On 28/07/2017 18:36, David E. Ross wrote:
On 7/28/2017 6:34 AM, Alex Gaynor wrote:
Frankly, I was surprised to see Chromium reverse course on this -- they have
a history of aggressive leadership in their handling of CA failures; it's a
little disappointing to see them abandon that.
I'd strongly advocate for us pursuing an earlier date -- December 1st at
the latest. Reasons:
1) Chromium's stated reason for avoiding dates around the holidays makes no
sense -- organizations with change freezes they need to adhere to have a
simple solution: obtain and deploy a new certificate at an earlier date!
They have 4 months between now and December 1st; if you can't deploy a cert
in 4 months, I submit you have larger problems.
2) It is important that CAs not be rewarded for the length of time this
process takes. CAs should be encouraged and rewarded for active
participation and engagement in this list.
3) Mandatory CT (well, mandatory for trust in Chromium) is a significant
win for security and transparency. At the moment, even discussing the
parameters of the distrust is complicated by the fact that we have limited
visibility into the iceberg of their PKI before June 1st, 2016 (see the
other thread where I attempt to discuss the count they provide of
outstanding certs that would be impacted). Given the challenges we know
exist in their legacy PKI, I think it's fair to say that continuing to
trust these certs represents real risk for our users' security.
I strongly agree. The focus must be on protecting end-users, not on
Symantec or on Symantec's customers.
Symantec must know who has subscriber certificates that chain to
Symantec's roots. Those customers could all be notified very quickly
that their certificates are about to be distrusted. Those customers
would then have ample time to obtain and install replacement subscriber
certificates chaining to alternative roots of other certification
As for any disruption of secure transactions, consider the abrupt
termination of DigiNotar when that certification authority was found to
have serious lapses in its operations. The world did not end.
Note that DigiNotar was a country-local CA, not a global CA. The risk
profile (for distrust, not for mis-issuance) was much lower.
Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
dev-security-policy mailing list