On Tue, Mar 13, 2018 at 11:26 AM, Kai Engert <[email protected]> wrote:
> On 13.03.2018 15:59, Peter Bowen wrote:
>>
>> Which companies, other than Apple and Google, benefit from DigiCert
>> running the Managed Partner Infrastructure and from DigiCert being part
>> of the exclusion list?
>
> An unlimited set. Any company who purchases a certificate from
> DigiCert that is issued by one of the Managed Partner Infrastructure
> CAs benefits.
>
> Thank you very much for this helpful statement.
>
> I understand that previously, the trust of DigiCert Partner CAs was
> enabled by signing from Symantec CAs.
>
> Because the keys of the managed partner CAs were never controlled by
> Symantec, it is deemed acceptable to allow these to remain trusted.
>
> My conclusion is, the blog post is incomplete.
>

I see. As I didn't write the blog post, I certainly can't speak to the intent, but I don't agree with your conclusion.

> IIUC, the blog post should be updated to add DigiCert as another entity
> controlling subordinate CAs on the exception list.
>
> It might be worth mentioning in the article why the exception for these
> subordinate CAs is deemed acceptable.
>

The consensus plan is linked, and explains these steps. Considering the importance of ensuring such posts are widely accessible, adding more detail is regularly shown to be more harmful, rather than helpful, to the overall discussion and migration. For a blog post particularly aimed at helping site operators understand, these nuances about whitelisted CAs only serve to add further problems.

As stated in the blog post, the Consensus Plan was adopted, and that, in addition to the Managed Partner Infrastructure (which is fully covered in the consensus plan), the independently-operated-and-audited Sub-CAs of Apple and Google are being excluded. All of this information is fully factually accurate. The confusion seems to be stemming from reading the blog post while ignoring the Consensus Plan (which is linked).

I'm not trying to be negative, but I'm trying to highlight that the thing you think is missing is addressed (and is linked), and that likely represents an appropriate-level-of-detail for the likely intended audience.

> IMHO, it is important to highlight that Apple and Google aren't the only
> entities that own certificates that will remain valid under the Symantec
> hierarchy.
>

That seems more likely to confuse users than to help.

_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy

