Re: Notice of Intent to Deprecate and Remove: Trust in Symantec-issued Certificates

2017-03-24 Thread Gervase Markham via dev-security-policy
On 23/03/17 19:54, Jakob Bohm wrote:
> The above message (and one by Symantec) were posted to the
> mozilla.dev.security.policy newsgroup prior to becoming aware of
> Google's decision to move the discussion to its own private mailing
> list and procedures.  I would encourage everyone concerned to keep the
> public Mozilla newsgroup copied on all messages in this discussion,
> which seems to have extremely wide repercussions.

Actually, could I encourage everyone _not_ to do that? Ryan has
requested this discussion happen on the blink-dev list. Not everyone who
is a member here is a member there, or vice versa, and attempting to
have the discussion across both lists is likely to lead to significant
fragmentation and confusion.

Thanks,

Gerv

___
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy


Re: Notice of Intent to Deprecate and Remove: Trust in Symantec-issued Certificates

2017-03-23 Thread Peter Bowen via dev-security-policy
On Thu, Mar 23, 2017 at 12:54 PM, Jakob Bohm via dev-security-policy wrote:
>
> The above message (and one by Symantec) were posted to the
> mozilla.dev.security.policy newsgroup prior to becoming aware of
> Google's decision to move the discussion to its own private mailing
> list and procedures.  I would encourage everyone concerned to keep the
> public Mozilla newsgroup copied on all messages in this discussion,
> which seems to have extremely wide repercussions.

Jakob,

Maybe I missed it, but I don't think that Mozilla is involved in this
proposal.  The blink-dev mailing list has an open membership policy
and public anonymously accessible archives.  Obviously anyone can copy
m.d.s.p, as it doesn't have posting restrictions, but it seems
reasonable that Chrom(ium|e)-only discussions would be on a chromium
mailing list.

Thanks,
Peter


Re: Notice of Intent to Deprecate and Remove: Trust in Symantec-issued Certificates

2017-03-23 Thread Ryan Sleevi via dev-security-policy
(Posting in an official capacity)

Jakob,

As the initial message said:
"You can participate in this discussion at
https://groups.google.com/a/chromium.org/forum/#!topic/blink-dev/eUAKwjihhBs
"

I've removed the cross-post, to ensure that threads do not fork due to
members being subscribed to one list versus the other.

I know this is a new approach, and appreciate your understanding as we try
to work through the challenges.


On Thu, Mar 23, 2017 at 3:54 PM, Jakob Bohm via dev-security-policy <
dev-security-policy@lists.mozilla.org> wrote:

> On 23/03/2017 20:27, Ryan Sleevi wrote:
>
>> On Thu, Mar 23, 2017 at 1:38 PM, Jakob Bohm via dev-security-policy <
>> dev-security-policy@lists.mozilla.org> wrote:
>>
>>> On 23/03/2017 17:09, Ryan Sleevi wrote:
>>>
>>>> (Posting in a Google Capacity)
>>>>
>>>> I just wanted to notify the members of this Forum that we have started an
>>>> Intent to Deprecate and Remove, consistent with our Blink process, related
>>>> to certain certificates issued by Symantec Corporation.
>>>>
>>>> This is a proposed plan, not a final commitment, and we welcome all
>>>> feedback from members of this Forum to understand the risks and
>>>> challenges.
>>>> To understand the goals of this process, you can find more details at
>>>> https://www.chromium.org/blink
>>>>
>>>> You can participate in this discussion at
>>>> https://groups.google.com/a/chromium.org/forum/#!topic/blink-dev/eUAKwjihhBs
>>>
>>>
>>> According to the linked document, Google is intending to distrust *all*
>>> Symantec issued certificates with a validity longer than 9 months,
>>> which is less than the 12 month validity normally being the minimum
>>> that site operators can purchase from CAs such as Symantec.
>>>
>>> It is also worth noting that this is apparently scheduled to occur less
>>> than 12 months from now (The document refers to Chrome/Blink version
>>> numbers with no associated dates, but contains a mention that one of
>>> the relevant releases would happen over the "winter holiday",
>>> presumably Christmas 2017).
>>>
>>> Since I know of no commercial (as opposed to free) CAs that routinely
>>> sell certificates with a duration of less than 12 months, this seems
>>> highly draconian and designed to drive Symantec out of the CA business.
>>>
>>> It also seems to ignore every mitigating factor discussed in this
>>> group, including those posted by Symantec themselves.
>>>
>>> For example the cited number of "30,000" affected certificates seems to
>>> come from the number of certificates that Symantec is actively double
>>> checking to ensure they were *not* misissued in a way similar to the
>>> original 127.
>>>
>>> It would seem that the only way to remain interoperable with both
>>> Chrome and the legacy devices and systems that trust only Symantec
>>> owned roots, would be if Chrome's TLS implementation somehow identified
>>> itself to servers as being a Chrome-based implementation before servers
>>> present their certificate.
>>>
>>> The computing world at large would be significantly inconvenienced if
>>> Symantec was forced to close down its CA business, in particular the
>>> parts of that business catering to other markets than general WebPKI
>>> certificates.
>>>
>>
>>
>>
> The above message (and one by Symantec) were posted to the
> mozilla.dev.security.policy newsgroup prior to becoming aware of
> Google's decision to move the discussion to its own private mailing
> list and procedures.  I would encourage everyone concerned to keep the
> public Mozilla newsgroup copied on all messages in this discussion,
> which seems to have extremely wide repercussions.
>
>
>
>
> Enjoy
>
> Jakob
> --
> Jakob Bohm, CIO, Partner, WiseMo A/S.  https://www.wisemo.com
> Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
> This public discussion message is non-binding and may contain errors.
> WiseMo - Remote Service Management for PCs, Phones and Embedded
>


Re: Notice of Intent to Deprecate and Remove: Trust in Symantec-issued Certificates

2017-03-23 Thread Jakob Bohm via dev-security-policy

On 23/03/2017 20:27, Ryan Sleevi wrote:

> On Thu, Mar 23, 2017 at 1:38 PM, Jakob Bohm via dev-security-policy <
> dev-security-policy@lists.mozilla.org> wrote:
>
>
>> On 23/03/2017 17:09, Ryan Sleevi wrote:
>>
>>
>>> (Posting in a Google Capacity)
>>>
>>> I just wanted to notify the members of this Forum that we have started an
>>> Intent to Deprecate and Remove, consistent with our Blink process, related
>>> to certain certificates issued by Symantec Corporation.
>>>
>>> This is a proposed plan, not a final commitment, and we welcome all
>>> feedback from members of this Forum to understand the risks and challenges.
>>> To understand the goals of this process, you can find more details at
>>> https://www.chromium.org/blink
>>>
>>> You can participate in this discussion at
>>> https://groups.google.com/a/chromium.org/forum/#!topic/blink-dev/eUAKwjihhBs
>>
>>
>>
>> According to the linked document, Google is intending to distrust *all*
>> Symantec issued certificates with a validity longer than 9 months,
>> which is less than the 12 month validity normally being the minimum
>> that site operators can purchase from CAs such as Symantec.
>>
>> It is also worth noting that this is apparently scheduled to occur less
>> than 12 months from now (The document refers to Chrome/Blink version
>> numbers with no associated dates, but contains a mention that one of
>> the relevant releases would happen over the "winter holiday",
>> presumably Christmas 2017).
>>
>> Since I know of no commercial (as opposed to free) CAs that routinely
>> sell certificates with a duration of less than 12 months, this seems
>> highly draconian and designed to drive Symantec out of the CA business.
>>
>> It also seems to ignore every mitigating factor discussed in this
>> group, including those posted by Symantec themselves.
>>
>> For example the cited number of "30,000" affected certificates seems to
>> come from the number of certificates that Symantec is actively double
>> checking to ensure they were *not* misissued in a way similar to the
>> original 127.
>>
>> It would seem that the only way to remain interoperable with both
>> Chrome and the legacy devices and systems that trust only Symantec
>> owned roots, would be if Chrome's TLS implementation somehow identified
>> itself to servers as being a Chrome-based implementation before servers
>> present their certificate.
>>
>> The computing world at large would be significantly inconvenienced if
>> Symantec was forced to close down its CA business, in particular the
>> parts of that business catering to other markets than general WebPKI
>> certificates.





The above message (and one by Symantec) were posted to the
mozilla.dev.security.policy newsgroup prior to becoming aware of
Google's decision to move the discussion to its own private mailing
list and procedures.  I would encourage everyone concerned to keep the
public Mozilla newsgroup copied on all messages in this discussion,
which seems to have extremely wide repercussions.



Enjoy

Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S.  https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded


Re: Notice of Intent to Deprecate and Remove: Trust in Symantec-issued Certificates

2017-03-23 Thread Ryan Sleevi via dev-security-policy
On Thu, Mar 23, 2017 at 1:38 PM, Jakob Bohm via dev-security-policy <
dev-security-policy@lists.mozilla.org> wrote:

> On 23/03/2017 17:09, Ryan Sleevi wrote:
>
>> (Posting in a Google Capacity)
>>
>> I just wanted to notify the members of this Forum that we have started an
>> Intent to Deprecate and Remove, consistent with our Blink process, related
>> to certain certificates issued by Symantec Corporation.
>>
>> This is a proposed plan, not a final commitment, and we welcome all
>> feedback from members of this Forum to understand the risks and challenges.
>> To understand the goals of this process, you can find more details at
>> https://www.chromium.org/blink
>>
>> You can participate in this discussion at
>> https://groups.google.com/a/chromium.org/forum/#!topic/blink-dev/eUAKwjihhBs
>>
>>
> According to the linked document, Google is intending to distrust *all*
> Symantec issued certificates with a validity longer than 9 months,
> which is less than the 12 month validity normally being the minimum
> that site operators can purchase from CAs such as Symantec.
>
> It is also worth noting that this is apparently scheduled to occur less
> than 12 months from now (The document refers to Chrome/Blink version
> numbers with no associated dates, but contains a mention that one of
> the relevant releases would happen over the "winter holiday",
> presumably Christmas 2017).
>
> Since I know of no commercial (as opposed to free) CAs that routinely
> sell certificates with a duration of less than 12 months, this seems
> highly draconian and designed to drive Symantec out of the CA business.
>
> It also seems to ignore every mitigating factor discussed in this
> group, including those posted by Symantec themselves.
>
> For example the cited number of "30,000" affected certificates seems to
> come from the number of certificates that Symantec is actively double
> checking to ensure they were *not* misissued in a way similar to the
> original 127.
>
> It would seem that the only way to remain interoperable with both
> Chrome and the legacy devices and systems that trust only Symantec
> owned roots, would be if Chrome's TLS implementation somehow identified
> itself to servers as being a Chrome-based implementation before servers
> present their certificate.
>
> The computing world at large would be significantly inconvenienced if
> Symantec was forced to close down its CA business, in particular the
> parts of that business catering to other markets than general WebPki
> certificates.


(In Google Capacity)

By no means do I want to insist you must discuss on blink-...@chromium.org,
but I do want to highlight that the process follows our Blink Process for
assessing risk, and you're more than welcome and encouraged to share this
feedback there to ensure it's considered in relation to the proposed plan
for Chrome.

If you wish to only address this relative to the Mozilla community, please
feel free to do so here, and I in no means want to tell you where or how to
do so. I can only state that communication to blink-...@chromium.org is
what will inform Google Chrome's approach to this matter.

All the best,
Ryan


Re: Notice of Intent to Deprecate and Remove: Trust in Symantec-issued Certificates

2017-03-23 Thread Jakob Bohm via dev-security-policy

On 23/03/2017 17:09, Ryan Sleevi wrote:

> (Posting in a Google Capacity)
>
> I just wanted to notify the members of this Forum that we have started an
> Intent to Deprecate and Remove, consistent with our Blink process, related to
> certain certificates issued by Symantec Corporation.
>
> This is a proposed plan, not a final commitment, and we welcome all feedback
> from members of this Forum to understand the risks and challenges. To
> understand the goals of this process, you can find more details at
> https://www.chromium.org/blink
>
> You can participate in this discussion at
> https://groups.google.com/a/chromium.org/forum/#!topic/blink-dev/eUAKwjihhBs



According to the linked document, Google is intending to distrust *all*
Symantec issued certificates with a validity longer than 9 months,
which is less than the 12 month validity normally being the minimum
that site operators can purchase from CAs such as Symantec.

It is also worth noting that this is apparently scheduled to occur less
than 12 months from now (The document refers to Chrome/Blink version
numbers with no associated dates, but contains a mention that one of
the relevant releases would happen over the "winter holiday",
presumably Christmas 2017).

Since I know of no commercial (as opposed to free) CAs that routinely
sell certificates with a duration of less than 12 months, this seems
highly draconian and designed to drive Symantec out of the CA business.

It also seems to ignore every mitigating factor discussed in this
group, including those posted by Symantec themselves.

For example the cited number of "30,000" affected certificates seems to
come from the number of certificates that Symantec is actively double
checking to ensure they were *not* misissued in a way similar to the
original 127.

It would seem that the only way to remain interoperable with both
Chrome and the legacy devices and systems that trust only Symantec
owned roots, would be if Chrome's TLS implementation somehow identified
itself to servers as being a Chrome-based implementation before servers
present their certificate.

The computing world at large would be significantly inconvenienced if
Symantec was forced to close down its CA business, in particular the
parts of that business catering to other markets than general WebPki
certificates.



Enjoy

Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S.  https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded


Re: Notice of Intent to Deprecate and Remove: Trust in Symantec-issued Certificates

2017-03-23 Thread Ryan Sleevi via dev-security-policy
On Thu, Mar 23, 2017 at 12:54 PM, tarah.symantec--- via dev-security-policy wrote:

> What will be the process for critical infrastructure such as medical
> devices and payment systems when they're affected by this?


To avoid fragmentation of discussion, would it be possible to reply to the
blink-dev@ list?

I totally realize the overhead for participants on either side - Mozilla
dev.security.policy members having to post to a different list vs blink-dev
members potentially needing to post to this list. We've opted for blink-dev@
in this case, and welcome feedback on how to improve this process in the
future.

Given the interest and role this community has played in these issues, we
wanted to inform and solicit feedback, but we're not quite to the point
where the primary discussion would happen on this list.

Thanks for understanding


Re: Notice of Intent to Deprecate and Remove: Trust in Symantec-issued Certificates

2017-03-23 Thread tarah.symantec--- via dev-security-policy
On Thursday, March 23, 2017 at 12:09:23 PM UTC-4, Ryan Sleevi wrote:
> (Posting in a Google Capacity)
> 
> I just wanted to notify the members of this Forum that we have started an 
> Intent to Deprecate and Remove, consistent with our Blink process, related to 
> certain certificates issued by Symantec Corporation.
> 
> This is a proposed plan, not a final commitment, and we welcome all feedback 
> from members of this Forum to understand the risks and challenges. To 
> understand the goals of this process, you can find more details at 
> https://www.chromium.org/blink
> 
> You can participate in this discussion at 
> https://groups.google.com/a/chromium.org/forum/#!topic/blink-dev/eUAKwjihhBs

What will be the process for critical infrastructure such as medical devices 
and payment systems when they're affected by this? 


Notice of Intent to Deprecate and Remove: Trust in Symantec-issued Certificates

2017-03-23 Thread Ryan Sleevi via dev-security-policy
(Posting in a Google Capacity)

I just wanted to notify the members of this Forum that we have started an 
Intent to Deprecate and Remove, consistent with our Blink process, related to 
certain certificates issued by Symantec Corporation.

This is a proposed plan, not a final commitment, and we welcome all feedback 
from members of this Forum to understand the risks and challenges. To 
understand the goals of this process, you can find more details at 
https://www.chromium.org/blink

You can participate in this discussion at 
https://groups.google.com/a/chromium.org/forum/#!topic/blink-dev/eUAKwjihhBs