Hi Jeremy, Will the certificates being issued for Symantec starting December 1st be issued under the existing DC roots, or under new roots?
Alex

On Wed, Aug 2, 2017 at 5:12 PM, Jeremy Rowley via dev-security-policy <[email protected]> wrote:
> Hi everyone,
>
> Today, DigiCert and Symantec announced that DigiCert is acquiring the Symantec CA assets, including the infrastructure, personnel, roots, and platforms. At the same time, DigiCert signed a Sub CA agreement wherein we will validate and issue all Symantec certs as of Dec 1, 2017. We are committed to meeting the Mozilla and Google plans in transitioning away from the Symantec infrastructure. The deal is expected to close near the end of the year, after which we will be solely responsible for operation of the CA. From there, we will migrate customers and systems as necessary to consolidate platforms and operations while continuing to run all issuance and validation through DigiCert. We will post updates and plans to the community as things change and progress.
>
> I wanted to post to the Mozilla dev list to:
>
> 1. Inform the public,
> 2. Get community feedback about the transition and concerns, and
> 3. Get an update from the browsers on what this means for the plan, noting that we fully commit to the stated deadlines. We're hoping that any changes
>
> Two things I can say we plan on doing (following closing) to address concerns are:
>
> a. We plan to segregate certs by type on each root. Going forward, we will issue all SSL certs from a root while client and email come from different roots. We also plan on limiting the number of organizations on each issuing CA. We hope this will help address the "too big to fail" issue seen with Symantec. By segregating end entities into roots and sub CAs, the browsers can add affected Sub CAs to their CRL lists quickly and without impacting the entire ecosystem. This plan is very much in flux, and we'd love to hear additional recommendations.
> b. Another thing we are doing is adding a validation OID to all of our certificates that identifies which of the BR methods were used to issue the cert. This way the entire community can readily identify which method was used when issuing a cert and take action if a method is deemed weak or insufficient. We think this is a huge improvement over the existing landscape, and I'm very excited to see that OID rolled out.
>
> Thanks a ton for any thoughts you offer.
>
> Jeremy
>
> _______________________________________________
> dev-security-policy mailing list
> [email protected]
> https://lists.mozilla.org/listinfo/dev-security-policy
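As an added illustration of the validation-method OID idea in Jeremy's message (example code, not from DigiCert or from this thread): a self-contained decoder for a DER-encoded certificatePolicies extension value that lists the policy OIDs in a certificate and flags any that a relying party has mapped to a validation method it considers weak. It assumes the method is signalled as a policyIdentifier; the `1.3.6.1.4.1.99999.*` arc and the `WEAK_METHODS` mapping are constructed placeholders, while `2.23.140.1.2.2` is the CA/Browser Forum OV policy identifier.

```python
# Added example: minimal DER handling for certificatePolicies so a relying
# party can pull the policy OIDs out of a cert and act on a weak method.
# The encoder exists only to build sample input offline; the OID arc under
# 1.3.6.1.4.1.99999 and the WEAK_METHODS labels are constructed placeholders.

def encode_oid(dotted: str) -> bytes:
    """DER-encode an OBJECT IDENTIFIER (tag 0x06) from dotted form."""
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([40 * arcs[0] + arcs[1]])      # first two arcs share a byte
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]                        # base-128, high bit = continuation
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        body.extend(reversed(chunk))
    return bytes([0x06, len(body)]) + bytes(body)

def encode_seq(content: bytes) -> bytes:
    """DER SEQUENCE (tag 0x30); short-form length suffices for sample data."""
    assert len(content) < 128
    return bytes([0x30, len(content)]) + content

def encode_certificate_policies(oids) -> bytes:
    """certificatePolicies ::= SEQUENCE OF PolicyInformation { policyIdentifier }"""
    return encode_seq(b"".join(encode_seq(encode_oid(o)) for o in oids))

def decode_oid(body: bytes) -> str:
    """Inverse of encode_oid, taking the OID content octets (no tag/length)."""
    first = body[0]
    arcs = [first // 40, first % 40] if first < 80 else [2, first - 80]
    value = 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:                            # last byte of this arc
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def policy_oids(ext_value: bytes):
    """Walk the outer SEQUENCE and return each PolicyInformation's policyIdentifier."""
    assert ext_value[0] == 0x30
    pos, end, found = 2, 2 + ext_value[1], []
    while pos < end:
        assert ext_value[pos] == 0x30               # PolicyInformation
        inner_len = ext_value[pos + 1]
        oid_tlv = ext_value[pos + 2: pos + 2 + inner_len]
        assert oid_tlv[0] == 0x06                   # policyIdentifier comes first
        found.append(decode_oid(oid_tlv[2: 2 + oid_tlv[1]]))
        pos += 2 + inner_len
    return found

# Constructed: a relying party's list of method OIDs it no longer accepts.
WEAK_METHODS = {"1.3.6.1.4.1.99999.1.3.1": "placeholder: deprecated BR validation method"}

def flag_weak(ext_value: bytes):
    """Map each policy OID found in the extension to its weak-method label, if any."""
    return {o: WEAK_METHODS[o] for o in policy_oids(ext_value) if o in WEAK_METHODS}

SAMPLE = encode_certificate_policies(["2.23.140.1.2.2", "1.3.6.1.4.1.99999.1.3.1"])
```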

