On 19/05/17 22:16, Rob Stradling wrote:
> Are you saying that Symantec would be a Delegated Third Party that can
> perform all of the validation and can trigger certificate issuance, but
> that it would actually be a third-party CA that handles the new Symantec
> PKI and issues certs (when triggered to do so by Symantec)?

I believe that's her suggestion, yes.

The volume of validations Symantec needs to do is a concern; I believe
this is why Google are permitting a phased introduction to the
requirement that the validations be redone. One way to avoid this
problem is, well, not requiring that the validations be redone, or
allowing Symantec personnel to continue doing them.

> Or, are you saying that Symantec would be permitted to operate their new
> PKI in-house from day 1?

This would mean allowing Symantec to run the new PKI from some form of
their old infrastructure. That seems to defeat a lot of the point of
requiring a new one.

Gerv
_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy
