There are currently no program requirements for roots that have had their
websites trust bit turned off or been removed from NSS, but this is an open
area of concern [1]. When a root is disabled or removed, there is no
protection for Firefox users who haven't updated to a current version, nor
for any of the other consumers of our root store until they update.

However, that doesn't apply here. These roots are still in the Mozilla root
store and trusted for TLS, and some of them will be for quite a while due
to the whitelisted Apple & Google intermediates [2]. It is clear that
Mozilla policy, and in turn the BRs, still apply to these roots.

Should DigiCert decide not to revoke certificates containing underscores by
the 15-Jan deadline in SC12, including those chaining to distrusted
Symantec roots, I plan to treat it as an incident. As with any incident,
full disclosure is the expectation.

- Wayne

[1] https://github.com/mozilla/pkipolicy/issues/124
[2] https://wiki.mozilla.org/CA/Additional_Trust_Changes#Symantec

On Wed, Dec 12, 2018 at 5:54 PM Jeremy Rowley via dev-security-policy <
dev-security-policy@lists.mozilla.org> wrote:

> Hey all,
>
> We're working towards revoking certs with underscore characters in the
> domain name, per SC12, but I had a question about legacy Symantec systems
> and Mozilla. These particular roots are no longer trusted for TLS certs in
> Google or Mozilla, which means the applicability of the BRs is dubious. The
> roots are shortly being removed from Microsoft and Apple, although that's
> more of an FYI rather than something with direct bearing on the Mozilla
> community. If the roots are no longer trusted for TLS in Mozilla, is there
> any requirement to revoke the certs issued under those roots?
>
> My initial thought is no as this is similar to what Comodo did with their
> request to remove a SHA1 root (and what DigiCert did with one of the
> Verizon roots). Note these are still flagged by zlint because they are trusted in
> older systems. Because the situation is slightly different with the way
> distrust was technically implemented, I wanted to see if there were any
> concerns with the community about treating these as private going forward,
> similar to the SHA1 roots.  Thoughts?
>
> Jeremy
>
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy