On Tuesday, June 6, 2017 at 2:03:29 PM UTC, Gervase Markham wrote:
> 1) Scope of Distrust
> Google proposal: existing CT-logged certificates issued after 1st June
> 2016 would continue to be trusted until expiry.
> Symantec proposal: all CT-logged certificates should continue to be
> trusted until expiry.
> Rationale for change: if transparency is enough to engender trust, that
> principle should be applied consistently. This also significantly
> reduces the revalidation burden.

As mentioned in the other Symantec thread, right now Firefox doesn't do CT so 
notBefore >=2016-06 is the non-CT way of at least partially distrusting the 
old/unknown PKI soon-ish. I don't think it's a good idea to just broaden this 
to 2015-01 unless we know we can do CT by 2018-02. (Not sure if we'd be able to 
defend 2016-06 alone if Google agrees to do 2015-01 though)

Then again, also in the other thread, you said "Mozilla would wish" the old PKI 
to be distrusted "sooner than November 2020" and you "expect it to be some time 
in 2018". Which I found to be a very bold proposition. Has Symantec commented 
on that yet? If not, can you make them? :-) In the event that we actually get 
2018, allowing some older certs for a few more months might be worth conceding. 
A little less technically enforcable risk reduction from 2018-02 to 2018-?? in 
exchange for the "real deal" sooner than expected sounds good.
dev-security-policy mailing list

Reply via email to