Thank you for responding relatively promptly (at least as compared to previous
Symantec responses) to Devon's questions.
However, these responses seem to imply that a side effect of the sale *is* to
skirt the remediation requirements imposed by Google and Mozilla.
In particular, the
With respect to the date of distrust of Symantec certificates issued before
June 1, 2016, I believe Mozilla has a third option:
Remove indicators of trust (green lock, etc.) on December 1, 2017 for Symantec
certificates issued prior to June 1, 2016 (but do not produce interstitials and
On Tuesday, June 6, 2017 at 10:03:29 AM UTC-4, Gervase Markham wrote:
> On 02/06/17 15:53, Gervase Markham wrote:
> > https://www.symantec.com/connect/blogs/symantec-s-response-google-s-subca-proposal
> I'm slightly surprised to see no engagement here.
I think many of us are worn out with the
But Censys lists it as a trusted intermediate chaining to a root (
ebc5570c29018c4d67b1aa127baf12f703b4611ebc17b7dab5573894179b93fa ) in NSS:
With respect to Gerv's question: given the
Symantec, in previous blog posts on their site, has indicated that they will
support their customers.
That said, it is a fair point that the plan should spell out what happens if
Symantec does not cooperate. It seems appropriate to have the plan do what it
says -- scheduled phase out of the
In addition to requesting disclosure of intermediates that have been (even if
not currently are) able to issue server certs, and the catchall, both of which
seem excellent, I encourage Mozilla to consider asking these questions as part
of an implemented remedy plan.
That is, put in motion
It makes perfect sense if the game plan is to force continued delays of
decisions on the part of root programs! Which appears to be exactly what is
happening. After all, wait long enough, and it can be claimed that all possibly
bad things would be expired, so don't distrust us, m'ok.
> > email@example.com] On Behalf Of
> > wizard--- via dev-security-policy
> > Sent: Tuesday, May 02, 2017 7:10 AM
> > To: mozilla-dev-security-pol...@lists.mozilla.org
> > Subject: [EXT] Re: Symantec: Draft Proposal
This seems like a very reasonable stance for Mozilla to take: strongly
encourage a new Symantec PKI so they start with a clean slate, otherwise staged
distrust of all existing certificates with the requirement that Symantec
produce a full document/diagram of how the components of their PKI are
I don't know about others, but I am quite disappointed by Symantec's proposed
remediation plan. Intentional or not, this response seems to indicate they
don't really understand the potential consequences of many of their past
actions. Essentially, they promise to:
1) Have a third party audit