Re: Mozilla Security Blog re Symantec TLS Certs
On Tue, Mar 13, 2018 at 11:26 AM, Kai Engert wrote:

> On 13.03.2018 15:59, Peter Bowen wrote:
> >> Which companies, other than Apple and Google, benefit from DigiCert
> >> running the Manager Partner Infrastructure and from DigiCert being part
> >> of the exclusion list?
> >
> > An unlimited set. Any company who purchases a certificate from
> > DigiCert that is issued by one of the Managed Partner Infrastructure
> > CAs benefits.
>
> Thank you very much for this helpful statement.
>
> I understand that previously, the trust of DigiCert Partner CAs was
> enabled by signing from Symantec CAs.
>
> Because the keys of the managed partner CAs were never controlled by
> Symantec, it is deemed acceptable to allow these to remain trusted.
>
> My conclusion is, the blog post is incomplete.

I see. As I didn't write the blog post, I certainly can't speak to the intent, but I don't agree with your conclusion.

> IIUC, the blog post should be updated to add DigiCert as another entity
> controlling subordinate CAs on the exception list.
>
> It might be worth to mention in the article, why the exception for these
> subordinate CAs is deemed acceptable.

The consensus plan is linked, and explains these steps. Considering the importance of ensuring such posts are widely accessible, adding more detail is regularly shown to be more harmful, rather than helpful, to the overall discussion and migration. For a blog post particularly aimed at helping site operators understand, these nuances about whitelisted CAs only serves to add further problems.

As stated in the blog post, the Consensus Plan was adopted, and that, in addition to the Managed Partner Infrastructure (which is fully covered in the consensus plan), the independently-operated-and-audited Sub-CAs of Apple and Google are being excluded. All of this information is fully factually accurate. The confusion seems to be stemming from reading the blog post while ignoring the Consensus Plan (which is linked).

I'm not trying to be negative, but I'm trying to highlight that the thing you think is missing is addressed (and is linked), and that likely represents an appropriate-level-of-detail for the likely intended audience.

> IMHO, it is important to highlight that Apple and Google aren't the only
> entities that own certificates that will remain valid under the Symantec
> hierarchy.

That seems more likely to confuse users than to help.

___
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
Re: Mozilla Security Blog re Symantec TLS Certs
> As I didn't write the blog post, I certainly can't speak to the intent

The intent of the blog post was to let folks know about an error they may encounter when Firefox 60 goes into Beta. And to have a place to point folks to if they run into the error and ask about it. It was *not* our intent to imply any deviation from the consensus proposal.

If clarification is needed, let's update the wiki page to add it:
https://wiki.mozilla.org/CA/Additional_Trust_Changes#Symantec

Please let me and Wayne know what changes you think should be made to the wiki page to clarify the changes.

Thanks,
Kathleen
Re: Mozilla Security Blog re Symantec TLS Certs
On Tue, Mar 13, 2018 at 11:50 AM, Ryan Sleevi wrote:

> On Tue, Mar 13, 2018 at 11:26 AM, Kai Engert wrote:
>
>> On 13.03.2018 15:59, Peter Bowen wrote:
>> >> Which companies, other than Apple and Google, benefit from DigiCert
>> >> running the Manager Partner Infrastructure and from DigiCert being part
>> >> of the exclusion list?
>> >
>> > An unlimited set. Any company who purchases a certificate from
>> > DigiCert that is issued by one of the Managed Partner Infrastructure
>> > CAs benefits.
>>
>> Thank you very much for this helpful statement.
>>
>> I understand that previously, the trust of DigiCert Partner CAs was
>> enabled by signing from Symantec CAs.
>>
>> Because the keys of the managed partner CAs were never controlled by
>> Symantec, it is deemed acceptable to allow these to remain trusted.
>>
>> My conclusion is, the blog post is incomplete.
>
> I see. As I didn't write the blog post, I certainly can't speak to the
> intent, but I don't agree with your conclusion.

If it helps with framing the discussion any, I think one possible misinterpretation may be reading "Distrust of Symantec" to be "Distrust of these specific keys". Rather, the Symantec Legacy PKI (as referenced in the consensus proposal) is the set of infrastructure, practices, policies, and systems that comprised the failed systems, and all certificates issued by and all information verified by that information. The Managed Partner Infrastructure is a new set of infrastructure, practices, policies, and systems, which issue new certificates and which verify information correctly.

Distrust in the Legacy PKI is ongoing, and the whitelist is not an exception from that distrust - it's a reflection that these parties were not part of the Legacy PKI. DigiCert's Managed/Transition Roots are a new PKI, as part of the Managed Partner Infrastructure, which the transition policy explained would be trusted.

Distrusting the keys used as the root of trust for that Legacy PKI is one technical solution. But, as a technical solution, it distrusts more than what the consensus proposal required or stated. Hence, whitelists - which are simply implementations of what the consensus protocol stated. There are other ways one could imagine accomplishing distrust in the Legacy PKI - blacklists of intermediates or leaves, for example - that have different technical tradeoffs and different risks (many of which, incidentally, were discussed last year).

Perhaps that framing helps think about it - it's not necessarily the keys being distrusted, it's everything related to those keys. Distrusting the keys is simply a technically-sound means to accomplish that, but in doing so, it's also necessary to carve out that which was explicitly not part of the distrust proposal.
Re: Mozilla Security Blog re Symantec TLS Certs
On 13.03.2018 15:59, Peter Bowen wrote:
>> Which companies, other than Apple and Google, benefit from DigiCert
>> running the Manager Partner Infrastructure and from DigiCert being part
>> of the exclusion list?
>
> An unlimited set. Any company who purchases a certificate from
> DigiCert that is issued by one of the Managed Partner Infrastructure
> CAs benefits.

Thank you very much for this helpful statement.

I understand that previously, the trust of DigiCert Partner CAs was enabled by signing from Symantec CAs.

Because the keys of the managed partner CAs were never controlled by Symantec, it is deemed acceptable to allow these to remain trusted.

My conclusion is, the blog post is incomplete.

IIUC, the blog post should be updated to add DigiCert as another entity controlling subordinate CAs on the exception list.

It might be worth to mention in the article, why the exception for these subordinate CAs is deemed acceptable.

IMHO, it is important to highlight that Apple and Google aren't the only entities that own certificates that will remain valid under the Symantec hierarchy.

Thanks
Kai
Re: Mozilla Security Blog re Symantec TLS Certs
On Tue, Mar 13, 2018 at 10:52 AM, Peter Bowen wrote:

> On Tue, Mar 13, 2018 at 7:19 AM, Kai Engert via dev-security-policy
> wrote:
> > On 13.03.2018 14:59, Ryan Sleevi wrote:
> >> the blog post says, the subCAs controlled by Apple and Google are the
> >> ONLY exceptions.
> >>
> >> However, the Mozilla Firefox code also treats certain DigiCert subCAs as
> >> exceptions.
> >>
> >> Based on Ryan Sleevi's recent comments on this list, I had concluded
> >> that the excluded DigiCert subCAs are used to support companies other
> >> than Apple and Google. Is my understanding right or wrong?
> >>
> >>
> >> I think your understanding is incorrect. The DigiCert SubCAs are being
> >> treated as part of the Managed Partner Infrastructure (aka the consensus
> >> plan), and the (cross-signed DigiCert Roots) are excluded to avoid path
> >> building issues in Firefox.
> >
> > Your earlier explanations were very complex, and had increased my
> > uncertainty about who is covered by the Managed Partner Infrastructure.
> >
> > In your earlier explanations, you had mentioned additional company names
> > besides Apple and Google. This had given me the impression that the
> > Managed Partner Infrastructure isn't limited to support the Apple and
> > Google companies, but to also support other companies.
> >
> >
> >> That is, the exclusion of those DigiCert Sub-CAs *is* the consensus plan
> >> referred to - what else could it be?
> >>
> >>
> >> Are Apple and Google really the only beneficials of the exceptions, or
> >> should the blog post get updated to mention the additional exceptions?
> >>
> >>
> >> Do you think the above clarifies?
> >
> > I hope we are close.
> >
> > I really wish we could bring it down to a simple yes or no question, and
> > you being able to respond with a clear yes or no.
> >
> > Let me try again.
> >
> > Are the DigiCert transition CAs, which are part of the exclusion list,
> > and which you say are used for "Managed Partner Infrastructure",
> > strictly limited to support the needs of the Apple and Google companies?
>
> I'll try answering and let Ryan correct me.
>
> Managed Partner Infrastructure CAs are NOT strictly limited to support
> the needs of Apple/Google.
>
> As I understand it, there are five different sets of CAs when it comes
> to applying trust rules:
>
> 1) CAs that are not cross-signed by any of the roots owned by Symantec
> as of June 2017 ("Symantec roots"). This is the majority of CAs in
> the world.
>
> 2) Online/Non-root CAs that are cross-signed by a Symantec root and
> which had their own non-Symantec audit as of June 2017 and have
> current audits - this is currently a set of CAs owned by Alphabet and
> Apple companies
>
> 3) Root CAs that are cross-signed by a Symantec root and which had
> their own non-Symantec audit as of June 2017 and have current audits -
> this is currently a set of root CAs that are owned by DigiCert and
> that existed prior to DigiCert acquiring the Symantec roots
>
> 4) CAs that are cross-signed by a Symantec root which were explicitly
> created for compatibility with existing clients. These are not
> cross-signed by any roots that are not Symantec roots. These were
> created by DigiCert are not under their DigiCert branded CAs; they are
> the "Managed Partner Infrastructure" CAs.
>
> 5) Any CAs not covered above (that is a CAs cross-signed by a Symantec
> root but not in #2, #3, or #4).
>
> CAs in group #2, #3, and #4 are able to continue issuing. #4 have a
> maximum validity period restriction that is less than the BR maximum.
> #5 CAs are not trusted for certificates issued after
> 2017-12-01T00:00:00Z or before 2016-06-01T00:00:00Z.
>
> Does this make it clear?
> Ryan, did I get this wrong?

#4 is only limited in validity if Symantec was involved/validation information was reused. As stated by DigiCert, there's been zero involvement in the validation and zero-reuse of validated information, hence, issuance times are permitted to the maximum BR allowed.
Re: Mozilla Security Blog re Symantec TLS Certs
On Tue, Mar 13, 2018 at 7:55 AM, Kai Engert via dev-security-policy wrote:
> On 13.03.2018 15:35, Ryan Sleevi via dev-security-policy wrote:
>>
>>> Are the DigiCert transition CAs, which are part of the exclusion list,
>>> and which you say are used for "Managed Partner Infrastructure",
>>> strictly limited to support the needs of the Apple and Google companies?
>>
>> No.
>
> If the answer is "no", it means there are additional beneficials besides
> Apple and Google.
>
>> Apple is Apple. Google is Google. DigiCert is running the Managed Partner
>> Infrastructure from the consensus plan, using the two transition CAs, in
>> addition to the two pre-existing roots participating in Mozilla's root
>> store.
>
> Which companies, other than Apple and Google, benefit from DigiCert
> running the Manager Partner Infrastructure and from DigiCert being part
> of the exclusion list?

An unlimited set. Any company who purchases a certificate from DigiCert that is issued by one of the Managed Partner Infrastructure CAs benefits.

Thanks,
Peter
Re: Mozilla Security Blog re Symantec TLS Certs
On Tue, Mar 13, 2018 at 10:55 AM, Kai Engert wrote:

> On 13.03.2018 15:35, Ryan Sleevi via dev-security-policy wrote:
> >
> >> Are the DigiCert transition CAs, which are part of the exclusion list,
> >> and which you say are used for "Managed Partner Infrastructure",
> >> strictly limited to support the needs of the Apple and Google companies?
> >
> > No.
>
> If the answer is "no", it means there are additional beneficials besides
> Apple and Google.
>
> > Apple is Apple. Google is Google. DigiCert is running the Managed Partner
> > Infrastructure from the consensus plan, using the two transition CAs, in
> > addition to the two pre-existing roots participating in Mozilla's root
> > store.
>
> Which companies, other than Apple and Google, benefit from DigiCert
> running the Manager Partner Infrastructure and from DigiCert being part
> of the exclusion list?

Kai,

Please see if Peter's answer helps. I will be happy to answer follow-up questions if you are still confused, but I do want to stress, the Managed Partner Infrastructure consensus plan, discussed for months, addresses both the reasoning and the risk.

Apple and Google *do not* benefit from the Managed Partner Infrastructure. They could, but at present, they do not.

Hopefully, Peter's decomposition addresses the confusion.
Re: Mozilla Security Blog re Symantec TLS Certs
On 13.03.2018 15:35, Ryan Sleevi via dev-security-policy wrote:
>
>> Are the DigiCert transition CAs, which are part of the exclusion list,
>> and which you say are used for "Managed Partner Infrastructure",
>> strictly limited to support the needs of the Apple and Google companies?
>
> No.

If the answer is "no", it means there are additional beneficials besides Apple and Google.

> Apple is Apple. Google is Google. DigiCert is running the Managed Partner
> Infrastructure from the consensus plan, using the two transition CAs, in
> addition to the two pre-existing roots participating in Mozilla's root
> store.

Which companies, other than Apple and Google, benefit from DigiCert running the Manager Partner Infrastructure and from DigiCert being part of the exclusion list?

Thanks
Kai
Re: Mozilla Security Blog re Symantec TLS Certs
On Tue, Mar 13, 2018 at 7:19 AM, Kai Engert via dev-security-policy wrote:
> On 13.03.2018 14:59, Ryan Sleevi wrote:
>> the blog post says, the subCAs controlled by Apple and Google are the
>> ONLY exceptions.
>>
>> However, the Mozilla Firefox code also treats certain DigiCert subCAs as
>> exceptions.
>>
>> Based on Ryan Sleevi's recent comments on this list, I had concluded
>> that the excluded DigiCert subCAs are used to support companies other
>> than Apple and Google. Is my understanding right or wrong?
>>
>>
>> I think your understanding is incorrect. The DigiCert SubCAs are being
>> treated as part of the Managed Partner Infrastructure (aka the consensus
>> plan), and the (cross-signed DigiCert Roots) are excluded to avoid path
>> building issues in Firefox.
>
> Your earlier explanations were very complex, and had increased my
> uncertainty about who is covered by the Managed Partner Infrastructure.
>
> In your earlier explanations, you had mentioned additional company names
> besides Apple and Google. This had given me the impression that the
> Managed Partner Infrastructure isn't limited to support the Apple and
> Google companies, but to also support other companies.
>
>
>> That is, the exclusion of those DigiCert Sub-CAs *is* the consensus plan
>> referred to - what else could it be?
>>
>>
>> Are Apple and Google really the only beneficials of the exceptions, or
>> should the blog post get updated to mention the additional exceptions?
>>
>>
>> Do you think the above clarifies?
>
> I hope we are close.
>
> I really wish we could bring it down to a simple yes or no question, and
> you being able to respond with a clear yes or no.
>
> Let me try again.
>
> Are the DigiCert transition CAs, which are part of the exclusion list,
> and which you say are used for "Managed Partner Infrastructure",
> strictly limited to support the needs of the Apple and Google companies?

I'll try answering and let Ryan correct me.

Managed Partner Infrastructure CAs are NOT strictly limited to support the needs of Apple/Google.

As I understand it, there are five different sets of CAs when it comes to applying trust rules:

1) CAs that are not cross-signed by any of the roots owned by Symantec as of June 2017 ("Symantec roots"). This is the majority of CAs in the world.

2) Online/Non-root CAs that are cross-signed by a Symantec root and which had their own non-Symantec audit as of June 2017 and have current audits - this is currently a set of CAs owned by Alphabet and Apple companies

3) Root CAs that are cross-signed by a Symantec root and which had their own non-Symantec audit as of June 2017 and have current audits - this is currently a set of root CAs that are owned by DigiCert and that existed prior to DigiCert acquiring the Symantec roots

4) CAs that are cross-signed by a Symantec root which were explicitly created for compatibility with existing clients. These are not cross-signed by any roots that are not Symantec roots. These were created by DigiCert are not under their DigiCert branded CAs; they are the "Managed Partner Infrastructure" CAs.

5) Any CAs not covered above (that is a CAs cross-signed by a Symantec root but not in #2, #3, or #4).

CAs in group #2, #3, and #4 are able to continue issuing. #4 have a maximum validity period restriction that is less than the BR maximum. #5 CAs are not trusted for certificates issued after 2017-12-01T00:00:00Z or before 2016-06-01T00:00:00Z.

Does this make it clear?
Ryan, did I get this wrong?

Thanks,
Peter
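Peter's five-way grouping, and the trust rule he attaches to each group, written out as a small evaluation routine. This is an added example for readers of the thread, not code from Mozilla, Firefox, DigiCert or anyone posting here. The group numbers, the classification criteria and the 2016-06-01 / 2017-12-01 window for group 5 are taken from Peter's message; the `IssuingCA` record, its attribute names, the function names and the sample CAs are constructed for illustration and are not real CA names. The group-4 validity cap is deliberately not modelled, because the thread gives no number for it and Ryan's reply notes it applies only where Symantec-era validation information was reused.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Tuple

# Date window from Peter's message: group-5 certificates are not trusted if
# issued after 2017-12-01T00:00:00Z or before 2016-06-01T00:00:00Z.
WINDOW_START = datetime(2016, 6, 1, tzinfo=timezone.utc)
WINDOW_END = datetime(2017, 12, 1, tzinfo=timezone.utc)


@dataclass(frozen=True)
class IssuingCA:
    """Facts about the CA that issued a leaf certificate (hypothetical record,
    not a real data structure from any browser or CA)."""
    name: str
    cross_signed_by_symantec_root: bool  # chains to a root Symantec owned as of June 2017
    independently_audited: bool          # had its own non-Symantec audit as of June 2017 and still does
    is_root: bool                        # a root CA (group 3) rather than an online sub-CA (group 2)
    managed_partner: bool                # created by DigiCert for the Managed Partner Infrastructure


def classify(ca: IssuingCA) -> int:
    """Map an issuing CA onto Peter's groups 1-5, checked in the order his list implies."""
    if not ca.cross_signed_by_symantec_root:
        return 1                          # never under a Symantec root: untouched by the distrust
    if ca.managed_partner:
        return 4                          # Managed Partner Infrastructure (transition) CAs
    if ca.independently_audited:
        return 3 if ca.is_root else 2     # pre-existing audited roots / audited sub-CAs
    return 5                              # everything else under a Symantec root: Legacy PKI


def is_trusted(ca: IssuingCA, not_before: datetime) -> bool:
    """Groups 1-4 may keep issuing; group 5 is trusted only inside the date window."""
    if classify(ca) in (1, 2, 3, 4):
        return True
    # Peter says "after" and "before", read here as strict, so the boundary
    # instants themselves remain inside the trusted window.
    return WINDOW_START <= not_before <= WINDOW_END


# Constructed sample CAs (placeholder names, one per group).
SAMPLES = {
    "independent-ca": IssuingCA("Example Independent Root", False, False, True, False),
    "audited-subca": IssuingCA("Example Audited Sub-CA", True, True, False, False),
    "audited-root": IssuingCA("Example Pre-existing Root", True, True, True, False),
    "managed-partner": IssuingCA("Example Transition CA", True, False, False, True),
    "legacy-subca": IssuingCA("Example Legacy Sub-CA", True, False, False, False),
}


def evaluate(sample: str, not_before_iso: str) -> Tuple[int, bool]:
    """Return (group, trusted) for a named sample CA and an ISO-8601 notBefore."""
    ca = SAMPLES[sample]
    not_before = datetime.fromisoformat(not_before_iso.replace("Z", "+00:00"))
    return classify(ca), is_trusted(ca, not_before)


if __name__ == "__main__":
    # Walk every sample through a notBefore before, inside and after the window.
    for name in SAMPLES:
        for issued in ("2016-01-15T00:00:00Z", "2017-03-01T00:00:00Z", "2018-02-01T00:00:00Z"):
            group, trusted = evaluate(name, issued)
            print(f"{name:16} group={group} notBefore={issued} trusted={trusted}")
```

The point the routine makes concrete is the one Ryan keeps returning to: the decision is driven by which PKI a CA belongs to, not by which key signed it. A group-2, -3 or -4 CA is still cross-signed by a Symantec root, yet it is never subjected to the date window, because it was never part of the Legacy PKI.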
Re: Mozilla Security Blog re Symantec TLS Certs
On Tue, Mar 13, 2018 at 10:19 AM, Kai Engert via dev-security-policy <dev-security-policy@lists.mozilla.org> wrote:

> On 13.03.2018 14:59, Ryan Sleevi wrote:
> > the blog post says, the subCAs controlled by Apple and Google are the
> > ONLY exceptions.
> >
> > However, the Mozilla Firefox code also treats certain DigiCert subCAs as
> > exceptions.
> >
> > Based on Ryan Sleevi's recent comments on this list, I had concluded
> > that the excluded DigiCert subCAs are used to support companies other
> > than Apple and Google. Is my understanding right or wrong?
> >
> >
> > I think your understanding is incorrect. The DigiCert SubCAs are being
> > treated as part of the Managed Partner Infrastructure (aka the consensus
> > plan), and the (cross-signed DigiCert Roots) are excluded to avoid path
> > building issues in Firefox.
>
> Your earlier explanations were very complex, and had increased my
> uncertainty about who is covered by the Managed Partner Infrastructure.
>
> In your earlier explanations, you had mentioned additional company names
> besides Apple and Google. This had given me the impression that the
> Managed Partner Infrastructure isn't limited to support the Apple and
> Google companies, but to also support other companies.

OK, I think the confusion is what Managed Partner Infrastructure is.

There is Apple. There is Google. There is the Managed Partner Infrastructure. These are three, separate things from the point-of-view of the Consensus plan. That consensus document, unchanged since the announcement, is https://docs.google.com/document/d/1Yd079EsKQ-QawTvWgjIfrCV6d0NNlwoS1ftB0MaJkBc/edit

> Are the DigiCert transition CAs, which are part of the exclusion list,
> and which you say are used for "Managed Partner Infrastructure",
> strictly limited to support the needs of the Apple and Google companies?

No.

Apple is Apple. Google is Google. DigiCert is running the Managed Partner Infrastructure from the consensus plan, using the two transition CAs, in addition to the two pre-existing roots participating in Mozilla's root store.
Re: Mozilla Security Blog re Symantec TLS Certs
On 13.03.2018 14:59, Ryan Sleevi wrote:
> the blog post says, the subCAs controlled by Apple and Google are the
> ONLY exceptions.
>
> However, the Mozilla Firefox code also treats certain DigiCert subCAs as
> exceptions.
>
> Based on Ryan Sleevi's recent comments on this list, I had concluded
> that the excluded DigiCert subCAs are used to support companies other
> than Apple and Google. Is my understanding right or wrong?
>
>
> I think your understanding is incorrect. The DigiCert SubCAs are being
> treated as part of the Managed Partner Infrastructure (aka the consensus
> plan), and the (cross-signed DigiCert Roots) are excluded to avoid path
> building issues in Firefox.

Your earlier explanations were very complex, and had increased my uncertainty about who is covered by the Managed Partner Infrastructure.

In your earlier explanations, you had mentioned additional company names besides Apple and Google. This had given me the impression that the Managed Partner Infrastructure isn't limited to support the Apple and Google companies, but to also support other companies.

> That is, the exclusion of those DigiCert Sub-CAs *is* the consensus plan
> referred to - what else could it be?
>
>
> Are Apple and Google really the only beneficials of the exceptions, or
> should the blog post get updated to mention the additional exceptions?
>
>
> Do you think the above clarifies?

I hope we are close.

I really wish we could bring it down to a simple yes or no question, and you being able to respond with a clear yes or no.

Let me try again.

Are the DigiCert transition CAs, which are part of the exclusion list, and which you say are used for "Managed Partner Infrastructure", strictly limited to support the needs of the Apple and Google companies?

Thanks
Kai
Re: Mozilla Security Blog re Symantec TLS Certs
On Tue, Mar 13, 2018 at 8:36 AM, Kai Engert via dev-security-policy <dev-security-policy@lists.mozilla.org> wrote:

> On 12.03.2018 22:19, Kathleen Wilson via dev-security-policy wrote:
> > Wayne and I have posted a Mozilla Security Blog regarding the current
> > plan for distrusting the Symantec TLS certs.
> >
> > https://blog.mozilla.org/security/2018/03/12/distrust-symantec-tls-certificates/
>
> Hello Kathleen and Wayne,
>
> the blog post says, the subCAs controlled by Apple and Google are the
> ONLY exceptions.
>
> However, the Mozilla Firefox code also treats certain DigiCert subCAs as
> exceptions.
>
> Based on Ryan Sleevi's recent comments on this list, I had concluded
> that the excluded DigiCert subCAs are used to support companies other
> than Apple and Google. Is my understanding right or wrong?

I think your understanding is incorrect. The DigiCert SubCAs are being treated as part of the Managed Partner Infrastructure (aka the consensus plan), and the (cross-signed DigiCert Roots) are excluded to avoid path building issues in Firefox.

That is, the exclusion of those DigiCert Sub-CAs *is* the consensus plan referred to - what else could it be?

> Are Apple and Google really the only beneficials of the exceptions, or
> should the blog post get updated to mention the additional exceptions?

Do you think the above clarifies?
Re: Mozilla Security Blog re Symantec TLS Certs
On 12.03.2018 22:19, Kathleen Wilson via dev-security-policy wrote:
> Wayne and I have posted a Mozilla Security Blog regarding the current
> plan for distrusting the Symantec TLS certs.
>
> https://blog.mozilla.org/security/2018/03/12/distrust-symantec-tls-certificates/

Hello Kathleen and Wayne,

could you please clarify the plan for Firefox ESR (Enterprise Support Version)?

Firefox 63 and Firefox ESR 60.3 will be released on the same date. Does Mozilla plan to implement the identical distrust in both Firefox 63 and Firefox ESR 60.3?

Thanks
Kai
Re: Mozilla Security Blog re Symantec TLS Certs
Same question. Does this mean the key used to sign the digicert roots is subject to the distrust without exception?

> On Mar 13, 2018, at 1:36 PM, Kai Engert via dev-security-policy
> wrote:
>
>> On 12.03.2018 22:19, Kathleen Wilson via dev-security-policy wrote:
>> Wayne and I have posted a Mozilla Security Blog regarding the current
>> plan for distrusting the Symantec TLS certs.
>>
>> https://blog.mozilla.org/security/2018/03/12/distrust-symantec-tls-certificates/
>
> Hello Kathleen and Wayne,
>
> the blog post says, the subCAs controlled by Apple and Google are the
> ONLY exceptions.
>
> However, the Mozilla Firefox code also treats certain DigiCert subCAs as
> exceptions.
>
> Based on Ryan Sleevi's recent comments on this list, I had concluded
> that the excluded DigiCert subCAs are used to support companies other
> than Apple and Google. Is my understanding right or wrong?
>
> Are Apple and Google really the only beneficials of the exceptions, or
> should the blog post get updated to mention the additional exceptions?
>
> Thanks
> Kai
Re: Mozilla Security Blog re Symantec TLS Certs
On 12.03.2018 22:19, Kathleen Wilson via dev-security-policy wrote:
> Wayne and I have posted a Mozilla Security Blog regarding the current
> plan for distrusting the Symantec TLS certs.
>
> https://blog.mozilla.org/security/2018/03/12/distrust-symantec-tls-certificates/

Hello Kathleen and Wayne,

the blog post says, the subCAs controlled by Apple and Google are the ONLY exceptions.

However, the Mozilla Firefox code also treats certain DigiCert subCAs as exceptions.

Based on Ryan Sleevi's recent comments on this list, I had concluded that the excluded DigiCert subCAs are used to support companies other than Apple and Google. Is my understanding right or wrong?

Are Apple and Google really the only beneficials of the exceptions, or should the blog post get updated to mention the additional exceptions?

Thanks
Kai
Mozilla Security Blog re Symantec TLS Certs
All,

Wayne and I have posted a Mozilla Security Blog regarding the current plan for distrusting the Symantec TLS certs.

https://blog.mozilla.org/security/2018/03/12/distrust-symantec-tls-certificates/

Kathleen