Inspired by David's message, 2 suggestions for the Symantec plan:

1. Mozilla - and ideally Google as well - should clearly and explicitly communicate in the official statement on this that the "new" Symantec will still be strictly monitored even after the current remediation plan has been implemented. Their issue history still very much counts, potentially resulting in much harsher responses to future policy violations than would be the case for first-time offenders/other CAs. This is to counter the potential misconception (aka marketing) that everything is totally fine now.

2. Having Symantec inform their subscribers, as David mentions, is a great idea. Specifically, I think Symantec should be required to make their subscribers aware of the Mozilla-written(!) statement regarding the future of their CA, soon (<=1 month?) after its release. This is to prevent too many subscribers from getting caught by surprise in the future (see StartCom), to give them a chance to see more than one side, CA view _and_ Mozilla view, and to ensure they know they are Symantec subscribers in the first place (RapidSSL cert chaining to a GeoTrust root bought from some reseller = Symantec? yeah, totally obvious...).

_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy

