On Thu, Mar 1, 2018 at 11:14 AM, Kai Engert <k...@kuix.de> wrote:
> Hello Ryan,
>
> thanks again for this response. The situation appears very complex. I
> might follow up with a couple of clarification questions that are
> hopefully simple to answer. Let me start with this one:
>
> Chromium will whitelist the SPKIs of a "CN=DigiCert Transition ECC Root"
> and a "CN=DigiCert Transition RSA Root" certificate, as found in this
>
> Are there any Apple systems, servers, infrastructure, devices that rely
> on any of these DigiCert transition Root CAs?
>
> Are there any Google systems, servers, infrastructure, devices that
> rely on any of these DigiCert transition Root CAs?
>
> The point of my question is to clarify if the DigiCert transition Roots
> are completely separate from the Apple/Google subCA whitelisting
I'm not sure how to interpret the Apple/Google question, but yes, they are
treated as completely separate.

The distinction here between the "Managed Sub-CA" and "Independently
Operated Sub-CA" goes back to the announced Managed Partner Infrastructure
plan. The Managed Sub-CAs have requirements imposed on them (such as CT or
audit frequency), as part of the risk-mitigation for the Managed Partner
Infrastructure plan, that the IOSCs did not.
dev-security-policy mailing list