On 19/05/17 22:10, Jakob Bohm wrote:
> Necessity: Whitelists in various forms based on such CT log entries,
> as well as the SCTs in OCSP responses can provide an alternative for
> relying parties checking current certificates even if the cleanup at
> Symantec reveals a catastrophic breach during the past 20+ years.

Do you know anyone who would consider shipping such a whitelist? I suspect size considerations would rule it out, given that this was the concern raised for much smaller lists of certs. And if we did want to ship it, we would just ask Symantec for a list of certificates - no need for all this.

> Necessity: The Mozilla root program also cares about S/MIME
> certificates, so those should get the same measures as WebPKI
> certificates.

That seems a very weak justification for requiring something which would be a ton of work and require us to invent a new CT redaction scheme for S/MIME certs. None of the issues raised related to S/MIME.

> Proportionality: This is a natural consequence of the overall plan,
> and simply formalizes what is otherwise implied, namely that Symantec
> doesn't issue new certs from the old infrastructure except as strictly
> necessary.

That is not an implied outcome. Symantec can issue as many certs as they want from the old infrastructure; it's just that browsers will no longer trust them. I'm totally certain Symantec's existing PKI will keep running for many years to come to support non-publicly-trusted use cases.

> 7. All stated requirements except the premature expiry shall apply to
> time stamping signatures and certificates for timestamps certifying a
> time prior to the first deadline.

Mozilla does not care about such certificates.

> 9. Symantec shall be allowed and obliged to continue operation of the
> special "managed signing" services for which it has in the past been
> granted a technically enforced monopoly by various platform vendors,

Mozilla does not care about such certificates.

Gerv

_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy

