On 28/07/17 07:14, Gervase Markham wrote:
> I would like to make a decision on this matter on or before July 31st,
After listening to the opinions here on m.d.s.p., and consultation
within Mozilla and with our engineering teams, on the matter of when to
distrust various bits of the existing Symant
On 31/07/17 15:17, Jakob Bohm wrote:
> I am referring to the fact that EV-trust is currently assigned to roots,
> not to SubCAs, at least as far as visible root store descriptions go.
You said the problem was Mozilla-specific; do other root stores not do
it this way?
Gerv
WRT the deadlines: If the decision is to sync up, I think it's worth noting
that Firefox probably needs to release 2-3 weeks after a Chrome "release date"
to achieve this in practice.
Why? Firefox updates take ~10 days from release date to reach previous version
numbers. Chrome _can_ do it in
Given that we're past the 7/31 deadline and the comments in support of
following Chrome's lead, it sounds likely that that's what's happening. And
I think that's an understandable conclusion for Mozilla to draw, given the
compatibility risk Mozilla would be leading on for at least several months.
On Mon, Jul 31, 2017 at 7:17 AM, Jakob Bohm via dev-security-policy
wrote:
> On 31/07/2017 16:06, Gervase Markham wrote:
>>
>> On 31/07/17 15:00, Jakob Bohm wrote:
>>>
>>> - Due to current Mozilla implementation bugs,
>>
>>
>> Reference, please?
>>
>
> I am referring to the fact that EV-trust is c
On 31/07/2017 16:06, Gervase Markham wrote:
> On 31/07/17 15:00, Jakob Bohm wrote:
>> It was previously stated in this newsgroup that non-SSLServer trust
>> would not be terminated, at least for now.
> It was? Reference, please?
That was my general impression, I don't have a good way to search the
li
On 31/07/17 15:00, Jakob Bohm wrote:
> It was previously stated in this newsgroup that non-SSLServer trust
> would not be terminated, at least for now.
It was? Reference, please?
> - Due to current Mozilla implementation bugs,
Reference, please?
Gerv
On 29/07/17 23:45, Peter Bowen wrote:
> First, when the server authentication trust bits will be removed from
> the existing roots. This is of notable importance for non-Firefox
> users of NSS. Based on the Chrome email, it looks like they will
> remove trust bits in their git repo around August
On 30/07/2017 00:45, Peter Bowen wrote:
> On Thu, Jul 27, 2017 at 11:14 PM, Gervase Markham via
> dev-security-policy wrote:
>> Google have made a final decision on the various dates they plan to
>> implement as part of the consensus plan in the Symantec matter. The
>> message from blink-dev is included bel
On 29/07/17 09:29, Nick Lamb wrote:
> So I will expend my effort instead on pressing for Mozilla to handle
> final distrust of the old Symantec CA roots in its usual fashion and
> explicitly _not_ do as Symantec asked in leaving it enabled in the
> NSS trust set we know is relied upon (whether wise
On 28/07/2017 18:36, David E. Ross wrote:
> On 7/28/2017 6:34 AM, Alex Gaynor wrote:
>> Frankly I was surprised to see Chromium reverse course on this -- they have
>> a history of aggressive leadership in their handling of CA failures, it's a
>> little disappointing to see them abandon that.
>> I'd strongly
On Thu, Jul 27, 2017 at 11:14 PM, Gervase Markham via
dev-security-policy wrote:
> Google have made a final decision on the various dates they plan to
> implement as part of the consensus plan in the Symantec matter. The
> message from blink-dev is included below.
>
[...]
>
> We now have two choic
Other contributors have, I think, summed up the pros and cons of the two ways
forward on the specific date very effectively.
So I will expend my effort instead on pressing for Mozilla to handle final
distrust of the old Symantec CA roots in its usual fashion and explicitly _not_
do as Symantec
I share the desire to move faster than these dates, but upon
consideration, I don't think it's much of a boon to web security for
Mozilla to be substantially ahead of Chrome in implementing these trust
changes.
Since Chrome's decision to implement in April is final, their large user
population is
> On Jul 28, 2017, at 09:34, Alex Gaynor via dev-security-policy
> wrote:
>
> Frankly I was surprised to see Chromium reverse course on this -- they have
> a history of aggressive leadership in their handling of CA failures, it's a
> little disappointing to see them abandon that.
>
> I'd stron
On Friday, 28 July 2017 08:15:43 UTC+2, Gervase Markham wrote:
> Google have made a final decision on the various dates they plan to
> implement as part of the consensus plan in the Symantec matter. The
> message from blink-dev is included below.
>
> Most of the dates have consensus - the dates f
On 7/28/2017 6:34 AM, Alex Gaynor wrote:
> Frankly I was surprised to see Chromium reverse course on this -- they have
> a history of aggressive leadership in their handling of CA failures, it's a
> little disappointing to see them abandon that.
>
> I'd strongly advocate for us pursuing an earlier
Hi Gerv,
Thank you for reaching out to the mdsp community.
There are valid security reasons to consider a dis-trust date earlier than
April 2018 for the corpus of Symantec certs issued prior to June 1st, 2016.
However, I also believe there are security and operational risks in
complicating the n
Frankly I was surprised to see Chromium reverse course on this -- they have
a history of aggressive leadership in their handling of CA failures, it's a
little disappointing to see them abandon that.
I'd strongly advocate for us pursuing an earlier date -- December 1st at
the latest. Reasons:
1) C
As it stands, aligning with Chrome, plus/minus 14 days would be the best
approach.
It is of course regrettable that Symantec managed to delay the decision
process until a time when key Mozilla personnel (most notably Gerv)
were unavailable, thus allowing Chrome to make the decisions while
Mozilla
With respect to the date of distrust of Symantec certificates issued before
June 1, 2016, I believe Mozilla has a third option:
Remove indicators of trust (green lock, etc.) on December 1, 2017 for Symantec
certificates issued prior to June 1, 2016 (but do not produce interstitials and
do not a
Google have made a final decision on the various dates they plan to
implement as part of the consensus plan in the Symantec matter. The
message from blink-dev is included below.
Most of the dates have consensus - the dates for Symantec to implement
the Managed CA infrastructure are agreed by all,