On Friday, 28 July 2017 08:15:43 UTC+2, Gervase Markham wrote:
> Google have made a final decision on the various dates they plan to
> implement as part of the consensus plan in the Symantec matter. The
> message from blink-dev is included below.
> 
> Most of the dates have consensus - the dates for Symantec to implement
> the Managed CA infrastructure are agreed by all, and the date for final
> distrust of the old Symantec PKI is agreed by Google and Mozilla (to
> within a week, at any rate). I proposed November 1st 2018. Google has
> gone for October 23rd 2018; in practical terms, we would implement that
> using Firefox 63 (October 16th) or 64 (November 27th).
> 
> However, there is some difference in the proposals for the date on which
> browsers should dis-trust Symantec certificates issued before June 1st,
> 2016. This date is significant because after that, Symantec have been
> required to log all their certs to CT and so there is much better
> transparency of issuance practice. I proposed December 1st 2017. Google
> strongly considered late January, but have finally chosen April 17th 2018.
> 
> We now have two choices. We can accept the Google date for ourselves, or
> we can decide to implement something earlier. Implementing something
> earlier would involve us leading on compatibility risk, and so would
> need to get wider sign-off from within Mozilla, but nevertheless I would
> like to get the opinions of the m.d.s.p community.
> 
> I would like to make a decision on this matter on or before July 31st,
> as Symantec have asked for dates to be nailed down by then in order for
> them to be on track with their Managed CA implementation timetable. If
> no alternative decision is taken and communicated here and to Symantec,
> the default will be that we will accept Google's final proposal as a
> consensus date.
> 
> Gerv

I can understand that it would be safest (from the point of PR) to remove their 
roots more or less at the same time as Chrome. But the simple fact that 
Symantec is still playing "too big to fail" shows that THEY will not do what is 
in the interest of the browser users... Browsers and browser users will 
therefore have to fend for themselves. I'd say allowing them until November 1st 
is a very generous implementation of "some time in 2018" and will have to do 
for them. After all they have been dragging their feet for months now. They 
could actually have used all that wasted time... ;-)

CU Hans
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
