On 19/05/17 21:04, Kathleen Wilson wrote:
> - What validity periods should be allowed for SSL certs being issued
> in the old PKI (until the new PKI is ready)?

Symantec is required only to be issuing in the new PKI by 2017-08-08 - in around ten weeks' time. In the meantime, there is no restriction beyond the normal one on the length they can issue. This makes sense, because if certs issued yesterday will expire 39 months from yesterday, then certs issued in 10 weeks will only expire 10 weeks after that - not much difference.

> I prefer that this be on
> the order of 13 months, and not on the order of 3 years, so that we
> can hope to distrust the old PKI as soon as possible. I prefer to not
> have to wait 3 years to stop trusting the old PKI for SSL, because a
> bunch of 3-year SSL certs get issued this year.

If we want to distrust the old PKI as soon as possible, then instead of trying to limit the issuance period now, we should simply set a date after which we are doing this, and require Symantec to have moved all of their customers across to the new PKI by that time.

Google are doing a phased distrust of old certs, but they have not set a date in their plan for total distrust of the old PKI. We should ask them what their plans are for that.

> - I'm not sold on the idea of requiring Symantec to use third-party
> CAs to perform validation/issuance on Symantec's behalf. The most
> serious concerns that I have with Symantec's old PKI is with their
> third-party subCAs and third-party RAs. I don't have particular
> concern about Symantec doing the validation/issuance in-house. So, I
> think it would be better/safer for Symantec to staff up to do the
> validation/re-validation in-house rather than using third parties. If
> the concern is about regaining trust, then add auditing to this.

Of course, if we don't require something but Google do (or vice versa) then Symantec will need to do it anyway. But I will investigate in discussions whether some scheme like this might be acceptable to both the other two sides and might lead to a quicker migration timetable to the new PKI.
Gerv

_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy

