Re: [EXT] Symantec response to Google proposal

2017-06-05 Thread Martin Heaps via dev-security-policy
As an incidental, I am negatively influenced by reading Symantecs response:

On Friday, 2 June 2017 16:48:45 UTC+1, Steve Medin  wrote:

>  s-subca-proposal
> > Our primary objective has always been to minimize any potential business
> > disruption for our customers

So, Symantec's primary objective is not PK Security, PKI Trust, or Best 
Practise, or even Baseline Requirements?

> > Our CA business is led and staffed by experienced individuals around the 
> > world 
> > who serve our customers while ensuring our issuance practices comply with 
> > industry and browser requirements.  

This is fundametally inaccurate, if this was true then the issues that Mozilla 
and others have discovered wouldn't have been there to find.

> > As the largest issuer of EV and OV certificates in the industry according 
> > to 
> > Netcraft, Symantec handles significantly larger volumes of validation 
> > workloads across more geographies than most other CA’s. To our knowledge, 
> > no 
> > other single CA operates at the scale nor offers the broad set of 
> > capabilities 
> > that Symantec offers today.

So what if Symantec is the largest? If I am the busiest barman in the West and 
serving thousands of drinks an hour, if these drinks are in fact diluted down, 
the VOLUME of drinks I serve does not make up for the QUALITY of the drinks I 

Likewise, Every time Symantec issues an EV or OV certificate, they are paid, 
they make money. That's business, but if Symantec then decide not to reinvest 
in their infrastructure to support that business, why on earth should the rest 
of the PKI infrastructure have to give them some sort of special leniency?
> > Google shared this new proposal for Symantec’s CA with the community on May
> > 15. We have since been reviewing this proposal and weighing its merits 
> > against feedback we’ve heard from the broader community, including our CA 
> > customers.

If Symantec customers (who DO NOT KNOW the technical or even broader details of 
the issues at hand) have an nifluence on the way Symantec acts, it's not going 
to be best interest for the wider PKI security because it's doubtful of the 
technical knowledge available to these influncers. 

This whole blog post unfortuantely comes across as Symantec weasel-wording it's 
way out of self improvement or even real acceptance of the bad practise that 
has been documented so far.

Disappointing, but un-surprising. 

I feel Symantec needs the associated potential business penalty of running the 
risk of lost business (which I'm sure they can afford, being the biggest EV and 
OV provider in the world) to remind them, and to underline to them the 
importance of adhereing to the Baseline requirements and keeping the PKI 

dev-security-policy mailing list

RE: [EXT] Symantec response to Google proposal

2017-06-02 Thread Steve Medin via dev-security-policy
> -Original Message-
> From: dev-security-policy [mailto:dev-security-policy-
>] On Behalf Of
> Gervase Markham via dev-security-policy
> Sent: Friday, June 02, 2017 10:54 AM
> To:
> Subject: [EXT] Symantec response to Google proposal
> s-subca-proposal
> Symantec have responded to the Google proposal (which Mozilla has
> endorsed as the basis for further discussion) with a set of inline
> which raise some objections to what is proposed.
> Google will, no doubt, be evaluating these requests for change and
> to accept, or not, each of them. But Mozilla can make our own independent
> decisions on these points if we choose. If Google and Mozilla accept a
> change, it is accepted. If Google accepts it but we decline to accept, we
> add it to our list of additional requirements for Symantec instead.
> Therefore, I would appreciate the community's careful consideration of the
> reasonableness of Symantec's requests for change to the proposal.
> Gerv

Thank you for posting this, Gerv.  We intended to post the following here.

Posting on behalf of Symantec.
Today, after thoroughly reviewing Google's proposal and weighing its merits
against feedback we've heard from the broader community, including our CA
customers, we shared our response with Google and the community, and also
posted our full response on our blog at

We anticipate that Google and the community will need some time to review
our feedback and share their reactions, and we welcome their continued input
as we work to reach an agreed-upon plan that can be implemented in a
reasonable timeframe and ensures minimal disruption for our customers. We
thank our customers and the community for their valuable contributions to
this important discussion, and we will continue working toward what we
believe is the best path forward for all stakeholders.

Description: S/MIME cryptographic signature
dev-security-policy mailing list