RE: [EXT] Re: Symantec Conclusions and Next Steps

2017-05-15 Thread Steve Medin via dev-security-policy
t; Cc: mozilla-dev-security-policy pol...@lists.mozilla.org>; Gervase Markham <g...@mozilla.org> > Subject: [EXT] Re: Symantec Conclusions and Next Steps > > Continuing to look through the audits, I happened to notice a few other > things that stood out, some more pressi

Re: Symantec Conclusions and Next Steps

2017-05-01 Thread Alex Gaynor via dev-security-policy
(I work for Mozilla, but this email doesn't necessarily reflect the views of Mozilla). Hi Steve, I appreciate Symantec taking the time to put this together. There's a lot to unpack here, so I wanted to zoom in on one portion of it. When discussing the feedback you received from enterprise

Re: Symantec Conclusions and Next Steps

2017-04-28 Thread Percy via dev-security-policy
On Friday, April 28, 2017 at 1:19:01 AM UTC-7, Richard Wang wrote: > Hi Ryan, > > > > For your question “Do you believe that, during the discussions about how to > respond to WoSign's issues, the scope of impact was underestimated?”, the > answer is YES. > > > > After Oct 21 2016, WoSign

Re: Symantec Conclusions and Next Steps

2017-04-28 Thread Eric Mill via dev-security-policy
On Fri, Apr 28, 2017 at 4:16 AM, Richard Wang via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > This Google decision’s problem is some big websites used a domain that was not > listed in Alexa 1M and suffered disruption, for example, Qihoo 360’s search > site and online gaming

Re: Symantec Conclusions and Next Steps

2017-04-28 Thread urijah--- via dev-security-policy
benefit and negotiate an acceptable solution for > any problem that happened. > > Thanks. > > > > Best Regards, > > > > Richard > > > > From: Ryan Sleevi [mailto:r...@sleevi.com] > Sent: Thursday, April 27, 2017 8:38 PM > To: Rich

Re: Symantec Conclusions and Next Steps

2017-04-28 Thread Gervase Markham via dev-security-policy
If the Nets Norway intermediate is technically constrained only to domains that Nets Norway own or control, I have no problem with leaving it active. Gerv

RE: Symantec Conclusions and Next Steps

2017-04-28 Thread Richard Wang via dev-security-policy
From: Ryan Sleevi [mailto:r...@sleevi.com] Sent: Thursday, April 27, 2017 8:38 PM To: Richard Wang <rich...@wosign.com> Cc: Steve Medin <steve_me...@symantec.com>; mozilla-dev-security-pol...@lists.mozilla.org Subject: Re: Symantec Conclusions and Next Steps Hi Richard, On

RE: Symantec Conclusions and Next Steps

2017-04-27 Thread Jeremy Rowley via dev-security-policy
sts.mozilla.org> Subject: Re: Symantec Conclusions and Next Steps On Thu, Apr 27, 2017 at 3:52 PM, Jeremy Rowley via dev-security-policy <dev-security-policy@lists.mozilla.org <mailto:dev-security-policy@lists.mozilla.org> > wrote: Your post made me realize that we never publicly p

Re: Symantec Conclusions and Next Steps

2017-04-27 Thread Alex Gaynor via dev-security-policy
cy > [mailto:dev-security-policy-bounces+jeremy.rowley= > digicert.com@lists.mozilla > .org] On Behalf Of Rob Stradling via dev-security-policy > Sent: Thursday, April 27, 2017 4:38 AM > To: mozilla-dev-security-policy > <mozilla-dev-security-pol...@lists.mozilla.org> >

RE: Symantec Conclusions and Next Steps

2017-04-27 Thread Jeremy Rowley via dev-security-policy
Stradling via dev-security-policy Sent: Thursday, April 27, 2017 4:38 AM To: mozilla-dev-security-policy <mozilla-dev-security-pol...@lists.mozilla.org> Subject: Re: Symantec Conclusions and Next Steps On 26/04/17 21:21, Rob Stradling via dev-security-policy wrote: > (Note: A few of the non

Re: Symantec Conclusions and Next Steps

2017-04-27 Thread Ryan Sleevi via dev-security-policy
Hi Richard, On Thu, Apr 27, 2017 at 6:13 AM, Richard Wang via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > I like to share the experience we suffered from distrust, it is disastrous > for CA and its customers to replace the certificate that exceed your > imagination that

Re: Symantec Conclusions and Next Steps

2017-04-27 Thread wizard--- via dev-security-policy
I don't know about others, but I am quite disappointed by Symantec's proposed remediation plan. Intentional or not, this response seems to indicate they don't really understand the potential consequences of many of their past actions. Essentially, they promise to: 1) Have a third party audit

RE: Symantec Conclusions and Next Steps

2017-04-27 Thread Inigo Barreira via dev-security-policy
Barreira <in...@startcomca.com>; mozilla-dev-security-policy <mozilla-dev-security-pol...@lists.mozilla.org> Subject: Re: Symantec Conclusions and Next Steps On 27/04/17 11:56, Inigo Barreira wrote: > Good to know that our new certs are there :-) Regarding StartCom, > these are t

