On 25/07/2017 22:28, Rick Andrews wrote:

You are correct in that most customers are indeed not prepared to deal
with potential crises in the SSL system. We have all witnessed this
first hand with Heartbleed, the replacement of SHA1
certificates, etc. A four month replacement window for a forced
replacement of this magnitude is unprecedented and we know that
things will break. In the recent CA survey, most major CAs reported
that replacing certificates annually is something that many
organizations are not prepared for – a conclusion that is reinforced
by the recent CA/Browser Forum vote rejecting ballot 185, which
proposed to limit the maximum validity of SSL/TLS certificates
issued by all CAs to 13 months. Do you have data leading you to
believe that this replacement can be executed with limited Internet
ecosystem disruption, particularly amongst the largest enterprises
globally whose certificates would be impacted? If so, we would welcome
seeing that data/rationale. The issues that we have all witnessed
with other forced replacement events on much longer timelines indicate
that the community is not yet at a place of automation to deal with
such a transition, especially in a short timeframe. In this case,
forcing a distrust date of December 1, 2017 (vs. our May 1, 2018
distrust date recommendation) for certificates issued prior to
June 1, 2016 increases the total number of premature replacement
certificates that would need to be issued by approximately 50%
and gives website operators substantially less time (4 months vs.
9 months) in which to plan and execute such a replacement. A
December 1, 2017 distrust date for certificates issued prior to
June 1, 2016 would introduce a known, actual, material risk to the
Internet ecosystem given the industry’s prior experience with forced
mass replacement episodes. We do not think the perceived benefit of
accelerating distrust for Symantec certificates issued before
June 1, 2016 from May 1, 2018 to December 1, 2017 (5 months of
validity) can possibly justify the significant ecosystem disruption
that is likely to result from not accepting our proposed May 1, 2018
distrust date for certificates issued before June 1, 2016. We agree
with your public comments on June 19, 2017 that it is not
constructive to get into a date-based "negotiation" over the SubCA
proposal. We have worked backwards from our best estimate for how
long it would take us and our Managed CA partner(s) to implement the
SubCA proposal in a manner that allows for an orderly transition of
Symantec’s existing PKI infrastructure for SSL/TLS certificates to
a Managed CA(s) while minimizing disruption to websites and web
end-users, and have proposed aggressive, yet achievable deadlines
accordingly. As such, while we are willing to go down the SubCA path
overall, we strongly believe that this must be done in a way that
aims to minimize website disruption.

Where exactly was it suggested to distrust certificates issued before
Jun 1, 2016 on December 1, 2017?

So far most of the discussion seems to have been about distrusting
Symantec certs issued after December 1, 2017, at least as I read it.


Jakob Bohm, CIO, Partner, WiseMo A/S.  https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded

dev-security-policy mailing list
