On Tue, Feb 13, 2018 at 4:40 PM, Kai Engert via dev-security-policy <
dev-security-policy@lists.mozilla.org> wrote:
> For the second distrust phase in Autumn 2018, assume that all Symantec
> customers (excluding the managed CAs that are covered by the whitelisted
> subCA SPKIs) have been fully migrated off of the old CA hierarchies.
> This assumption isn't limited to SSL/TLS server certificates used for
> services intended to be consumed by web browsers, but includes all
> SSL/TLS server certificates, including those used for non-https services
> (e.g. email or LDAP servers).

I think this sounds pretty risky.

> Based on this assumption, follow Mozilla's plan to fully remove all
> SSL/TLS trust flags from most Symantec Roots. The exceptions are the
> three GeoTrust Roots, that have been used to issue the subCAs that
> require special whitelisting in browsers. Because I don't expect such
> whitelisting to get implemented broadly in non-browser software on
> Fedora Linux, use the following approach: Continue to fully trust these
> three GeoTrust Roots for SSL/TLS, for as long as Mozilla continues to
> keep the subCA whitelisting active.

So, I think this is conflating the "Independently Operated Sub-CAs" (of
Google and Apple) with the "Managed Partner Infrastructure" of DigiCert.

Using your proposed plan, you are also proposing to distrust the Managed
Partner Infrastructure at that date (by not maintaining any of the other
roots). That is a very different plan than I think what others have
publicly commented on to date. It's unclear to me whether 100% of
DigiCert's Managed Partner Infrastructure issued certificates will have
transitioned at this time, and what impact that may have.

> Does this sound like a reasonable strategy?

Given the above concerns, I think that sounds rather substantially
different than what's been announced as part of the Managed Partner
Infrastructure transition document, and may be riskier.

> > Separate from this, DigiCert was selected as the Managed Partner
> > Infrastructure for Symantec. Setting aside the acquisition of Symantec's
> > PKI business, DigiCert is running sub-CAs underneath Symantec roots, to
> > issue certificates for customers to enable them to make a smooth and
> > orderly transition to other CAs - including DigiCert's own roots.
> Does this mean, there are additional organizations (besides Apple,
> Google and DigiCert) that have been assigned subCAs, that are operated
> by DigiCert, which were previously depending on the Symantec Roots, and
> which are now being migrated by DigiCert to DigiCert Roots?

No, but it means that there are DigiCert-operated Intermediates under
non-GeoTrust roots that are being used to actively issue certificates which
are trusted in Chrome today, as part of the Managed Partner Infrastructure,
and which do not chain to DigiCert roots, but Symantec roots.