Re: Deadline for whitelisting of the Apple/Google subCAs issued by Symantec?
On Thursday, March 1, 2018 at 7:15:52 AM UTC-8, Kai Engert wrote: > Are the owners of the Apple and Google subCAs able to announce a date, > after which they will no longer require their Symantec-issued subCAs to > be whitelisted? Kai, We are actively migrating to the Google Trust Services operated root certificates and while we would love to provide a concrete date the nature of these sorts of deployments makes that hard to provide. What I can say is that our plan is to be migrated off by the time the Equifax root expires August 22nd 2018. Ryan Hurst Google ___ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy
Re: Deadline for whitelisting of the Apple/Google subCAs issued by Symantec?
This is precisely what was discussed as part of the Managed Partner Infrastructure transition, which was anticipated to potentially take several years due to a wide variety of complexities. This model was designed to allow for the replacement of the existing Symantec Roots with the Transition Certificates (which would have stabilized then, but not necessarily right now, as folks only now begin to transition), and a separable discussion regarding whether or not the Apple/Google intermediates will have fully expired (as is possible) or whether they would need to be 'administratively managed' - effectively, treated as roots (in which Mozilla or other root programs oversaw the audit reports), rather than delegating the audit report oversight to Symantec. I can't speak for Google or Apple's transition plans, but the design of the plan, as discussed on the list, was precisely to allow for a minimally disruptive transition, in a solution that would technically work with a wide variety of root programs, including all browsers root programs' technical constraints. This wasn't accidental, it was intentional. On Thu, Mar 1, 2018 at 10:17 AM, Alex Gaynor via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > Is it practical to remove the Symantec root certificates and (temporarily) > add the Google and Apple intermediates to the trust store? This should > facilitate removing trust in Symantec without disruption. > > Alex > > On Thu, Mar 1, 2018 at 10:15 AM, Kai Engert via dev-security-policy < > dev-security-policy@lists.mozilla.org> wrote: > > > In my opinion, Mozilla's and Google's plans to distrust the Thawte, > > RapidSSL, GeoTrust, Verisign, and Symantec branded CAs in the browser, > > should be interpreted as a recommendation to eventually distrust them > > for all server authentication uses. > > > > If a CA gets distrusted for https, then I think it's fair to equally > > consider it as no longer acceptable for other services like IMAPS or > LDAPS. > > > > As Ryan said in another thread, migration of non-https services might > > take a longer time to migrate. However, based on Jeremy's statement in > > https://bugzilla.mozilla.org/show_bug.cgi?id=1437826#c3 > > I'd assume that the customer certificate migration efforts driven by > > DigiCert should also cover migration of non-https services within a > > reasonable amount of time, where general purpose client software is used > > to connect to non-https services. > > > > (I'm excluding special purpose hardware with embedded restrictions, and > > also excluding manually configured server to server configurations.) > > > > I conclude that for general purpose client software, that doesn't > > implement key pinning and doesn't have restrictions on chain length, but > > which wants to retain the ability to connect to services offered by > > Apple or Google, the whitelisting for Apple/Google subCAs is the only > > hindrance for eventual full distrust of the Symantec Root CAs. > > > > Are the owners of the Apple and Google subCAs able to announce a date, > > after which they will no longer require their Symantec-issued subCAs to > > be whitelisted? > > > > Thanks > > Kai > > ___ > > dev-security-policy mailing list > > dev-security-policy@lists.mozilla.org > > https://lists.mozilla.org/listinfo/dev-security-policy > > > ___ > dev-security-policy mailing list > dev-security-policy@lists.mozilla.org > https://lists.mozilla.org/listinfo/dev-security-policy > ___ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy
Re: Deadline for whitelisting of the Apple/Google subCAs issued by Symantec?
On Thu, Mar 1, 2018 at 8:17 AM, Alex Gaynor via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > Is it practical to remove the Symantec root certificates and (temporarily) > add the Google and Apple intermediates to the trust store? This should > facilitate removing trust in Symantec without disruption. > > Before we can completely remove the Symantec roots, we need to address email protection (S/MIME) certs. An interim step would be to turn off the websites trust bit. The decision to whitelist specific keys rather than add the intermediates to the trust store was intentional - it allows DigiCert to sign additional whitelisted intermediates during the transition period. > Alex > > On Thu, Mar 1, 2018 at 10:15 AM, Kai Engert via dev-security-policy < > dev-security-policy@lists.mozilla.org> wrote: > > > > Are the owners of the Apple and Google subCAs able to announce a date, > > after which they will no longer require their Symantec-issued subCAs to > > be whitelisted? > > > I would also like an answer to this question. Since DigiCert also holds whitelisted keys, I think we need to hear from them as well. > Thanks > > Kai > > - Wayne ___ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy
Re: Deadline for whitelisting of the Apple/Google subCAs issued by Symantec?
Is it practical to remove the Symantec root certificates and (temporarily) add the Google and Apple intermediates to the trust store? This should facilitate removing trust in Symantec without disruption. Alex On Thu, Mar 1, 2018 at 10:15 AM, Kai Engert via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > In my opinion, Mozilla's and Google's plans to distrust the Thawte, > RapidSSL, GeoTrust, Verisign, and Symantec branded CAs in the browser, > should be interpreted as a recommendation to eventually distrust them > for all server authentication uses. > > If a CA gets distrusted for https, then I think it's fair to equally > consider it as no longer acceptable for other services like IMAPS or LDAPS. > > As Ryan said in another thread, migration of non-https services might > take a longer time to migrate. However, based on Jeremy's statement in > https://bugzilla.mozilla.org/show_bug.cgi?id=1437826#c3 > I'd assume that the customer certificate migration efforts driven by > DigiCert should also cover migration of non-https services within a > reasonable amount of time, where general purpose client software is used > to connect to non-https services. > > (I'm excluding special purpose hardware with embedded restrictions, and > also excluding manually configured server to server configurations.) > > I conclude that for general purpose client software, that doesn't > implement key pinning and doesn't have restrictions on chain length, but > which wants to retain the ability to connect to services offered by > Apple or Google, the whitelisting for Apple/Google subCAs is the only > hindrance for eventual full distrust of the Symantec Root CAs. > > Are the owners of the Apple and Google subCAs able to announce a date, > after which they will no longer require their Symantec-issued subCAs to > be whitelisted? > > Thanks > Kai > ___ > dev-security-policy mailing list > dev-security-policy@lists.mozilla.org > https://lists.mozilla.org/listinfo/dev-security-policy > ___ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy
Deadline for whitelisting of the Apple/Google subCAs issued by Symantec?
In my opinion, Mozilla's and Google's plans to distrust the Thawte, RapidSSL, GeoTrust, Verisign, and Symantec branded CAs in the browser, should be interpreted as a recommendation to eventually distrust them for all server authentication uses. If a CA gets distrusted for https, then I think it's fair to equally consider it as no longer acceptable for other services like IMAPS or LDAPS. As Ryan said in another thread, migration of non-https services might take a longer time to migrate. However, based on Jeremy's statement in https://bugzilla.mozilla.org/show_bug.cgi?id=1437826#c3 I'd assume that the customer certificate migration efforts driven by DigiCert should also cover migration of non-https services within a reasonable amount of time, where general purpose client software is used to connect to non-https services. (I'm excluding special purpose hardware with embedded restrictions, and also excluding manually configured server to server configurations.) I conclude that for general purpose client software, that doesn't implement key pinning and doesn't have restrictions on chain length, but which wants to retain the ability to connect to services offered by Apple or Google, the whitelisting for Apple/Google subCAs is the only hindrance for eventual full distrust of the Symantec Root CAs. Are the owners of the Apple and Google subCAs able to announce a date, after which they will no longer require their Symantec-issued subCAs to be whitelisted? Thanks Kai ___ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy