On 08/06/2017 18:52, Peter Bowen wrote:
On Thu, Jun 8, 2017 at 9:38 AM, Jakob Bohm via dev-security-policy
<dev-security-policy@lists.mozilla.org> wrote:

As the linked proposal was worded (I am not on Blink mailing lists), it
seemed obvious that the original timeline was:

   Later: Once the new roots are generally accepted, Symantec can actually
issue from the new SubCAs.

   Long term: CRL and OCSP management for the managed SubCAs remain with the
third party CAs.  This continues until the managed SubCAs expire or are

I don't see this last part in the proposal.  Instead the proposal
appears to specifically contemplate the SubCAs being transferred to
Symantec once the new roots are accepted in the required trust stores.

That last part was derived purely from the logistical difficulty of
moving private keys compared to just keeping CRL and OCSP running in an
infrastructure that would keep running anyway (for the hosting CAs own
CA certificates).


Jakob Bohm, CIO, Partner, WiseMo A/S.  https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
dev-security-policy mailing list

Reply via email to