I broadly echo many of the comments and thoughts of Martin Heaps earlier in 
this thread.

Much of Symantec's response is disheartening, especially in the "inaccuracies": 
(the apparent dichotomy between how they have acted and their statement that 
they only employ the best people implementing best practice to ensure 
compliance, etc.)

There is one aspect, however, which I feel needs the greatest amount of 

Symantec has in multiple aspects raised what I believe to be reasonable 
concerns and doubts regarding the practicality of implementation of the 
proposed out-of-house managed CA transition in a timely fashion.

Symantec has made numerous claims as to necessary qualifications, necessary 
up-scaling, necessary integrations, etc.

Ultimately, I do think that the question which arises is:

Can an already third-party work with Symantec to stand up new infrastructure 
and processes and staffing and integration in a sufficiently timely manner to 
be relevant to this discussion?

If it takes so long to stand this up that Symantec could alternatively stand up 
a new, distinct root CA infrastructure and get that included faster...  does 
it even become relevant to migrate to a managed CA model for a period of time?

How much critical analysis of the potential marketplace and realities of 
achieving such a relationship with another CA and qualification that there 
exist a market of CAs who could timely handle the load, etc. can reasonably be 
performed by the browser programs and/or the larger relying party community?

Is what has been demanded of Symantec reasonable?  Moreover...  What if the 
requested remedy is actually infeasible?  Where does that leave us and where 
does that leave Symantec?  If a managed CA running their issuance for a time is 
demonstrably infeasible in a relevant time frame, what's the fallback position?

dev-security-policy mailing list
