On Tuesday, 25 July 2017 21:29:06 UTC+1, Rick Andrews  wrote:
> The details of this process would probably be best served in a separate 
> thread. Essentially, such a process would involve a quick assessment by the 
> community on the context and merits of the request by the customer

You want us to do Symantec's job, for which Symantec will get paid, in order to 
preserve Symantec's ongoing revenue stream despite Symantec screwing up badly 
to get themselves into this mess ?

Counter proposal: When a customer runs into such a remarkable "exception", 
Symantec pays them $5000 or fully refunds their last year of Symantec services, 
whichever is more, and encourages them to go use the money to choose a 
different CA where they might not need "exceptions" all the time. Maybe you can 
get Symantec's lawyers to make acceptance of the $5000 conditional on agreeing 
not to sue once they understand how much trouble Symantec's incompetence has 
caused for them.

> We may be more aligned on this point than your response suggests. We are in 
> agreement with you that we will cease issuing certificates under the existing 
> infrastructure and governance on December 1, 2017. At that point you could 
> stop accepting the issuance of new certificates off the existing 
> infrastructure and PKI. (See our last reply to this thread where we confirmed 
> this point, but asked for an exception process.) Our point here is that if 
> you also make December 1, 2017 the "distrust date" for all certificates 
> issued off of Symantec’s current PKI before June 1, 2016 then, in effect, you 
> will be forcing all customers to "double down" on the existing Symantec PKI

No there is no need to "double down". Your customers can and should switch to a 
CA which doesn't have a long history of "problems" due to inadequate oversight. 
Trying to retain your customer base is a commercial problem for Symantec, not a 
Web PKI trust problem. This is not "Keep Symantec being like, totally stoked 
about, like, the general vibe and stuff".

> We look forward to the broader community weighing in on this. We urge the 
> community to validate our points, especially the website operators that are 
> being forced to execute this plan. The implementation of a forced plan that 
> introduces material risks on an unrealistic timeline is inappropriate and 
> dangerous.

The underlying cause here is Symantec. This isn't a systemic problem, it's a 
Symantec problem, the only "website operators" affected are those who foolishly 
trusted Symantec to run a CA properly. A reasonable question for such website 
operators to ask would be: Where's the press release listing all the board 
members and other core leadership who were terminated as a result of their 
failure to execute their only task, providing oversight for the business so 
that it doesn't blunder into such problems ? Where's the communication from 
Symantec warning me that their failings may cause my business massive 
inconvenience and I should begin planning now to move to a different CA to 
avoid that ?
dev-security-policy mailing list

Reply via email to