> -----Original Message----- > From: dev-security-policy [mailto:dev-security-policy- > bounces+steve_medin=symantec....@lists.mozilla.org] On Behalf Of > Jakob Bohm via dev-security-policy > Sent: Wednesday, July 19, 2017 12:22 PM > To: mozilla-dev-security-pol...@lists.mozilla.org > Subject: Re: [EXT] Symantec Update on SubCA Proposal > > On 19/07/2017 17:31, Steve Medin wrote: > >> -----Original Message----- > >> From: dev-security-policy [mailto:dev-security-policy- > >> bounces+steve_medin=symantec....@lists.mozilla.org] On Behalf Of > >> Jakob Bohm via dev-security-policy > >> Sent: Tuesday, July 18, 2017 4:39 PM > >> To: mozilla-dev-security-pol...@lists.mozilla.org > >> Subject: Re: [EXT] Symantec Update on SubCA Proposal > >> > >> > >> Just for clarity: > >> > >> (Note: Using ISO date format instead of ambiguous local date format) > >> > >> How many Symantec certs issued prior to 2015-06-01 expire after > 2018- > >> 06-01, and how does that mesh with the alternative date proposed > >> below: > >> > >> On 18/07/2017 21:37, Steve Medin wrote: > >>> Correction: Summary item #3 should read: > >>> > >>> 3. May 1, 2018 > >>> a. Single date of distrust of certificates issued prior to 6/1/2016. > >> (changed from August 31,2017 for certificates issued prior to > >> 6/1/2015 and from January 18, 2018 for certificates issued prior to > 6/1/2016). > >>> > > > > Over 34,000 certificates were issued prior to 2015-06-01 and expire after > 2018-06-01. This is in addition to almost 200,000 certificates that would > also need to be replaced under the current SubCA proposal assuming a May > 1, 2018 distrust date. We believe that nine months (from August 1, 2017 to > May 1, 2018) is aggressive but achievable for this transition — a period > minimally necessary to allow for site operators to plan and execute an > orderly transition and to reduce the potential risk of widespread ecosystem > disruption. Nevertheless, we urge the community to consider moving the > proposed May 1, 2018 distrust date out even further to February 1, 2019 > in order to minimize the risk of end user disruption by ensuring that website > operators have a reasonable timeframe to plan and deploy replacement > certificates. > > > > So when and why did Symantec issue 34,000 WebPKI certificates valid > longer than 3 years, that would expire after 2018-06-01 ? > > Are these certificates issued before 2015-04-01 with validity periods longer > than 39 months? > > Are they certificates issued under "special circumstances" ? > > Are they certificates with validity periods between 36 and 39 months? > >
The vast majority of these certificates were issued prior to April 1, 2015 and were subject to the 60 month rule that was in effect at the time of issuance. This population also includes several thousand that are for <39 month validity.
Description: S/MIME cryptographic signature
_______________________________________________ dev-security-policy mailing list email@example.com https://lists.mozilla.org/listinfo/dev-security-policy