Is it practical to remove the Symantec root certificates and (temporarily) add the Google and Apple intermediates to the trust store? This should facilitate removing trust in Symantec without disruption.
Alex On Thu, Mar 1, 2018 at 10:15 AM, Kai Engert via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > In my opinion, Mozilla's and Google's plans to distrust the Thawte, > RapidSSL, GeoTrust, Verisign, and Symantec branded CAs in the browser, > should be interpreted as a recommendation to eventually distrust them > for all server authentication uses. > > If a CA gets distrusted for https, then I think it's fair to equally > consider it as no longer acceptable for other services like IMAPS or LDAPS. > > As Ryan said in another thread, migration of non-https services might > take a longer time to migrate. However, based on Jeremy's statement in > https://bugzilla.mozilla.org/show_bug.cgi?id=1437826#c3 > I'd assume that the customer certificate migration efforts driven by > DigiCert should also cover migration of non-https services within a > reasonable amount of time, where general purpose client software is used > to connect to non-https services. > > (I'm excluding special purpose hardware with embedded restrictions, and > also excluding manually configured server to server configurations.) > > I conclude that for general purpose client software, that doesn't > implement key pinning and doesn't have restrictions on chain length, but > which wants to retain the ability to connect to services offered by > Apple or Google, the whitelisting for Apple/Google subCAs is the only > hindrance for eventual full distrust of the Symantec Root CAs. > > Are the owners of the Apple and Google subCAs able to announce a date, > after which they will no longer require their Symantec-issued subCAs to > be whitelisted? > > Thanks > Kai > _______________________________________________ > dev-security-policy mailing list > dev-security-policy@lists.mozilla.org > https://lists.mozilla.org/listinfo/dev-security-policy > _______________________________________________ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy
