In my opinion, Mozilla's and Google's plans to distrust the Thawte, RapidSSL, GeoTrust, Verisign, and Symantec branded CAs in the browser, should be interpreted as a recommendation to eventually distrust them for all server authentication uses.
If a CA gets distrusted for https, then I think it's fair to equally consider it as no longer acceptable for other services like IMAPS or LDAPS. As Ryan said in another thread, migration of non-https services might take a longer time to migrate. However, based on Jeremy's statement in https://bugzilla.mozilla.org/show_bug.cgi?id=1437826#c3 I'd assume that the customer certificate migration efforts driven by DigiCert should also cover migration of non-https services within a reasonable amount of time, where general purpose client software is used to connect to non-https services. (I'm excluding special purpose hardware with embedded restrictions, and also excluding manually configured server to server configurations.) I conclude that for general purpose client software, that doesn't implement key pinning and doesn't have restrictions on chain length, but which wants to retain the ability to connect to services offered by Apple or Google, the whitelisting for Apple/Google subCAs is the only hindrance for eventual full distrust of the Symantec Root CAs. Are the owners of the Apple and Google subCAs able to announce a date, after which they will no longer require their Symantec-issued subCAs to be whitelisted? Thanks Kai _______________________________________________ dev-security-policy mailing list [email protected] https://lists.mozilla.org/listinfo/dev-security-policy
