On Tue, Oct 18, 2016 at 4:10 PM, Dean Coclin via Public <email@example.com> wrote:
> Given that the current TBS certs have passed cryptanalysis, could you allow
> the issuance of the TBS certs as presented, and mandate that the CA revoke
> certs on 12/31 (or the next business day)? This is an auditable event and
> browsers can push that revocation out to their clients via their own
> I believe this meets the intent of the affected browsers by protecting
> users after that date. It also avoids disruption to First Data clients on
> October 27th.
Symantec has suggested this several times, for other incidents, as have
other members of the CA/Browser Forum.
Our position is that revocation, while it can be useful in reducing risk to
(some of) our immediate user populations, does not represent a sufficient
or suitable solution for protecting the broader ecosystem or reducing the
moral hazards of various proposals.
My understanding is that these certificates begin expiring October 27, and
the current urgency was and is created by Symantec hoping to use the
precedent of the previous failure to follow policy as an indicator that the
policy has been changed. While unfortunate, I agree with Gerv's remarks on
the moral hazard of this line of reasoning and this line of utility, and
while I appreciate Symantec's exceptional efforts to work on an alternative
solution for their customer, I think it's best to follow the policy as
outlined some time ago. We discussed and gathered feedback on this
precisely to avoid the situation we're in now - we wanted to have an
objective, rather than subjective, process, which you're now asking that we
undermine because Symantec made an assumption, based on Symantec's previous
mistake which was not caught (amidst all the other issues Symantec had with
the previous request).