On Wednesday, July 26, 2017 at 10:20:08 AM UTC-7, Alex Gaynor wrote:
> On Tue, Jul 25, 2017 at 4:28 PM, Rick Andrews via dev-security-policy
> wrote:
> 
> > Symantec has proposed timing changes that are consistent with the scope of
> > distrust of the original SubCA proposal as proposed by Google and endorsed
> > by Mozilla, which requires premature replacement of over 234,000
> > certificates based on our proposed May 1, 2018 distrust date for
> > certificates issued before June 1, 2016, and optimizes for replacement
> > certificates to be issued off the new Managed CA(s) infrastructure
> > (avoiding the requirement for double early replacement for the same
> > original validity period). We believe our proposal minimizes disruption to
> > websites and web end-users while meeting the spirit of Google’s and
> > Mozilla’s prior commentary on their intent regarding the SubCA proposal,
> > which is to limit the issuance of Symantec certificates under Symantec’s
> > existing infrastructure and governance.
> >
> 
> Hi Rick,
> 
> Given the importance of this 234,000 number, I was curious to explore.
> Using the list of certificates Peter Bowen previously put together (
> https://groups.google.com/a/chromium.org/d/msg/blink-dev/eUAKwjihhBs/aQqYZX6oBgAJ),
> I ran a small script to filter out ones that expire before May 2018, or
> were issued after June 2016. Using this methodlogy, I got a count of 166k,
> a deviation of ~70k from your number. My 166k includes any certificates
> that have been replaced since Peter put together the list in April, so in
> that sense it likely reflects an over estimate of the number of certs
> needing to be replaced.
> 
> Can you say a little more on how you came to this number?
> 
> Cheers,
> Alex

Our reference to over 234,000 certificates is based on our internal records of 
all active, unrevoked certificates that we issued prior to June 1, 2016 that 
expire after May 1, 2018. The dataset you reference relies on CT logs, which 
includes all active EV certificates Symantec has issued before June 1, 2016, 
but does not include all active, unrevoked OV and DV certificates Symantec has 
issued before June 1, 2016.
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy

Reply via email to