Re: Final Decision by Google on Symantec

2017-08-01 Thread Gervase Markham via dev-security-policy
On 28/07/17 07:14, Gervase Markham wrote: > I would like to make a decision on this matter on or before July 31st, After listening to the opinions here on m.d.s.p., and consultation within Mozilla and with our engineering teams, on the matter of when to distrust various bits of the existing

Re: Final Decision by Google on Symantec

2017-08-01 Thread Gervase Markham via dev-security-policy
On 31/07/17 15:17, Jakob Bohm wrote: > I am referring to the fact that EV-trust is currently assigned to roots, > not to SubCAs, at least as far as visible root store descriptions go. You said the problem was Mozilla-specific; do other root stores not do it this way? Gerv

Re: Final Decision by Google on Symantec

2017-08-01 Thread userwithuid via dev-security-policy
WRT the deadlines: If the decision is to sync up, I think it's worth noting that Firefox probably needs to release 2-3 weeks after a Chrome "release date" to achieve this in practice. Why? Firefox updates take ~10 days from release date to reach previous version numbers. Chrome _can_ do it

Re: Final Decision by Google on Symantec

2017-07-31 Thread Eric Mill via dev-security-policy
Given that we're past the 7/31 deadline and the comments in support of following Chrome's lead, it sounds likely that that's what's happening. And I think that's an understandable conclusion for Mozilla to draw, given the compatibility risk Mozilla would be leading on for at least several months.

Re: Final Decision by Google on Symantec

2017-07-31 Thread Peter Bowen via dev-security-policy
On Mon, Jul 31, 2017 at 7:17 AM, Jakob Bohm via dev-security-policy wrote: > On 31/07/2017 16:06, Gervase Markham wrote: >> >> On 31/07/17 15:00, Jakob Bohm wrote: >>> >>> - Due to current Mozilla implementation bugs, >> >> >> Reference, please? >> > > I am

Re: Final Decision by Google on Symantec

2017-07-31 Thread Jakob Bohm via dev-security-policy
On 31/07/2017 16:06, Gervase Markham wrote: On 31/07/17 15:00, Jakob Bohm wrote: It was previously stated in this newsgroup that non-SSLServer trust would not be terminated, at least for now. It was? Reference, please? That was my general impression, I don't have a good way to search the

Re: Final Decision by Google on Symantec

2017-07-31 Thread Gervase Markham via dev-security-policy
On 29/07/17 23:45, Peter Bowen wrote: > First, when the server authentication trust bits will be removed from > the existing roots. This is of notable importance for non-Firefox > users of NSS. Based on the Chrome email, it looks like they will > remove trust bits in their git repo around August

Re: Final Decision by Google on Symantec

2017-07-31 Thread Jakob Bohm via dev-security-policy
On 30/07/2017 00:45, Peter Bowen wrote: On Thu, Jul 27, 2017 at 11:14 PM, Gervase Markham via dev-security-policy wrote: Google have made a final decision on the various dates they plan to implement as part of the consensus plan in the Symantec matter.

Re: Final Decision by Google on Symantec

2017-07-31 Thread Jakob Bohm via dev-security-policy
On 28/07/2017 18:36, David E. Ross wrote: On 7/28/2017 6:34 AM, Alex Gaynor wrote: Frankly I was surprised to see Chromium reverse course on this -- they have a history of aggressive leadership in their handling of CA failures, it's a little disappointing to see them abandon that. I'd strongly

Re: Final Decision by Google on Symantec

2017-07-29 Thread Peter Bowen via dev-security-policy
On Thu, Jul 27, 2017 at 11:14 PM, Gervase Markham via dev-security-policy wrote: > Google have made a final decision on the various dates they plan to > implement as part of the consensus plan in the Symantec matter. The > message from blink-dev is included

Re: Final Decision by Google on Symantec

2017-07-29 Thread Nick Lamb via dev-security-policy
Other contributors have, I think, summed up the pros and cons of the two ways forward on the specific date very effectively. So I will expend my effort instead on pressing for Mozilla to handle final distrust of the old Symantec CA roots in its usual fashion and explicitly _not_ do as Symantec

Re: Final Decision by Google on Symantec

2017-07-28 Thread J.C. Jones via dev-security-policy
I share the desire to move faster than these dates, but upon consideration, I don't think it's much of a boon to web security for Mozilla to be substantially ahead of Chrome in implementing these trust changes. Since Chrome's decision to implement in April is final, their large user population is

Re: Final Decision by Google on Symantec

2017-07-28 Thread Jonathan Rudenberg via dev-security-policy
> On Jul 28, 2017, at 09:34, Alex Gaynor via dev-security-policy > wrote: > > Frankly I was surprised to see Chromium reverse course on this -- they have > a history of aggressive leadership in their handling of CA failures, it's a > little disappointing

Re: Final Decision by Google on Symantec

2017-07-28 Thread okaphone.elektronika--- via dev-security-policy
On Friday, 28 July 2017 08:15:43 UTC+2, Gervase Markham wrote: > Google have made a final decision on the various dates they plan to > implement as part of the consensus plan in the Symantec matter. The > message from blink-dev is included below. > > Most of the dates have consensus - the dates

Re: Final Decision by Google on Symantec

2017-07-28 Thread David E. Ross via dev-security-policy
On 7/28/2017 6:34 AM, Alex Gaynor wrote: > Frankly I was surprised to see Chromium reverse course on this -- they have > a history of aggressive leadership in their handling of CA failures, it's a > little disappointing to see them abandon that. > > I'd strongly advocate for us pursuing an

Re: Final Decision by Google on Symantec

2017-07-28 Thread Vincent Lynch via dev-security-policy
Hi Gerv, Thank you for reaching out to the mdsp community. There are valid security reasons to consider a distrust date earlier than April 2018 for the corpus of Symantec certs issued prior to June 1st, 2016. However, I also believe there are security and operational risks in complicating the

Re: Final Decision by Google on Symantec

2017-07-28 Thread Alex Gaynor via dev-security-policy
Frankly I was surprised to see Chromium reverse course on this -- they have a history of aggressive leadership in their handling of CA failures, it's a little disappointing to see them abandon that. I'd strongly advocate for us pursuing an earlier date -- December 1st at the latest. Reasons: 1)

Re: Final Decision by Google on Symantec

2017-07-28 Thread Jakob Bohm via dev-security-policy
As it stands, aligning with Chrome, plus/minus 14 days would be the best approach. It is of course regrettable that Symantec managed to delay the decision process until a time when key Mozilla personnel (most notably Gerv) were unavailable, thus allowing Chrome to make the decisions while

Re: Final Decision by Google on Symantec

2017-07-28 Thread wizard--- via dev-security-policy
With respect to the date of distrust of Symantec certificates issued before June 1, 2016, I believe Mozilla has a third option: Remove indicators of trust (green lock, etc.) on December 1, 2017 for Symantec certificates issued prior to June 1, 2016 (but do not produce interstitials and do not