Here are some thoughts from me:

On 06/06/17 15:02, Gervase Markham wrote:
> 1) Scope of Distrust

I have sought more information from Google on this.

> 2) Timeline

I think the question here is, what is our position, and on what basis do
we decide it? If we want to impose an aggressive but achievable
timeline, how do we determine what that is? Who do we ask for a second
opinion? How do we evaluate statements from Symantec?

> 3) SubCA Audit Type

This would be very difficult to agree to without good rationale; section
8 audits are very weak things compared to the normal ones.

> 4) Validation Task Ownership

I have sought more information from Google on this.

> 5) Use of DTPs by SubCA
> Google proposal: SubCAs may not use Delegated Third Parties in the
> validation process for domain names or IP addresses.
> Symantec proposal: SubCAs should be allowed to continue to use them in
> situations where they already do.

Our research in the last CA Communication suggests that only two small
CAs do any form of delegation of domain name or IP address ownership
validation. Therefore, it's not clear why Symantec would need this
ability, and my sense is to say No.

> 6) SubCA Audit Timing

I have sought more information from Google on this.

> 7) Detailed Audits
> Google proposal: Symantec may be requested to provide "SOC2" (more
> detailed) audits of their new infrastructure prior to it being ruled
> acceptable for use.
> Symantec proposal: such audits should be provided only under NDA.
> Rationale: they include detailed information of a sensitive nature.

If these audits are to be useful to Mozilla, we need to be able to make
them available to people of our choosing. They can be behind a login
system, if we are able to give out access credentials as we choose. But
an NDA is not acceptable.

dev-security-policy mailing list

Reply via email to