Hi Peter,

Ryan is the chain-building expert, and others have deeper knowledge of how the new Symantec/DigiCert PKI is going to work than I do, but here's an attempt to answer your question.

On 27/10/17 16:51, Peter Bowen wrote:
> If DigiCert generates a new online issuing CA on 20 March 2018 and
> cross-signs it using their VeriSign Class 3 Public Primary
> Certification Authority - G5 offline root CA, will certificates from
> this new issuing CA be trusted by Firefox? If so, what are the
> parameters of trust, for example not trusted until the new CA is
> whitelisted by Mozilla or only trusted until a certain date?

Certificates chaining up to Symantec roots, so including that Verisign one, which have notBefore dates after June 2016 (which I assume these would) will continue to be trusted until the full removal of trust in Symantec in October 2018. They may be trusted beyond that if this new issuing CA is one of the ones DigiCert asks us to whitelist for Symantec continuity (the "Managed Partner Infrastructure"). Although I'm generally expecting DigiCert to create and submit a single list of such CAs at one time, rather than submitting them in dribs and drabs.

> What about the same scenario except the new issuing CA is generated on
> 30 June 2019?

As the Verisign root would no longer be in our root store, certs issued by such an issuing CA would no longer ordinarily be trusted. If this were a whitelisted continuity issuing CA, it might still be trusted. If I recall correctly, the future trust parameters for those continuity CAs are undefined by the consensus plan. It says that they will continue to work until any new Symantec hierarchy is in all the root stores, but that was defined before the purchase was mooted. So it seems to me like there is now a question mark here.

Gerv

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
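The trust parameters Gerv lays out above (notBefore after June 2016, full removal in October 2018, a whitelist of continuity issuing CAs with undefined behaviour afterwards) can be written down as a small policy evaluator over a certificate chain. The following is an added example, not code from the thread or from Mozilla's or DigiCert's own implementations. The chain linkage check and the `Cert`, `Trust`, `evaluate_symantec_chain` and `scenario` names are mine; the day of month in the two cut-off dates, the issuing CA name and the root's notBefore are constructed placeholders, since the thread only gives months.

```python
from dataclasses import dataclass
from datetime import date
from enum import Enum
from typing import List, Sequence, Set

# Month-level dates are from the thread; the day of month is an assumption.
NOTBEFORE_CUTOFF = date(2016, 6, 1)  # certs with notBefore after this remain trusted for now
FULL_REMOVAL = date(2018, 10, 1)     # full removal of trust in Symantec roots

SYMANTEC_ROOTS: Set[str] = {
    "VeriSign Class 3 Public Primary Certification Authority - G5",
}


class Trust(Enum):
    TRUSTED = "trusted"
    DISTRUSTED = "distrusted"
    UNDEFINED = "undefined"  # whitelisted continuity CA after full removal: the plan is silent


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    not_before: date


def check_linkage(chain: Sequence[Cert]) -> None:
    """Leaf first, root last: each issuer must name the next subject, root self-signed."""
    if not chain:
        raise ValueError("empty chain")
    for child, parent in zip(chain, chain[1:]):
        if child.issuer != parent.subject:
            raise ValueError(f"{child.subject!r} is not issued by {parent.subject!r}")
    if chain[-1].issuer != chain[-1].subject:
        raise ValueError("chain does not end in a self-signed root")


def evaluate_symantec_chain(chain: Sequence[Cert], continuity_whitelist: Set[str],
                            today: date) -> Trust:
    """Apply the trust parameters described in the thread to a Symantec-anchored chain."""
    check_linkage(chain)
    if chain[-1].subject not in SYMANTEC_ROOTS:
        raise ValueError("these rules apply only to chains anchored in a Symantec root")
    if any(c.not_before < NOTBEFORE_CUTOFF for c in chain[:-1]):
        raise ValueError("pre-June-2016 certificates fall under an earlier phase, not modelled here")
    # Continuity ("Managed Partner Infrastructure") status attaches to an issuing CA,
    # so look for it among the intermediates, not the leaf or the root.
    whitelisted = any(c.subject in continuity_whitelist for c in chain[1:-1])
    if today < FULL_REMOVAL:
        return Trust.TRUSTED      # trusted until the October 2018 removal, whitelist or not
    if whitelisted:
        return Trust.UNDEFINED    # post-removal behaviour is not pinned down by the plan
    return Trust.DISTRUSTED       # root gone from the store and no whitelist entry


# Constructed sample chain: a hypothetical DigiCert issuing CA cross-signed by the G5 root.
ISSUING_CA = "Hypothetical DigiCert Online Issuing CA"
ROOT = "VeriSign Class 3 Public Primary Certification Authority - G5"


def build_chain(issuing_ca_created: date, leaf_issued: date) -> List[Cert]:
    return [
        Cert("www.example.com", ISSUING_CA, leaf_issued),
        Cert(ISSUING_CA, ROOT, issuing_ca_created),
        Cert(ROOT, ROOT, date(2006, 1, 1)),  # root notBefore: constructed placeholder
    ]


def scenario(issuing_ca_created: date, leaf_issued: date, today: date,
             whitelisted: bool) -> Trust:
    whitelist = {ISSUING_CA} if whitelisted else set()
    return evaluate_symantec_chain(build_chain(issuing_ca_created, leaf_issued), whitelist, today)


def thread_scenarios() -> dict:
    """The cases Peter raised, evaluated at a few check dates; outcomes as strings."""
    march = (date(2018, 3, 20), date(2018, 4, 1))   # issuing CA created 20 March 2018
    june = (date(2019, 6, 30), date(2019, 7, 1))    # issuing CA created 30 June 2019
    return {
        "march2018_before_removal": scenario(*march, date(2018, 6, 1), False).value,
        "march2018_after_removal": scenario(*march, date(2018, 11, 1), False).value,
        "march2018_after_removal_whitelisted": scenario(*march, date(2018, 11, 1), True).value,
        "june2019": scenario(*june, date(2019, 8, 1), False).value,
        "june2019_whitelisted": scenario(*june, date(2019, 8, 1), True).value,
    }


if __name__ == "__main__":
    for name, outcome in thread_scenarios().items():
        print(f"{name}: {outcome}")
```

The evaluator deliberately refuses chains that the thread does not cover (non-Symantec roots, pre-June-2016 notBefore) rather than guessing, and it returns `UNDEFINED` for a whitelisted continuity CA after October 2018 because that is exactly the open question Gerv identifies; a real root program would have to resolve that case before shipping.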