On Tue, Mar 13, 2018 at 8:36 AM, Kai Engert via dev-security-policy <dev-security-policy@lists.mozilla.org> wrote:

> On 12.03.2018 22:19, Kathleen Wilson via dev-security-policy wrote:
> > Wayne and I have posted a Mozilla Security Blog regarding the current
> > plan for distrusting the Symantec TLS certs.
> >
> > https://blog.mozilla.org/security/2018/03/12/distrust-symantec-tls-certificates/
>
> Hello Kathleen and Wayne,
> the blog post says the subCAs controlled by Apple and Google are the
> ONLY exceptions.
> However, the Mozilla Firefox code also treats certain DigiCert subCAs as
> exceptions.
> Based on Ryan Sleevi's recent comments on this list, I had concluded
> that the excluded DigiCert subCAs are used to support companies other
> than Apple and Google. Is my understanding right or wrong?

I think your understanding is incorrect. The DigiCert SubCAs are being
treated as part of the Managed Partner Infrastructure (aka the consensus
plan), and the (cross-signed DigiCert Roots) are excluded to avoid path
building issues in Firefox.

That is, the exclusion of those DigiCert Sub-CAs *is* the consensus plan
referred to - what else could it be?

> Are Apple and Google really the only beneficiaries of the exceptions, or
> should the blog post get updated to mention the additional exceptions?

Do you think the above clarifies?