On 08/06/2017 11:09, Gervase Markham wrote:
On 07/06/17 22:30, Jakob Bohm wrote:
Potential clarification: By "New PKI", Mozilla apparently refers to the
"Managed CAs", "Transition to a New Symantec PKI" and related parts of
the plan, not to the "new roots" for the "modernized platform" / "new

I expect those things to be interlinked; by "New PKI" I was referring to
them both.

Symantec has not yet stated how they plan to structure their new
arrangements, but I would expect that the intermediate certs run by the
managed CAs would in some way become part of Symantec's new PKI,
operated by them, once it was up and running. Ryan laid out a way
Symantec could structure this on blink-dev, I believe, but the final
structure is up to them.

As the linked proposal was worded (I am not on Blink mailing lists), it seemed obvious that the original timeline was:

August 2017: All new certs issued by Managed SubCAs that chain to the old Symantec roots. Private keys for these SubCAs reside at the third party CAs in secure hardware, which will presumably prevent sharing them with Symantec.

Much later: The new infrastructure passes all readiness audits.

Then: A signing ceremony creates the new roots and their first set of SubCAs. Cross signatures are created from the old roots to the new roots. Maybe/Maybe not cross signatures are also created from the new roots to the managed SubCAs.

Next: Symantec reapplies for inclusion with the new roots.

Later: Once the new roots are generally accepted, Symantec can actually issue from the new SubCAs.

Long term: CRL and OCSP management for the managed SubCAs remain with the third party CAs. This continues until the managed SubCAs expire or are revoked.


Jakob Bohm, CIO, Partner, WiseMo A/S.  https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
dev-security-policy mailing list
