We want to share the latest update on the Symantec distrust plan and seek input from the community. Below is a high-level summary:

The majority of root program operators plan to either partially or fully distrust Symantec roots by Q3 CY 2018, and no later than Q2 CY 2019. All TLS certificates issued from these roots will be impacted. Please see the list of roots below. We've contacted all of the impacted customers so everyone should be fully aware of the need at this point, even if some subscribers are waiting to replace their certificates until after the summer.

Key Dates

- March 2018 - Beginning of phased removal of trust by root program operators for Symantec TLS certificates issued prior to June 1, 2016.
- October 2018 - Full removal of trust of Symantec-issued TLS certificates by root program operators.
- By no later than Q2 CY 2019 - Full removal of Symantec-issued TLS certificates from all major root program operators.

The cert transition extends beyond TLS certificates, and we plan to migrate most publicly-trusted non-TLS certificate issuance to DigiCert roots on October 1st. However, the exception list of customers unable to migrate S/MIME certificates will be larger than the TLS-side as these certificates are often used with government ID cards or in facilities without ready access. We'll work with these customers to replace their issuing CAs with DigiCert issuing CAs so all certificates going forward will chain to one of the ten DigiCert root certificates.

I'd definitely love the feedback on the above and public comments.

Impacted Roots and Usage:

| Root | EKU |
|------|-----|
| GeoTrust Global CA | Server Authentication; Client Authentication; Secure Email; Code Signing; Time Stamping |
| GeoTrust Global CA 2 | Server Authentication; Client Authentication; Code Signing; Secure Email; Time Stamping |
| GeoTrust Primary Certification Authority | Server Authentication; Client Authentication; Secure Email; Code Signing |
| GeoTrust Primary Certification Authority - G2 | Server Authentication; Client Authentication; Secure Email; Code Signing; Time Stamping |
| GeoTrust Primary Certification Authority - G3 | Server Authentication; Client Authentication; Secure Email; Code Signing; Time Stamping |
| GeoTrust Universal CA | Server Authentication; Client Authentication; Secure Email; Code Signing; Time Stamping |
| GeoTrust Universal CA 2 | Server Authentication; Client Authentication; Code Signing; Secure Email; Time Stamping |
| Symantec Class 1 Public Primary Certification Authority - G4 | Client Authentication; Secure Email |
| Symantec Class 1 Public Primary Certification Authority - G6 | Client Authentication; Secure Email |
| Symantec Class 2 Public Primary Certification Authority - G4 | Client Authentication; Secure Email |
| Symantec Class 2 Public Primary Certification Authority - G6 | Client Authentication; Secure Email |
| Symantec Class 3 Public Primary Certification Authority - G4 | Server Authentication; Client Authentication; Secure Email; Code Signing; Time Stamping |
| Symantec Class 3 Public Primary Certification Authority - G6 | Server Authentication; Client Authentication; Secure Email; Code Signing; Time Stamping |
| thawte Primary Root CA | Server Authentication; Client Authentication; Secure Email; Code Signing |
| thawte Primary Root CA - G2 | Server Authentication; Client Authentication; Secure Email; Code Signing; Time Stamping |
| thawte Primary Root CA - G3 | Server Authentication; Client Authentication; Secure Email; Code Signing; Time Stamping |
| VeriSign Class 1 Public Primary Certification Authority - G3 | Client Authentication; Secure Email |
| VeriSign Class 2 Public Primary Certification Authority - G3 | Client Authentication; Code Signing; Secure Email |
| VeriSign Class 3 Public Primary Certification Authority - G3 | Code Signing; Server Authentication; Client Authentication; Secure Email |
| VeriSign Class 3 Public Primary Certification Authority - G4 | Server Authentication; Client Authentication; Secure Email; Code Signing; Time Stamping |
| VeriSign Class 3 Public Primary Certification Authority - G5 | Server Authentication; Client Authentication; Secure Email; Code Signing |
| VeriSign Universal Root Certification Authority | Server Authentication; Client Authentication; Secure Email; Code Signing; Time Stamping |

_______________________________________________ dev-security-policy mailing list [email protected] https://lists.mozilla.org/listinfo/dev-security-policy

