We believe our proposed dates reflect an aggressive but achievable period of time to implement the SubCA proposal and allow impacted organizations the time needed to replace, test and operationalize replacement certificates in their infrastructure to mitigate interoperability and compatibility risk associated with this premature replacement of certificates, which is consistent with the intent of the SubCA proposal. Our proposed dates are informed by the RFP responses and follow-up discussions we have had with our prospective Managed CA partners.
From: Eric Mill [mailto:e...@konklone.com]
Sent: Wednesday, July 19, 2017 3:43 PM
To: Steve Medin <steve_me...@symantec.com>
Cc: mozilla-dev-security-pol...@lists.mozilla.org
Subject: Re: [EXT] Symantec Update on SubCA Proposal

On Wed, Jul 19, 2017 at 11:31 AM, Steve Medin via dev-security-policy <dev-security-policy@lists.mozilla.org> wrote:

> -----Original Message-----
> From: dev-security-policy [mailto:dev-security-policy-bounces+steve_medin=symantec....@lists.mozilla.org] On Behalf Of Jakob Bohm via dev-security-policy
> Sent: Tuesday, July 18, 2017 4:39 PM
> To: mozilla-dev-security-pol...@lists.mozilla.org
> Subject: Re: [EXT] Symantec Update on SubCA Proposal
>
>
> Just for clarity:
>
> (Note: Using ISO date format instead of ambiguous local date format)
>
> How many Symantec certs issued prior to 2015-06-01 expire after 2018-06-01,
> and how does that mesh with the alternative date proposed below:
>
> On 18/07/2017 21:37, Steve Medin wrote:
> > Correction: Summary item #3 should read:
> >
> > 3. May 1, 2018
> > a. Single date of distrust of certificates issued prior to 6/1/2016.
> (changed from August 31, 2017 for certificates issued prior to 6/1/2015 and from January 18, 2018 for certificates issued prior to 6/1/2016).
>

Over 34,000 certificates were issued prior to 2015-06-01 and expire after 2018-06-01. This is in addition to almost 200,000 certificates that would also need to be replaced under the current SubCA proposal assuming a May 1, 2018 distrust date. We believe that nine months (from August 1, 2017 to May 1, 2018) is aggressive but achievable for this transition — a period minimally necessary to allow for site operators to plan and execute an orderly transition and to reduce the potential risk of widespread ecosystem disruption.

Nevertheless, we urge the community to consider moving the proposed May 1, 2018 distrust date out even further to February 1, 2019 in order to minimize the risk of end user disruption by ensuring that website operators have a reasonable timeframe to plan and deploy replacement certificates.

That's pretty close to saying that nothing should happen, since almost all the certificates will have expired by then. That certainly is the least disruptive, but it seems contrary to the intent of the proposal.

-- Eric

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy

--
konklone.com <https://konklone.com> | @konklone <https://twitter.com/konklone>