Here's my roundup of things I think we should require of Symantec.

* Mozilla would wish, after 2017-08-08, to alter Firefox such that it trusts certificates issued in the "new PKI" directly by embedding a set of certs or trust anchors which are part of that PKI, and can therefore distrust any new cert which is issued by the old PKI on a "notBefore" basis. Symantec need to arrange their new PKI and provide us with sufficient information to be able to do that. Google also require this AFAICS, so it should not be difficult.

* Mozilla would wish, at some point in the future sooner than November 2020 (39 months after August 2017), to be certain that we are fully distrusting the old Symantec PKI. As things currently stand technically, this would mean removing the roots, and so Symantec would have to move their customers to the new PKI at a rate faster than natural certificate expiry. Rather than arbitrarily set a date here, we are willing to discuss what date might be reasonable with Symantec, but would expect it to be some time in 2018.

* If any additional audit is performed by Symantec, including but not limited to one "that includes a description of the auditor's tests of controls and results", then the intended users of the audit report must also include persons who assist in decisions related to the trusted status of Certification Authorities within Mozilla products. For any audit to unusually detailed criteria, it is permitted to place this information behind a login (or require it to be so placed) as long as Mozilla is allowed to give access to any member of our community that we wish.[0]

None of these things, as far as I can see, would need Google to change their plan. Have I missed anything? If we want to request changes in the Google plan to accommodate something we want to do, I think we may need to do so pretty soon.

Gerv

[0] AIUI, this is a technical thing relating to auditor standards and the intended users of a report. The aim here is to make it effectively public without making it actually public, to work around some issues in this space. Don't worry about it.

_______________________________________________
dev-security-policy mailing list
https://lists.mozilla.org/listinfo/dev-security-policy

