they might just be smart enough to realize that they will be watched way more closely when Symantec starts using them to not do anything totally stupid. I honestly think that this "Managed CA" will get more practical oversight both by auditors and by the community than most of the roots in NSS.

+ Appreciation footnote for the DTP discussion @ cabf and the GlobalSign->Google root transfer discussion on here
* Android trust store seems to be a subset of NSS'

_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy

