Here's my roundup of things I think we should require of Symantec.
* Mozilla would wish, after 2017-08-08, to alter Firefox such that it
trusts certificates issued in the "new PKI" directly by embedding a set
of certs or trust anchors which are part of that PKI, and can therefore
distrust any new
On 24/05/17 16:33, Peter Bowen wrote:
> Can you clarify the meaning of "new PKI"? I can see two reasonable
> interpretations:
> 2) The new PKI includes both new offline CAs that meet the
> requirements to be Root CAs and new subordinate CAs that issue
> end-entity certificates. the The new ro
On Mon, May 22, 2017 at 9:33 AM, Gervase Markham via
dev-security-policy wrote:
> On 19/05/17 21:04, Kathleen Wilson wrote:
>> - What validity periods should be allowed for SSL certs being issued
>> in the old PKI (until the new PKI is ready)?
>
> Symantec is required only to be issuing in the new
On Mon, May 22, 2017 at 12:33 PM, Gervase Markham via dev-security-policy <
dev-security-policy@lists.mozilla.org> wrote:
> On 19/05/17 21:04, Kathleen Wilson wrote:
> > - I'm not sold on the idea of requiring Symantec to use third-party
> > CAs to perform validation/issuance on Symantec's behalf.
On Sat, May 20, 2017 at 11:12 AM, Michael Casadevall via
dev-security-policy wrote:
> On 05/19/2017 05:43 PM, Kurt Roeckx wrote:
> >>From the mail about Chrome's plan, I understand that Chrome's plan
> > is to only allow certificates from the old PKI if they qualify for
> > their CT requirements.
On Monday, May 22, 2017 at 4:46:16 PM UTC, Gervase Markham wrote:
> On 21/05/17 19:37, userwithuid wrote:
> > With the new proposal, the "minimal disruption" solution for Firefox
> > will require keeping the legacy stuff around for another 3.5-4 years
> > and better solutions will now be a lot hard
On 22/05/2017 18:33, Gervase Markham wrote:
On 19/05/17 21:04, Kathleen Wilson wrote:
- What validity periods should be allowed for SSL certs being issued
in the old PKI (until the new PKI is ready)?
Symantec is required only to be issuing in the new PKI by 2017-08-08 -
in around ten weeks tim
Comments inline
On 20/05/2017 16:49, Michael Casadevall wrote:
Comments inline.
On 05/19/2017 05:10 PM, Jakob Bohm wrote:
Suggested trivial changes relative to the proposal for Mozilla use:
3. All non-expired Symantec issued certificates of any kind (including
SubCAs and revoked certificates)
On Mon, May 22, 2017 at 05:33:26PM +0100, Gervase Markham via
dev-security-policy wrote:
> Google are doing a phased distrust of old certs, but they have not set a
> date in their plan for total distrust of the old PKI. We should ask them
> what their plans are for that.
My understanding is that
On 21/05/17 19:37, userwithuid wrote:
> With the new proposal, the "minimal disruption" solution for Firefox
> will require keeping the legacy stuff around for another 3.5-4 years
> and better solutions will now be a lot harder to sell without the
> leverage provided by Google.
Why so? In eight mo
On 19/05/17 22:16, Rob Stradling wrote:> Are you saying that Symantec
would be a Delegated Third Party that can
> perform all of the validation and can trigger certificate issuance, but
> that it would actually be a third-party CA that handles the new Symantec
> PKI and issues certs (when triggered
On 19/05/17 22:10, Jakob Bohm wrote:
> Necessity: Whitelists in various forms based on such CT log entries,
> as well as the SCTs in OCSP responses can provide an alternative for
> relying parties checking current certificates even if the cleanup at
> Symantec reveals a catastrophic breach during
On 19/05/17 21:04, Kathleen Wilson wrote:
> - What validity periods should be allowed for SSL certs being issued
> in the old PKI (until the new PKI is ready)?
Symantec is required only to be issuing in the new PKI by 2017-08-08 -
in around ten weeks time. In the mean time, there is no restrictio
On Sunday, May 21, 2017 at 11:31:54 PM UTC, Michael Casadevall wrote:
> There's also a fair number of points dealing with who can sign and for
> what while Symantec spins up the new roots (which the Google proposal
> says a trusted third party CA signed by Symantec").
>
> I'm against this point sp
On 05/21/2017 02:37 PM, userwithuid wrote:
> To me, the most noticable difference between how Google and Mozilla can take
> action is with regards to exisiting certs. As proposed, Google has a really
> neat timeline to get rid of Symantec's questionable legacy stuff quickly and
> effectively. (L
To me, the most noticable difference between how Google and Mozilla can take
action is with regards to exisiting certs. As proposed, Google has a really
neat timeline to get rid of Symantec's questionable legacy stuff quickly and
effectively. (Legacy stuff which we - and arguably Symantec themse
On Saturday, 20 May 2017 15:49:44 UTC+1, Michael Casadevall wrote:
> Sanity check here, but I thought that OCSP-CT-Stapling required SCTs to
> be created at the time of issuance. Not sure if there's a way to
> backdate this requirement. If this is only intended for the new roots
> then just a poin
On 05/19/2017 05:43 PM, Kurt Roeckx wrote:
> So I think we have a few categories of certificates:
> - Those issued in the past, which can still be valid for up to 3
> years. I'm not sure when the last 5 year certificates are
> supposed to expire, or if they all expired, but I don't think
> th
Comments inline.
On 05/19/2017 05:10 PM, Jakob Bohm wrote:
> Suggested trivial changes relative to the proposal for Mozilla use:
>
> 3. All non-expired Symantec issued certificates of any kind (including
> SubCAs and revoked certificates) shall be CT logged as modified by #4
> below. All Symante
On Fri, May 19, 2017 at 01:04:45PM -0700, Kathleen Wilson via
dev-security-policy wrote:
>
> Gerv, thank you for all the effort you have been putting into this
> investigation into Symantec's mis-issuances, and in identifying the best way
> to move forward with the primary goal being to help ke
On 19/05/17 21:04, Kathleen Wilson via dev-security-policy wrote:
Hi Kathleen. I'm not quite sure how to interpret this part...
- I'm not sold on the idea of requiring Symantec to use third-party CAs to
perform validation/issuance on Symantec's behalf. The most serious concerns
that I have
On 19/05/2017 17:41, Gervase Markham wrote:
Hi m.d.s.p.,
Google have posted their updated plan for Symantec in the blink-dev
forum (copied below).
https://groups.google.com/a/chromium.org/d/msg/blink-dev/eUAKwjihhBs/ovLalSBRBQAJ
Insofar as it pertains to Google's actions, you should go over and
On 19/05/2017 22:04, Kathleen Wilson wrote:
On Friday, May 19, 2017 at 8:42:40 AM UTC-7, Gervase Markham wrote:
I have passed that document to Kathleen, and I hope she will be
endorsing this general direction soon, at which point it will no longer
be a draft.
Assuming she does, this will effec
On Friday, May 19, 2017 at 8:42:40 AM UTC-7, Gervase Markham wrote:
>
> I have passed that document to Kathleen, and I hope she will be
> endorsing this general direction soon, at which point it will no longer
> be a draft.
>
> Assuming she does, this will effectively turn into a 3-way conversati
illa.org
> Subject: [EXT] Google Plan for Symantec posted
>
> Hi m.d.s.p.,
>
> Google have posted their updated plan for Symantec in the blink-dev forum
> (copied below).
Posting on behalf of Symantec.
Google’s latest proposal follows collaborative and constructive community
discu
Hi m.d.s.p.,
Google have posted their updated plan for Symantec in the blink-dev
forum (copied below).
https://groups.google.com/a/chromium.org/d/msg/blink-dev/eUAKwjihhBs/ovLalSBRBQAJ
Insofar as it pertains to Google's actions, you should go over and
discuss it there. But of course, this plan ha
26 matches
Mail list logo
