Hi Jakob, 

Your below description raises two questions of general interest (though not of 
interest to the Mozilla root program):

1. Will DigiCert establish cross-signatures from the old/historic
   Symantec roots to continuing DigiCert roots and subCAs?

[JR]  We won’t be cross-signing from DigiCert to Symantec.  For cross-signs the 
other way, we plan on supporting the community’s needs and would love to hear 
more online and offline about what cross-signs to DigiCert are needed for 
compatibility and interoperability. Mozilla proposed distrusting Symantec’s 
roots in 2018 so we’ll work towards that goal. Once it’s removed, the one-way 
trust from Symantec to DigiCert will fall out of scope.  Prior to that, the 
cross-sign will be operated per the BRs and subject to the Google and Mozilla 

2. Will DigiCert continue those Symantec services that were not trusted
   by Mozilla/Google and which have no functional alternative elsewhere.

   This includes a number of situations where Microsoft and other
   companies are enforcing that things are signed exclusively by specific
   Symantec issuance systems.  Known examples include: The original SHA-1
   time stamping service for code signing (needed for compatibility with
   older Windows and Internet Explorer versions).  The special signing
   portal for Windows Mobile (the original product line, not the new
   renamed Windows 10 Phone product line).  The "hosted" signing service
   for Android Apps.  Possibly any remnants of the Geotrust-based
   services for the old Nokia platforms (Symbian S60 etc.). Etc.

[JR] As you mentioned, none of these are trusted by Mozilla or Google so that 
discussion is better held elsewhere.  However, I can say that we plan to 
support Symantec communities to the extent possible.  The only planned 
deprecation is the Symantec publicly-trusted Web PKI.  



dev-security-policy mailing list
