The current plan is to create a new root that is cross-signed by each of the four roots we've identified as critical for customers (https://bugzilla.mozilla.org/show_bug.cgi?id=1401384). If Mozilla whitelisted this sub CA, the same as Google's and Apple's, the entire issue around rapid root inclusion would be resolved. Alternatively, we can continue down the embedment path and try to get the new root ubiquitous before the Symantec distrust dates.
I think one outstanding issue is whether we create separate issuing CAs for each of the four major roots or create one new root that is cross-signed by the four roots (delivering the appropriate cross-sign as needed). My preference is to create four sub CAs to simplify the cross-signing and distribution. Jeremy -----Original Message----- From: dev-security-policy [mailto:dev-security-policy-bounces+jeremy.rowley=digicert.com@lists.mozilla .org] On Behalf Of Gervase Markham via dev-security-policy Sent: Tuesday, October 17, 2017 9:01 AM To: r...@sleevi.com; mozilla-dev-security-pol...@lists.mozilla.org Cc: Peter Bowen <pzbo...@gmail.com>; Kathleen Wilson <kwil...@mozilla.com> Subject: Re: Mozilla's Plan for Symantec Roots On 17/10/17 15:50, Ryan Sleevi wrote: > That doesn't seem to line up with the discussion in > https://groups.google.com/d/topic/mozilla.dev.security.policy/_EnH2Ieu > Ztw/discussion to date. Do you have any additional information to > share? > > Note that the path you just described is the one that poses > non-trivial risk to the ecosystem, from an interoperability > standpoint, and thus may not be desirable. This seems to be because I'm not following closely enough. The exact design of complex PKIs is not my area :-) I'm sure the people who are experts will work it all out. But yes, in general, the point of the managed CAs is that they will continue to be trusted, somehow, for some additional period of time. Gerv _______________________________________________ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy
smime.p7s
Description: S/MIME cryptographic signature
_______________________________________________ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy