Re: Symantec Update on SubCA Proposal

2017-08-12 Thread wizard--- via dev-security-policy
Steve, Thank you for responding relatively promptly (at least as compared to previous Symantec responses) to Devon's questions. However, these responses seem to imply that a side effect of the sale *is* to skirt the remediation requirements imposed by Google and Mozilla. In particular, the

Re: Final Decision by Google on Symantec

2017-07-28 Thread wizard--- via dev-security-policy
With respect to the date of distrust of symantec certificates issues before June 1, 2016, I believe Mozilla has a third option: Remove indicators of trust (green lock, etc.) on December 1, 2017 for Symantec certificates issued prior to June 1, 2016 (but do not produce interstitials and do not

Re: Symantec response to Google proposal

2017-06-08 Thread wizard--- via dev-security-policy
On Tuesday, June 6, 2017 at 10:03:29 AM UTC-4, Gervase Markham wrote: > On 02/06/17 15:53, Gervase Markham wrote: > > > > I'm slightly surprised to see no engagement here. I think many of us are worn out with the

Re: New undisclosed intermediates

2017-06-08 Thread wizard--- via dev-security-policy
But Censys lists it as a trusted intermediate chaining to a root ( ebc5570c29018c4d67b1aa127baf12f703b4611ebc17b7dab5573894179b93fa ) in NSS: With respect to Gerv's question: given the

Re: Symantec: Update

2017-05-11 Thread wizard--- via dev-security-policy
Symantec, in previous blog posts on their site, has indicated that they will support their customers [1]. That said, it is fair point that the plan should spell out what happens if symantec does not cooperate. It seems appropriate to have the plan do what it says -- scheduled phase out of the

Re: Draft further questions for Symantec

2017-05-08 Thread wizard--- via dev-security-policy
In addition to requesting disclosure of intermediates that have been (even if not currently are) able to issue server certs, and the catchall, both of which seem excellent, I encourage Mozilla to consider asking these questions as part of an implemented remedy plan. That is, put in motion

Re: Symantec: Draft Proposal

2017-05-08 Thread wizard--- via dev-security-policy
It makes perfect sense if the game plan is to force continued delays of decisions on the part of root programs! Which appears to be exactly what is happening. After all, wait long enough, and it can be claimed that all possibly bad things would be expired, so don't distrust us, m'ok. I think

Re: [EXT] Re: Symantec: Draft Proposal

2017-05-05 Thread wizard--- via dev-security-policy
> >] On Behalf Of > > wizard--- via dev-security-policy > > Sent: Tuesday, May 02, 2017 7:10 AM > > To: > > Subject: [EXT] Re: Symantec: Draft Proposal > > > > > >

Re: Symantec: Draft Proposal

2017-05-02 Thread wizard--- via dev-security-policy
This seems like a very reasonable stance for Mozilla to take: strongly encourage a new Symantec PKI so they start with a clean slate, otherwise staged distrust of all existing certificates with the requirement that Symantec produce a full document/diagram of how the components of their PKI are

Re: Symantec Conclusions and Next Steps

2017-04-27 Thread wizard--- via dev-security-policy
I don't know about others, but I am quite disappointed by Symantec's proposed remediation plan. Intentional or not, these response seems to indicate they don't really understand the potential consequences of many of their past actions. Essentially, they promise to: 1) Have a third party audit