On Tue, Mar 13, 2018 at 11:26 AM, Kai Engert <k...@kuix.de> wrote:

> On 13.03.2018 15:59, Peter Bowen wrote:
> >>
> >> Which companies, other than Apple and Google, benefit from DigiCert
> >> running the Managed Partner Infrastructure and from DigiCert being part
> >> of the exclusion list?
> >
> > An unlimited set.  Any company who purchases a certificate from
> > DigiCert that is issued by one of the Managed Partner Infrastructure
> > CAs benefits.
> Thank you very much for this helpful statement.
> I understand that previously, the trust of DigiCert Partner CAs was
> enabled by signing from Symantec CAs.
> Because the keys of the managed partner CAs were never controlled by
> Symantec, it is deemed acceptable to allow these to remain trusted.
> My conclusion is, the blog post is incomplete.

I see. As I didn't write the blog post, I certainly can't speak to the
intent, but I don't agree with your conclusion.

> IIUC, the blog post should be updated to add DigiCert as another entity
> controlling subordinate CAs on the exception list.
> It might be worth mentioning in the article why the exception for these
> subordinate CAs is deemed acceptable.

The consensus plan is linked, and explains these steps. Considering the
importance of ensuring such posts are widely accessible, adding more detail
is regularly shown to be more harmful, rather than helpful, to the overall
discussion and migration.

For a blog post particularly aimed at helping site operators understand,
these nuances about whitelisted CAs only serve to add further problems. As
stated in the blog post, the Consensus Plan was adopted, and that, in
addition to the Managed Partner Infrastructure (which is fully covered in
the consensus plan), the independently-operated-and-audited Sub-CAs of
Apple and Google are being excluded.

All of this information is fully factually accurate. The confusion seems to
be stemming from reading the blog post while ignoring the Consensus Plan
(which is linked). I'm not trying to be negative, but I'm trying to
highlight that the thing you think is missing is addressed (and is linked),
and that likely represents an appropriate level of detail for the likely
intended audience.

> IMHO, it is important to highlight that Apple and Google aren't the only
> entities that own certificates that will remain valid under the Symantec
> hierarchy.

That seems more likely to confuse users than to help.
dev-security-policy mailing list