On Wednesday, August 2, 2017 at 2:13:40 PM UTC-7, Jeremy Rowley wrote: > Today, DigiCert and Symantec announced that DigiCert is acquiring the > Symantec CA assets, including the infrastructure, personnel, roots, and > platforms. At the same time, DigiCert signed a Sub CA agreement wherein we > will validate and issue all Symantec certs as of Dec 1, 2017.
Thanks for posting this information here. Pointer to DigiCert's blog: https://www.digicert.com/blog/digicert-to-acquire-symantec-website-security-business/ > Two things I can say we plan on doing (following closing) to address > concerns are: > > a. We plan to segregate certs by type on each root. Going forward, we > will issue all SSL certs from a root while client and email come from > different roots. I would like to see all CAs move in this direction. > We also plan on limiting the number of organizations on > each issuing CA. We hope this will help address the "too big to fail" issue > seen with Symantec. By segregating end entities into roots and sub CAs, the > browsers can add affected Sub CAs to their CRL lists quickly and without > impacting the entire ecosystem. This plan is very much in flux, and we'd > love to hear additional recommendations. I greatly appreciate your consideration in this area! Perhaps there can be different subCAs for large organizations versus smaller/individual site operators (that might be covered as different brands). Of course, I'm always in favor of technically-constrained subCAs for the large organizations. And perhaps one (or more) of the subCAs can be dedicated to short-lived SSL certs, similar to Let's Encrypt? > b. Another thing we are doing is adding a validation OID to all of our > certificates that identifies which of the BR methods were used to issue the > cert. This way the entire community can readily identify which method was > used when issuing a cert and take action if a method is deemed weak or > insufficient. We think this is a huge improvement over the existing > landscape, and I'm very excited to see that OID rolled out. I would like to see all CAs move in this direction as well. Looks like you are going to be very busy! :-) Thanks, and good luck! Kathleen _______________________________________________ dev-security-policy mailing list [email protected] https://lists.mozilla.org/listinfo/dev-security-policy
