Hey Peter,
I think the Mozilla and Google plans both stand as-is, although probably need
an update based on this announcement. I'm hoping that the high-level concepts
remain unchanged:
- Migrate to a new infrastructure
- Audit the migration and performance to ensure compliance
- Improve operational transparency so the community has assurances on what
is happening.
Jeremy
From: dev-security-policy
[mailto:dev-security-policy-bounces+jeremy.rowley=digicert....@lists.mozilla.org]
On Behalf Of Peter Kurrasch via dev-security-policy
Sent: Wednesday, August 2, 2017 8:01 PM
To: mozilla-dev-security-policy <[email protected]>
Subject: Re: DigiCert-Symantec Announcement
This certainly shakes things up! I've had my concerns that Symantec's plan was
complicated and risky, but now I'm wondering if this new path will be somewhat
simpler--yet even more risky? I'm not suggesting we shouldn't take this path
but I am hoping we make smart, well-thought-out decisions along the way.
Some thoughts:
* Will there be other players in Symantec's SubCA plan or is DigiCert the only
one?
* Is DigiCert prepared (yet?) to commit to a "first day of issuance" under the
SubCA plan? That is, when is the earliest date that members of the general
public may purchase certs that chain up through the new "DigiCert SubCA" to any
of the Symantec roots? I hope that, for issues that may arise under the new
system, there is sufficient time to identify and resolve them prior to the
2017-12-01 deadline.
* I think the idea of a smart segregation plan for the roots and intermediates
is a must-have. Such a plan should factor in the clientele who are using the
different roots and the environments in which they operate. Given how important
the "ubiquitous roots" are, I would hope to see community involvement and
"sign-off", if you will.
* I think it's appropriate to re-think some of the deadlines, given that we're
talking less about a carrots-and-sticks model and more of one based on smart
decision-making, good risk management, and sticks.
Finally, when I went to read the DigiCert blog post, I noticed that John
Merrill's link for the agreement announcement was a dud. I don't know why but I
really don't care either. I think it serves as a reminder that mistakes are
going to be made during this process so it's best to make allowances for that
in the plans going forward. That, and attention to detail is important.
Thanks.
_______________________________________________ dev-security-policy mailing list [email protected] https://lists.mozilla.org/listinfo/dev-security-policy