Re: Symantec Conclusions and Next Steps

2017-04-27 Thread Rob Stradling via dev-security-policy
On 27/04/17 11:56, Inigo Barreira wrote: Good to know that our new certs are there :-) Regarding StartCom, these are the new certs we've generated and will be used to apply for inclusion in the Mozilla root program. Nothing to disclose at the moment I guess. We've not been audited yet nor

RE: Symantec Conclusions and Next Steps

2017-04-27 Thread Inigo Barreira via dev-security-policy
pol...@lists.mozilla.org> Subject: Re: Symantec Conclusions and Next Steps On 26/04/17 21:21, Rob Stradling via dev-security-policy wrote: > (Note: A few of the non-Symantec entries currently listed by > https://crt.sh/mozilla-disclosures#undisclosed are false positives, I > think. It look

Re: Symantec Conclusions and Next Steps

2017-04-27 Thread Rob Stradling via dev-security-policy
On 26/04/17 21:21, Rob Stradling via dev-security-policy wrote: (Note: A few of the non-Symantec entries currently listed by https://crt.sh/mozilla-disclosures#undisclosed are false positives, I think. It looks like Kathleen has marked some roots as "Removed" on CCADB ahead of the

RE: Symantec Conclusions and Next Steps

2017-04-27 Thread Richard Wang via dev-security-policy
...@lists.mozilla.org Subject: RE: Symantec Conclusions and Next Steps Feedback from our Enterprise Customers In addition to our review of public commentary on these issues, we have also sought input and feedback from Symantec customers on the compatibility and interoperability impact

RE: Symantec Conclusions and Next Steps

2017-04-26 Thread Steve Medin via dev-security-policy
> -Original Message- > From: dev-security-policy [mailto:dev-security-policy- > bounces+steve_medin=symantec@lists.mozilla.org] On Behalf Of > Gervase Markham via dev-security-policy > Sent: Friday, April 21, 2017 6:17 AM > To: mozilla-dev-security-pol...@lists.mozilla.org > Subject:

Re: Symantec Conclusions and Next Steps

2017-04-26 Thread Rob Stradling via dev-security-policy
On 25/04/17 23:50, Ryan Sleevi via dev-security-policy wrote: Continuing to look through the audits, I happened to notice a few other things that stood out, some more pressing than others. More pressing: I can find no disclosure with Salesforce or crt.sh of at least two CAs that are listed 'in

Re: Symantec Conclusions and Next Steps

2017-04-25 Thread Ryan Sleevi via dev-security-policy
Continuing to look through the audits, I happened to notice a few other things that stood out, some more pressing than others. More pressing: I can find no disclosure with Salesforce or crt.sh of at least two CAs that are listed 'in scope' of the audit report, as part of

Re: Symantec Conclusions and Next Steps

2017-04-24 Thread Ryan Sleevi via dev-security-policy
On Tue, Apr 25, 2017 at 12:14 AM, Ryan Sleevi wrote: > Gerv, > > Is there any update on https://wiki.mozilla.org/ > CA:Symantec_Issues#STRUCK:_Issue_Y:_Unaudited_ > Unconstrained_Intermediates_.28December_2015_-_April_2017.29 ? > > I'm just wanting to understand how this relates

Re: Symantec Conclusions and Next Steps

2017-04-24 Thread Ryan Sleevi via dev-security-policy
Gerv, Is there any update on https://wiki.mozilla.org/CA:Symantec_Issues#STRUCK:_Issue_Y:_Unaudited_Unconstrained_Intermediates_.28December_2015_-_April_2017.29 ? I'm just wanting to understand how this relates to Mozilla's PKI policy and expectations, and better understand why you struck it. -

Re: Symantec Conclusions and Next Steps

2017-04-24 Thread Kurt Roeckx via dev-security-policy
On 2017-04-24 11:18, Gervase Markham wrote: On 21/04/17 11:38, Kurt Roeckx wrote: I'm still concerned that they don't seem to have an idea of what software they're all (still) running, and they didn't reply to any question about it. I'm sorry, I don't follow. Can you expand? I confused some

Re: Symantec Conclusions and Next Steps

2017-04-24 Thread Gervase Markham via dev-security-policy
On 21/04/17 11:38, Kurt Roeckx wrote: > I'm still concerned that they don't seem to have an idea of what > software they're all (still) running, and they didn't reply to any > question about it. I'm sorry, I don't follow. Can you expand? Gerv

Re: Symantec Conclusions and Next Steps

2017-04-21 Thread Ryan Sleevi via dev-security-policy
On Fri, Apr 21, 2017 at 6:16 AM, Gervase Markham via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > I've updated the Issues list: > https://wiki.mozilla.org/CA:Symantec_Issues > with the latest information. 3 issues have been marked as STRUCK due to > lack of evidence of

Re: Symantec Conclusions and Next Steps

2017-04-21 Thread Kurt Roeckx via dev-security-policy
On Fri, Apr 21, 2017 at 11:16:56AM +0100, Gervase Markham via dev-security-policy wrote: > Minor: > Issue B: Issuance of 1024-bit Certificate Expiring After Deadline I'm still concerned that they don't seem to have an idea of what software they're all (still) running, and they didn't reply to