Here are some thoughts from me:

On 06/06/17 15:02, Gervase Markham wrote:
> 1) Scope of Distrust

I have sought more information from Google on this.

> 2) Timeline

I think the question here is, what is our position, and on what basis do
we decide it? If we want to impose an aggressive but achievable
timeline, how do we determine what that is? Who do we ask for a second
opinion? How do we evaluate statements from Symantec?

> 3) SubCA Audit Type

This would be very difficult to agree to without good rationale; section
8 audits are very weak things compared to the normal ones.

> 4) Validation Task Ownership

I have sought more information from Google on this.

> 5) Use of DTPs by SubCA
> 
> Google proposal: SubCAs may not use Delegated Third Parties in the
> validation process for domain names or IP addresses.
> Symantec proposal: SubCAs should be allowed to continue to use them in
> situations where they already do.

Our research in the last CA Communication suggests that only two small
CAs do any form of delegation of domain name or IP address ownership
validation. Therefore, it's not clear why Symantec would need this
ability, and my sense is to say No.

> 6) SubCA Audit Timing

I have sought more information from Google on this.

> 7) Detailed Audits
> 
> Google proposal: Symantec may be requested to provide "SOC2" (more
> detailed) audits of their new infrastructure prior to it being ruled
> acceptable for use.
> Symantec proposal: such audits should be provided only under NDA.
> Rationale: they include detailed information of a sensitive nature.

If these audits are to be useful to Mozilla, we need to be able to make
them available to people of our choosing. They can be behind a login
system, if we are able to give out access credentials as we choose. But
an NDA is not acceptable.

Gerv
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
