Can we request removal of these roots now? This seems very similar to the
SHA1 situation where CAs requested root removal and then treated the root as
private, regardless of the trust in older platforms. 

-----Original Message-----
From: dev-security-policy <[email protected]> On
Behalf Of Wayne Thayer via dev-security-policy
Sent: Thursday, December 13, 2018 3:11 PM
To: mozilla-dev-security-policy
<[email protected]>
Subject: Re: Underscore characters and DigiCert

There are currently no program requirements for roots that have had their
websites trust bit turned off or been removed from NSS, but this is an open
area of concern [1]. When a root is disabled or removed, there is no
protection for Firefox users who haven't updated to a current version, nor
for any of the other consumers of our root store until they update.

However, that doesn't apply here. These roots are still in the Mozilla root
store and trusted for TLS, and some of them will be for quite a while due to
the whitelisted Apple & Google intermediates [2]. It is clear that Mozilla
policy, and in turn the BRs, still apply to these roots.

Should DigiCert decide not to revoke certificates containing underscores by
the 15-Jan deadline in SC12, including those chaining to distrusted Symantec
roots, I plan to treat it as an incident. As with any incident, full
disclosure is the expectation.

- Wayne

[1] https://github.com/mozilla/pkipolicy/issues/124
[2] https://wiki.mozilla.org/CA/Additional_Trust_Changes#Symantec

On Wed, Dec 12, 2018 at 5:54 PM Jeremy Rowley via dev-security-policy <
[email protected]> wrote:

> Hey all,
>
> We're working towards revoking certs with underscore characters in the 
> domain name, per SC12, but I had a question about legacy Symantec 
> systems and Mozilla. These particular roots are no longer trusted for 
> TLS certs in Google or Mozilla, which means the applicability of the 
> BRs is dubious. The roots are shortly being removed from Microsoft and 
> Apple, although that's more of an FYI rather than something with 
> direct bearing on the Mozilla community. If the roots are no longer 
> trusted for TLS in Mozilla, is there any requirement to revoke the certs
> issued under those roots?
>
>
>
> My initial thought is no as this is similar to what Comodo did with 
> their request to remove a SHA1 root (and what DigiCert did with one of 
> the Verizon roots). Note these are still flagged by zlint because they 
> are trusted in older systems. Because the situation is slightly 
> different with the way distrust was technically implemented, I wanted 
> to see if there were any concerns with the community about treating 
> these as private going forward, similar to the SHA1 roots.  Thoughts?
>
>
>
> Jeremy
>
>
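The thread turns on certificates whose dNSName SAN entries contain underscores, which RFC 5280's preferred name syntax (letters, digits and hyphens only) does not permit and which linters such as zlint flag. The following is an added example, not code from the thread or from zlint: a small checker that applies the preferred-name-syntax rules to a list of SAN hostnames and reports which entries would need revocation under SC12. The sample SAN list is constructed for illustration; the function names are my own.

```python
import re

# Preferred name syntax (RFC 1123 section 2.1, referenced by RFC 5280 section
# 4.2.1.6 for dNSName): each label is letters, digits and hyphens, does not
# start or end with a hyphen, is 1-63 octets long; the whole name is <= 253.
_LDH_LABEL = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")


def check_dnsname(name: str) -> list[str]:
    """Return the problems with one dNSName SAN entry (empty list if it is
    well-formed). A single leading '*.' wildcard label is accepted, since the
    BRs allow wildcard certificates; a wildcard anywhere else is reported."""
    problems: list[str] = []
    host = name[2:] if name.startswith("*.") else name
    if len(host) > 253:
        problems.append("name longer than 253 octets")
    for label in host.split("."):
        if "_" in label:
            # The SC12 case: underscores are not part of the LDH alphabet.
            problems.append(f"underscore in label {label!r}")
        elif not _LDH_LABEL.match(label):
            # Covers empty labels, leading/trailing hyphens, over-long labels
            # and any other character outside letters/digits/hyphen.
            problems.append(f"label {label!r} violates LDH syntax")
    return problems


def lint_sans(sans: list[str]) -> dict[str, list[str]]:
    """Map each offending SAN entry to its list of problems; entries that
    satisfy preferred name syntax are omitted."""
    report = {}
    for san in sans:
        problems = check_dnsname(san)
        if problems:
            report[san] = problems
    return report


# Constructed sample SAN list (hypothetical names, not taken from any real
# certificate). Two entries should be reported: one with an underscore, which
# is the SC12 situation, and one with a leading hyphen for comparison.
SAMPLE_SANS = [
    "www.example.com",
    "*.example.com",
    "my_host.example.com",
    "-bad.example.com",
    "ok-1.example.net",
]

if __name__ == "__main__":
    for san, problems in lint_sans(SAMPLE_SANS).items():
        print(f"{san}: {'; '.join(problems)}")
```

Running the block prints one line per offending entry; in a real revocation sweep the same function would be applied to the dNSName values pulled out of each issued certificate's subjectAltName extension, and any certificate with a non-empty report is one SC12 requires to be revoked.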
_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy
