On 08/06/2017 11:09, Gervase Markham wrote:
> On 07/06/17 22:30, Jakob Bohm wrote:
>> Potential clarification: By "New PKI", Mozilla apparently refers to the
>> "Managed CAs", "Transition to a New Symantec PKI" and related parts of
>> the plan, not to the "new roots" for the "modernized platform" / "new
> I expect those things to be interlinked; by "New PKI" I was referring to
> Symantec has not yet stated how they plan to structure their new
> arrangements, but I would expect that the intermediate certs run by the
> managed CAs would in some way become part of Symantec's new PKI,
> operated by them, once it was up and running. Ryan laid out a way
> Symantec could structure this on blink-dev, I believe, but the final
> structure is up to them.
As the linked proposal was worded (I am not on Blink mailing lists), it
seemed obvious that the original timeline was:
August 2017: All new certs issued by Managed SubCAs that chain to the
old Symantec roots. Private keys for these SubCAs reside at the third
party CAs in secure hardware, which will presumably prevent sharing them
Much later: The new infrastructure passes all readiness audits.
Then: A signing ceremony creates the new roots and their first set of
SubCAs. Cross signatures are created from the old roots to the new
roots. Maybe/Maybe not cross signatures are also created from the new
roots to the managed SubCAs.
Next: Symantec reapplies for inclusion with the new roots.
Later: Once the new roots are generally accepted, Symantec can
actually issue from the new SubCAs.
Long term: CRL and OCSP management for the managed SubCAs remain with
the third party CAs. This continues until the managed SubCAs expire or
Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
dev-security-policy mailing list