On 01.03.2018 18:45, Ryan Sleevi via dev-security-policy wrote: >> >> The point of my question is to clarify, if the DigiCert transition Roots >> are completely separate from the Apple/Google subCA whitelisting >> requirements. >> > > I'm not sure how to interpret the Apple/Google question, but yes, they are > treated as completely separate.
I'm trying to have a clearer understanding about "who needs what". Let me reword it. Google requests that certain subCA SPKIs are whitelisted, to ensure continued trust of Symantec-issued certificates that are used by infrastructure that is operated by Google. Is whitelisting the SPKI found in the Google subCA sufficient to achieve the need of trusting Google's server infrastructure? I assume the answer is yes. If I'm right, and the answer is "yes", then it means that whitelisting the SPKIs from the DigiCert transition Roots isn't required for Google's servers. It's required for continued trust of other, non-Google server systems. Or rephrasing again: There are no Google servers that use certificates from DigiCert's Managed Partner Infrastructure. I further assume that it's possible to replace the word Google with the word Apple in all previous paragraphs, and the statements are still correct. Thanks Kai _______________________________________________ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy