As an incidental, I am negatively influenced by reading Symantecs response:
On Friday, 2 June 2017 16:48:45 UTC+1, Steve Medin wrote:
> > Our primary objective has always been to minimize any potential business
> > disruption for our customers
So, Symantec's primary objective is not PK Security, PKI Trust, or Best
Practise, or even Baseline Requirements?
> > Our CA business is led and staffed by experienced individuals around the
> > world
> > who serve our customers while ensuring our issuance practices comply with
> > industry and browser requirements.
This is fundametally inaccurate, if this was true then the issues that Mozilla
and others have discovered wouldn't have been there to find.
> > As the largest issuer of EV and OV certificates in the industry according
> > to
> > Netcraft, Symantec handles significantly larger volumes of validation
> > workloads across more geographies than most other CA’s. To our knowledge,
> > no
> > other single CA operates at the scale nor offers the broad set of
> > capabilities
> > that Symantec offers today.
So what if Symantec is the largest? If I am the busiest barman in the West and
serving thousands of drinks an hour, if these drinks are in fact diluted down,
the VOLUME of drinks I serve does not make up for the QUALITY of the drinks I
Likewise, Every time Symantec issues an EV or OV certificate, they are paid,
they make money. That's business, but if Symantec then decide not to reinvest
in their infrastructure to support that business, why on earth should the rest
of the PKI infrastructure have to give them some sort of special leniency?
> > Google shared this new proposal for Symantec’s CA with the community on May
> > 15. We have since been reviewing this proposal and weighing its merits
> > against feedback we’ve heard from the broader community, including our CA
> > customers.
If Symantec customers (who DO NOT KNOW the technical or even broader details of
the issues at hand) have an nifluence on the way Symantec acts, it's not going
to be best interest for the wider PKI security because it's doubtful of the
technical knowledge available to these influncers.
This whole blog post unfortuantely comes across as Symantec weasel-wording it's
way out of self improvement or even real acceptance of the bad practise that
has been documented so far.
Disappointing, but un-surprising.
I feel Symantec needs the associated potential business penalty of running the
risk of lost business (which I'm sure they can afford, being the biggest EV and
OV provider in the world) to remind them, and to underline to them the
importance of adhereing to the Baseline requirements and keeping the PKI
dev-security-policy mailing list