The original Mozilla plan was to distrust around Sep 2018. We're still planning for that date, but would appreciate it if trust was permitted around a single intermediate (say the DigiCert Global Trust G2 root?). If we need to use a separate root with no other certs as the transition, we could create one. I know my team would prefer it as the Global Trust G2 root is our primary SHA2 root.
-----Original Message----- From: Peter Bowen [mailto:pzbo...@gmail.com] Sent: Wednesday, September 20, 2017 10:21 AM To: Jeremy Rowley <jeremy.row...@digicert.com> Cc: mozilla-dev-security-pol...@lists.mozilla.org Subject: Re: DigiCert-Symantec Announcement On Tue, Sep 19, 2017 at 8:39 PM, Jeremy Rowley via dev-security-policy <dev-security-policy@lists.mozilla.org> wrote: > > The current end-state plan for root cross-signing is provided at > https://bugzilla.mozilla.org/show_bug.cgi?id=1401384. The diagrams there show > all of the existing sub CAs along with the new Sub CAs and root signings > planned for post-close. Some of these don’t have names so they are lumped in > a general “Intermediate” box. > > The Global G2 root will become the transition root to DigiCert for customers > who can’t move fully to an operational DigiCert roots prior to September > 2018. Any customers that require a specific root can use the transition root > for as long as they want, realizing that path validation may be an issue as > Symantec roots are removed by platform operators. Although we cannot > currently move to a single root because of the lack of EV support and trust > in non-Mozilla platforms, we can move to the existing three roots in an > orderly fashion. > > If the agreement closes prior to Dec 1, the Managed CA will never exist. > Instead, all issuance will occur through one of the three primary DigiCert > roots mentioned above with the exception of customers required to use a > Symantec root for certain platforms or pinning. The cross-signed Global root > will be only transitory, meaning we’d hope customers would migrate to the > DigiCert roots once the systems requiring a specific Symantec roots are > deprecated or as path validation errors arise. Jeremy, Am I correct that a key input into this plan was the Mozilla plan to fully remove the Symantec roots from the trust store before then end of 2018? Google seemed to suggest they would keep trusting them for a longer period with a restriction on which subordinate CAs are trusted. Thanks, Peter
smime.p7s
Description: S/MIME cryptographic signature
_______________________________________________ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy
