The current plan is to create a new root that is cross-signed by each of the
four roots we've identified as critical for customers
(https://bugzilla.mozilla.org/show_bug.cgi?id=1401384). If Mozilla
whitelisted this sub CA, the same as Google's and Apple's, the entire issue
around rapid root inclusion would be resolved. Alternatively, we can
continue down the embedment path and try to get the new root ubiquitous
before the Symantec distrust dates.  

I think one outstanding issue is whether we create separate issuing CAs for
each of the four major roots or create one new root that is cross-signed by
the four roots (delivering the appropriate cross-sign as needed). My
preference is to create four sub CAs to simplify the cross-signing and
distribution.

Jeremy
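A constructed walk-through of the layout sketched above (one new root, cross-signed by the legacy roots, with the matching cross-sign delivered per trust store); this is an added example, not DigiCert's or Mozilla's material, and it assumes only the openssl CLI, two throwaway roots named legacyA and legacyB standing in for the four production roots, and made-up names such as example.test.

```shell
#!/bin/sh
# Constructed demo: a new root cross-signed by legacy roots. All keys and
# names are throwaway; nothing here is DigiCert's or Mozilla's material.
set -e
WORK=$(mktemp -d)
cd "$WORK"
# Extensions for every CA certificate, self-signed and cross-signed alike.
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\nsubjectKeyIdentifier=hash\n' > ca.ext
# Leaf extensions: AKID by key id only, so it matches every cert over the new root's key.
printf 'basicConstraints=CA:FALSE\nauthorityKeyIdentifier=keyid\n' > leaf.ext

build_pki() {
  # Legacy roots: self-signed, and the only things a browser trust store holds.
  for r in legacyA legacyB; do
    openssl req -new -newkey rsa:2048 -nodes -keyout $r.key -out $r.csr -subj "/CN=$r Root" 2>/dev/null
    openssl x509 -req -in $r.csr -signkey $r.key -days 30 -extfile ca.ext -out $r.crt 2>/dev/null
  done
  # New root: one key pair and one CSR, but several certificates over the same subject and key.
  openssl req -new -newkey rsa:2048 -nodes -keyout newroot.key -out newroot.csr -subj "/CN=New Root" 2>/dev/null
  openssl x509 -req -in newroot.csr -signkey newroot.key -days 30 -extfile ca.ext -out newroot-self.crt 2>/dev/null
  for r in legacyA legacyB; do
    openssl x509 -req -in newroot.csr -CA $r.crt -CAkey $r.key -CAcreateserial -days 30 -extfile ca.ext -out newroot-by-$r.crt 2>/dev/null
  done
  # Leaf issued once under the new root's key; its issuer name matches all three new-root certs.
  openssl req -new -newkey rsa:2048 -nodes -keyout leaf.key -out leaf.csr -subj "/CN=example.test" 2>/dev/null
  openssl x509 -req -in leaf.csr -CA newroot-self.crt -CAkey newroot.key -CAcreateserial -days 30 -extfile leaf.ext -out leaf.crt 2>/dev/null
}

# verify_chain TRUST_ANCHOR CROSS_SIGN LEAF: exit 0 if a path to the anchor exists, 1 otherwise.
verify_chain() {
  openssl verify -CAfile "$1" -untrusted "$2" "$3" >/dev/null 2>&1
}

build_pki
verify_chain legacyA.crt newroot-by-legacyA.crt leaf.crt && echo "legacyA store + legacyA cross-sign: path found"
verify_chain legacyB.crt newroot-by-legacyB.crt leaf.crt && echo "legacyB store + legacyB cross-sign: path found"
verify_chain newroot-self.crt newroot-by-legacyA.crt leaf.crt && echo "new root already in store: cross-sign not needed"
verify_chain legacyB.crt newroot-by-legacyA.crt leaf.crt || echo "legacyB store + legacyA cross-sign only: no path"
```

The last line is the case the "delivering the appropriate cross-sign as needed" clause guards against: a server that ships the wrong cross-sign leaves a client with only that legacy root and no path to build.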

-----Original Message-----
From: dev-security-policy
[mailto:dev-security-policy-bounces+jeremy.rowley=digicert.com@lists.mozilla.org] On Behalf Of Gervase Markham via dev-security-policy
Sent: Tuesday, October 17, 2017 9:01 AM
To: r...@sleevi.com; mozilla-dev-security-pol...@lists.mozilla.org
Cc: Peter Bowen <pzbo...@gmail.com>; Kathleen Wilson <kwil...@mozilla.com>
Subject: Re: Mozilla's Plan for Symantec Roots

On 17/10/17 15:50, Ryan Sleevi wrote:
> That doesn't seem to line up with the discussion in 
> https://groups.google.com/d/topic/mozilla.dev.security.policy/_EnH2Ieu
> Ztw/discussion to date. Do you have any additional information to 
> share?
> 
> Note that the path you just described is the one that poses 
> non-trivial risk to the ecosystem, from an interoperability 
> standpoint, and thus may not be desirable.

This seems to be because I'm not following closely enough. The exact design
of complex PKIs is not my area :-) I'm sure the people who are experts will
work it all out.

But yes, in general, the point of the managed CAs is that they will continue
to be trusted, somehow, for some additional period of time.

Gerv
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
