Given that we're past the 7/31 deadline and the comments in support of
following Chrome's lead, it sounds likely that that's what's happening. And
I think that's an understandable conclusion for Mozilla to draw, given the
compatibility risk Mozilla would be leading on for at least several months.

However, I think Mozilla should consider the larger precedent being set by
Mozilla deferring to such a significant relaxation in enforcement by Chrome
in such a complete way.

It's quite possible that Chrome's original proposed timetable was too
aggressive, but their final proposed timetable is quite weak, and it seems
like participants here generally agree that a partial distrust date in
December, preceding the holiday season, would be a reasonable conclusion.

I find it particularly disheartening that Symantec has been able to
successfully deploy hardball tactics to obtain more favorable treatment
from Google, and now likely Mozilla. As has been discussed amply on this
list, Symantec engaged the bare minimum necessary with the Mozilla
community, repeatedly missed or just made deadlines, and refused to answer
follow-up questions from community participants.

On at least one occasion, Symantec publicly pressured Mozilla to halt
public discussion about independent enforcement in favor of waiting for
Google's decision, from what appeared to be barely contained glee from
managing to get Google executives involved to slow down the process and
obtain a weaker proposal.

I also want to point out that Symantec's customer communication from around
July 11th, as shared on blink-dev:
https://groups.google.com/a/chromium.org/d/msg/blink-dev/
eUAKwjihhBs/smcHvd2HAgAJ

Instructs their customers to replace all of their certificates issued
before June 2016 by August 8th:


One aspect of Google’s proposal is that starting August 8, 2017, Chrome
would gradually begin mistrusting all Symantec branded certificates issued
before June 1, 2016.

We urge you take prompt action in order to avoid the risk of having your
certificates mistrusted by Google’s Chrome browser. At the end of this
email is an instruction to identify your certificates that are at risk, and
the date which Google has stated they may begin mistrusting them.

We recommend that you replace these certificates prior to August 8, 2017 to
minimize any disruption.


Symantec is referencing dates from a previous Chrome proposal by Ryan
Sleevi:
https://groups.google.com/a/chromium.org/d/msg/blink-dev/
eUAKwjihhBs/ovLalSBRBQAJ

But Chrome's proposal only references August 8th as the date Symantec
should be issuing all certificates from their managed PKI. The proposal
said that existing certs issued before June 2015 would be distrusted on
August 31st, and existing certs issued before June 2016 would be issued in
January 2018.

The net effect of Symantec's customer communication is that Symantec sent
its customers into a low-grade panic by waiting for almost 2 months from
the May proposal date to send them an email that, for most customers,
certainly appears to suggest that in 3 weeks, all their pre-June-2016 certs
will start causing errors.

The Symantec references a list of specific dates per-cert, which presumably
match Chrome's specific proposal, but I can tell you that I have observed
Symantec customers interpret this communication as an impending August 8th
distrust date for existing Symantec certificates in Chrome.

I find it quite plausible that Symantec deliberately encouraged unnecessary
anxiety among their customer base by delaying this notice and overstating
the severity of the distrust event, to validate their arguments about risk
to internet service availability and to strengthen their negotiating
position with Google.

But even if their intent was not quite so bad-faith, Symantec's handling of
this process was at the very least highly disorganized and belligerent, to
the point that I think Mozilla would be within their rights to lose
confidence in Symantec's future participation in the Mozilla root program.

So whatever Mozilla chooses to do, I hope that it reflects Mozilla's
independent assessment of the risk posed to their users by Symantec's
current certificate corpus and their expected participation in the program,
and that it reinforces Mozilla as an independent party in future
negotiations with other members of their root program.

-- Eric

On Fri, Jul 28, 2017 at 2:14 AM, Gervase Markham via dev-security-policy <
dev-security-policy@lists.mozilla.org> wrote:

> Google have made a final decision on the various dates they plan to
> implement as part of the consensus plan in the Symantec matter. The
> message from blink-dev is included below.
>
> Most of the dates have consensus - the dates for Symantec to implement
> the Managed CA infrastructure are agreed by all, and the date for final
> distrust of the old Symantec PKI is agreed by Google and Mozilla (to
> within a week, at any rate). I proposed November 1st 2018. Google has
> gone for October 23rd 2018; in practical terms, we would implement that
> using Firefox 63 (October 16th) or 64 (November 27th).
>
> However, there is some difference in the proposals for the date on which
> browsers should dis-trust Symantec certificates issued before June 1st,
> 2016. This date is significant because after that, Symantec have been
> required to log all their certs to CT and so there is much better
> transparency of issuance practice. I proposed December 1st 2017. Google
> strongly considered late January, but have finally chosen April 17th 2018.
>
> We now have two choices. We can accept the Google date for ourselves, or
> we can decide to implement something earlier. Implementing something
> earlier would involve us leading on compatibility risk, and so would
> need to get wider sign-off from within Mozilla, but nevertheless I would
> like to get the opinions of the m.d.s.p community.
>
> I would like to make a decision on this matter on or before July 31st,
> as Symantec have asked for dates to be nailed down by then in order for
> them to be on track with their Managed CA implementation timetable. If
> no alternative decision is taken and communicated here and to Symantec,
> the default will be that we will accept Google's final proposal as a
> consensus date.
>
> Gerv
>
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy

Reply via email to