On 01.11.2017 00:58, Jeremy Rowley via dev-security-policy wrote:
> A couple of points of clarification (as it seems to have stirred some
> 1. Migration to the DigiCert issuing and validation process only applies to
> certs intended for browser use, meaning the infrastructure may issue code
> signing, email, etc certs post Dec 1. These certs will be validated and
> issued from existing Symantec infrastructure using Symantec validation
> processes, at least until we finish migration to DigiCert.
> 2. When I refer to "infrastructure" I mean Symantec's validation and issuing
> systems related to TLS certificates. We may reuse the front end systems and
> hardware used to provide these systems post day 1. Note that we definitely
> plan to migrate customers to a consolidated experience, but I want to be
> clear and transparent about what is migrating when. Dec 1 is only the TLS

Jeremy, you said the classic Symantec infrastructure may continue to be
used for email certificates.

Because Mozilla maintains trust flags for email security, I conclude
that some of the Symantec Root CAs cannot be removed from the CA list in
October 2018 for Firefox 63, but rather they will have their web site
trust bit removed, only. Is this correct?

If yes, what is the subset of Root CAs that are used for email and must
continue to be included as trusted for email? Is that subset equivalent
to the set of CAs that currently have the email trust bit enabled?

Is there a schedule for the removal of Symantec's email trust bits, or
do you assume that the relevant set of Symantec Root CAs will need to be
trusted for email until they expire?

(Because code signing trust is no longer part of the Mozilla CA store,
the continued issuing of code signing certs using Symantec
infrastructure seems irrelevant for the Mozilla trust store.)