As an incidental, I am negatively influenced by reading Symantecs response:

On Friday, 2 June 2017 16:48:45 UTC+1, Steve Medin  wrote:

>  s-subca-proposal
> > Our primary objective has always been to minimize any potential business
> > disruption for our customers

So, Symantec's primary objective is not PK Security, PKI Trust, or Best 
Practise, or even Baseline Requirements?

> > Our CA business is led and staffed by experienced individuals around the 
> > world 
> > who serve our customers while ensuring our issuance practices comply with 
> > industry and browser requirements.  

This is fundametally inaccurate, if this was true then the issues that Mozilla 
and others have discovered wouldn't have been there to find.

> > As the largest issuer of EV and OV certificates in the industry according 
> > to 
> > Netcraft, Symantec handles significantly larger volumes of validation 
> > workloads across more geographies than most other CA’s. To our knowledge, 
> > no 
> > other single CA operates at the scale nor offers the broad set of 
> > capabilities 
> > that Symantec offers today.

So what if Symantec is the largest? If I am the busiest barman in the West and 
serving thousands of drinks an hour, if these drinks are in fact diluted down, 
the VOLUME of drinks I serve does not make up for the QUALITY of the drinks I 

Likewise, Every time Symantec issues an EV or OV certificate, they are paid, 
they make money. That's business, but if Symantec then decide not to reinvest 
in their infrastructure to support that business, why on earth should the rest 
of the PKI infrastructure have to give them some sort of special leniency?
> > Google shared this new proposal for Symantec’s CA with the community on May
> > 15. We have since been reviewing this proposal and weighing its merits 
> > against feedback we’ve heard from the broader community, including our CA 
> > customers.

If Symantec customers (who DO NOT KNOW the technical or even broader details of 
the issues at hand) have an nifluence on the way Symantec acts, it's not going 
to be best interest for the wider PKI security because it's doubtful of the 
technical knowledge available to these influncers. 

This whole blog post unfortuantely comes across as Symantec weasel-wording it's 
way out of self improvement or even real acceptance of the bad practise that 
has been documented so far.

Disappointing, but un-surprising. 

I feel Symantec needs the associated potential business penalty of running the 
risk of lost business (which I'm sure they can afford, being the biggest EV and 
OV provider in the world) to remind them, and to underline to them the 
importance of adhereing to the Baseline requirements and keeping the PKI 

dev-security-policy mailing list

Reply via email to