Hi Steve, I'm writing to you in your role as the Primary Point of Contact for Symantec with regard to the Mozilla Root Program. I am writing with a list of Mozilla-specific additions to the consensus remediation proposal for Symantec, as documented by Google.
We note that you have raised a number of objections and queries with regard to the consensus proposal. As you know, we are considering our responses to those. We reserve the right to make additional requests of Symantec in relation to any changes which might be made to that proposal, or for other reasons. However, we have formulated an initial list of Mozilla-specific addenda to the consensus proposal and feel now is a good time to pass them on to Symantec for your official consideration and comment. We would prefer comments in mozilla.dev.security.policy (to which this notice has been CCed), and in any event by close of business on Monday 12th June. 1) Mozilla would wish, after the 2017-08-08 date as documented in the consensus proposal, to alter Firefox such that it trusts certificates issued in the "new PKI" directly by embedding a set of certs or trust anchors which are part of that PKI, and can therefore distrust any new cert which is issued by the old PKI on a "notBefore" basis. We therefore require that Symantec arrange their new PKI and provide us with sufficient information in good time to be able to do that. 2) Mozilla would wish, at some point in the future sooner than November 2020 (39 months after 2017-08-08, the date when Symantec need to be doing new issuance from the new PKI), to be certain that we are fully distrusting the old PKI. As things currently stand technically, distrusting the old PKI would mean removing the roots, and so Symantec would have to move their customers to the new PKI at a rate faster than natural certificate expiry. Rather than arbitrarily set a date here, we are willing to discuss what date might be reasonable with Symantec, but would expect it to be some time in 2018. As you know, Firefox currently does not act upon embedded CT information, and so CT-based mechanisms are not a suitable basis for us to determine trust upon. Were that to change, we may be able to consider a continued trust of CT-logged certs, but would still want to dis-trust non-CT-logged certs sooner than November 2020. 3) If any additional audit is performed by Symantec, including but not limited to one that "that includes a description of the auditor’s tests of controls and results", then the intended users of the audit report must also include persons who assist in decisions related to the trusted status of Certification Authorities within Mozilla products. For any audit to unusually detailed criteria, it is permitted to place this information behind a login (or require it to be so placed) as long as Mozilla is allowed to give access to any member of our community that we wish. We look forward to hearing Symantec's response to these requirements. With best wishes, Gerv _______________________________________________ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy
