Re: Mozilla’s Plan for Symantec Roots

2018-03-02 Thread Wayne Thayer via dev-security-policy
On Fri, Mar 2, 2018 at 11:58 AM, Doug Beattie wrote: > Hi Wayne, > > Is the Firefox 60 update in May the same as the combination of the April > and October Chrome updates, in that all Symantec certificates will be > untrusted on this date (5 months before Chrome)? >

RE: Mozilla’s Plan for Symantec Roots

2018-03-02 Thread Doug Beattie via dev-security-policy
policy- > bounces+doug.beattie=globalsign@lists.mozilla.org] On Behalf Of Wayne > Thayer via dev-security-policy > Sent: Friday, March 2, 2018 1:12 PM > Cc: mozilla-dev-security-policy > <mozilla-dev-security-pol...@lists.mozilla.org> > Subject: Re: Mozilla’s Plan

Re: Mozilla’s Plan for Symantec Roots

2018-03-02 Thread Wayne Thayer via dev-security-policy
Update: Mozilla is moving forward with our implementation of the consensus plan for Symantec roots [1]. With the exception of whitelisted subordinate CAs using the keys listed on the wiki [2], Symantec certificates are now blocked by default on Nightly builds of Firefox. The preference

Re: Mozilla’s Plan for Symantec Roots

2018-03-01 Thread Ryan Hurst via dev-security-policy
> > > > Google requests that certain subCA SPKIs are whitelisted, to ensure > > continued trust of Symantec-issued certificates that are used by > > infrastructure that is operated by Google. > > > > Is whitelisting the SPKI found in the Google subCA sufficient to achieve > > the need of trusting

Re: Mozilla’s Plan for Symantec Roots

2018-03-01 Thread Ryan Sleevi via dev-security-policy
On Thu, Mar 1, 2018 at 4:45 PM, Kai Engert via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > On 01.03.2018 18:45, Ryan Sleevi via dev-security-policy wrote: > >> > >> The point of my question is to clarify, if the DigiCert transition Roots > >> are completely separate from

Re: Mozilla’s Plan for Symantec Roots

2018-03-01 Thread Kai Engert via dev-security-policy
On 01.03.2018 18:45, Ryan Sleevi via dev-security-policy wrote: >> >> The point of my question is to clarify, if the DigiCert transition Roots >> are completely separate from the Apple/Google subCA whitelisting >> requirements. >> > > I'm not sure how to interpret the Apple/Google question, but

Re: Mozilla’s Plan for Symantec Roots

2018-03-01 Thread Kai Engert via dev-security-policy
Hello Ryan, thanks again for this response. The situation appears very complex. I might follow up with a couple of clarification questions, that are hopefully simple to answer. Let me start with this one: Chromium will whitelist the SPKIs of a "CN=DigiCert Transition ECC Root" and a "CN=DigiCert

Re: Mozilla’s Plan for Symantec Roots

2018-02-15 Thread Ryan Sleevi via dev-security-policy
On Thu, Feb 15, 2018 at 9:37 AM, Kai Engert via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > > What does that mean for non-browser SSL/TLS client software, which > cannot do whitelisting based on SPKI, but which wants to ensure > compatibility with non-migrated

Re: Mozilla’s Plan for Symantec Roots

2018-02-15 Thread Kai Engert via dev-security-policy
Ryan, thanks for highlighting that I missed a few Roots. So originally, the October 2017 announcement had mentioned: - GeoTrust Global CA - GeoTrust Primary Certification Authority - G2 - GeoTrust Primary Certification Authority - G3 Looking at the data available at

RE: Mozilla’s Plan for Symantec Roots

2018-02-13 Thread Tim Hollebeek via dev-security-policy
> OK. I'm researching what approach should be used for the Fedora Linux > distribution, where a single CA trust list (based on Mozilla's CA trust > list) is used for the whole system, including Firefox, and other > applications that > use other certificate validation logic, like the ones built

Re: Mozilla’s Plan for Symantec Roots

2018-02-13 Thread Ryan Sleevi via dev-security-policy
On Tue, Feb 13, 2018 at 4:40 PM, Kai Engert via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > > For the second distrust phase in Autumn 2018, assume that all Symantec > customers (excluding the managed CAs that are covered by the whitelisted > subCA SPKIs) have been fully

Re: Mozilla’s Plan for Symantec Roots

2018-02-13 Thread Kai Engert via dev-security-policy
On 13.02.2018 18:10, Ryan Sleevi wrote: > > On Tue, Feb 13, 2018 at 11:30 AM, Kai Engert > wrote: > > A couple more comments below: > > On 12.02.2018 19:13, Ryan Sleevi wrote: > > > > You're asking about non-browser environments that cannot >

Re: Mozilla’s Plan for Symantec Roots

2018-02-13 Thread Ryan Sleevi via dev-security-policy
On Tue, Feb 13, 2018 at 11:30 AM, Kai Engert wrote: > Hello Ryan, > > thanks a lot for your very helpful response! > > A couple more comments below: > > On 12.02.2018 19:13, Ryan Sleevi wrote: > > A separate question which would be good to be clarified: What about > >

Re: Mozilla’s Plan for Symantec Roots

2018-02-13 Thread Kai Engert via dev-security-policy
Hello Ryan, thanks a lot for your very helpful response! A couple more comments below: On 12.02.2018 19:13, Ryan Sleevi wrote: > A separate question which would be good to be clarified: What about > environments, which want to distrust all old Symantec roots in October > 2018, but

Re: Mozilla’s Plan for Symantec Roots

2018-02-12 Thread Ryan Sleevi via dev-security-policy
On Mon, Feb 12, 2018 at 11:36 AM, Kai Engert wrote: > On 09.02.2018 22:20, Ryan Sleevi wrote: > > As a small clarification - while Chrome has included the certificates, > > as noted in the readme, the whitelist is based on SPKI. This was > > intentional, to avoid situations of

Re: Mozilla’s Plan for Symantec Roots

2018-02-12 Thread Piotr Kucharski via dev-security-policy
On Mon, Feb 12, 2018 at 5:36 PM, Kai Engert wrote: > > For example, if you note, there are two Google certificates, but they > > share the same SPKI and Subject Name - which is why the Chromium > > whitelist only has one certificate listed, as it extracts the SPKI from > > that

Re: Mozilla’s Plan for Symantec Roots

2018-02-12 Thread Kai Engert via dev-security-policy
On 09.02.2018 22:20, Ryan Sleevi wrote: > As a small clarification - while Chrome has included the certificates, > as noted in the readme, the whitelist is based on SPKI. This was > intentional, to avoid situations of interoperability issues. Hi Ryan, IIUC, the current implementation in Firefox

Re: Mozilla’s Plan for Symantec Roots

2018-02-09 Thread Ryan Sleevi via dev-security-policy
Hi Wayne, As a small clarification - while Chrome has included the certificates, as noted in the readme, the whitelist is based on SPKI. This was intentional, to avoid situations of interoperability issues. Whitelisting by certificate, rather than either SPKI or SPKI-Tuple, brings with it
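The SPKI-versus-certificate distinction Ryan draws above, as an added example that is not part of the thread and not Chromium's or Mozilla's own code: two CA certificates are constructed in-process for the same key pair (standing in for an original and a re-issued or cross-signed subCA certificate), and a whitelist keyed on the SHA-256 of the SubjectPublicKeyInfo is compared with one keyed on the SHA-256 of the whole certificate. The certificate names and serials are hypothetical; only the Go standard library is used.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"fmt"
	"math/big"
	"time"
)

// SPKIHash is the SHA-256 of the DER-encoded SubjectPublicKeyInfo, the
// quantity a key-based (SPKI) whitelist is keyed on.
func SPKIHash(c *x509.Certificate) string {
	sum := sha256.Sum256(c.RawSubjectPublicKeyInfo)
	return hex.EncodeToString(sum[:])
}

// CertHash is the SHA-256 of the whole DER certificate, the quantity a
// certificate-based whitelist is keyed on.
func CertHash(c *x509.Certificate) string {
	sum := sha256.Sum256(c.Raw)
	return hex.EncodeToString(sum[:])
}

// ChainExempt reports whether any certificate in the validated chain matches
// the whitelist under the given identity function (SPKIHash or CertHash).
func ChainExempt(chain []*x509.Certificate, whitelist map[string]bool, ident func(*x509.Certificate) string) bool {
	for _, c := range chain {
		if whitelist[ident(c)] {
			return true
		}
	}
	return false
}

// makeSubCA builds a constructed self-signed CA certificate for key. Two
// calls with the same key and different serials model the case from the
// thread of two certificates sharing one SPKI and Subject.
func makeSubCA(key *ecdsa.PrivateKey, serial int64, cn string) (*x509.Certificate, error) {
	now := time.Now()
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn}, // hypothetical name
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// Compare returns (spkiMatch, certMatch): whether a whitelist built from the
// first certificate exempts a chain containing only the second, under each
// identity function.
func Compare() (bool, bool, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return false, false, err
	}
	a, err := makeSubCA(key, 1, "Example Managed SubCA")
	if err != nil {
		return false, false, err
	}
	b, err := makeSubCA(key, 2, "Example Managed SubCA") // same key, new certificate
	if err != nil {
		return false, false, err
	}
	bySPKI := map[string]bool{SPKIHash(a): true}
	byCert := map[string]bool{CertHash(a): true}
	chain := []*x509.Certificate{b}
	return ChainExempt(chain, bySPKI, SPKIHash), ChainExempt(chain, byCert, CertHash), nil
}

func main() {
	spki, cert, err := Compare()
	if err != nil {
		panic(err)
	}
	fmt.Printf("SPKI whitelist exempts re-issued certificate: %v\n", spki)
	fmt.Printf("certificate whitelist exempts re-issued certificate: %v\n", cert)
}
```

The SPKI-keyed whitelist still matches after the subCA certificate is re-issued for the same key, while the certificate-keyed whitelist does not, which is the interoperability problem the message describes.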

Re: Mozilla’s Plan for Symantec Roots

2018-02-09 Thread Wayne Thayer via dev-security-policy
On Thu, Feb 8, 2018 at 7:26 AM, Kai Engert via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > On 16.10.2017 19:32, Gervase Markham via dev-security-policy wrote: > > The subCAs that we know of that fall into this category belong to Google > > and Apple. If there are any

Re: Mozilla’s Plan for Symantec Roots

2018-02-08 Thread westmail24--- via dev-security-policy
Also, it should be understood that on Linux OS no transitional periods will be made, but simply remove all Symantec certificates from a certain date. ___ dev-security-policy mailing list dev-security-policy@lists.mozilla.org

Re: Mozilla’s Plan for Symantec Roots

2018-02-08 Thread Kai Engert via dev-security-policy
On 16.10.2017 19:32, Gervase Markham via dev-security-policy wrote: > The subCAs that we know of that fall into this category belong to Google > and Apple. If there are any other subCAs that fall into this category, > please let us know immediately. Google has one such subCA; Apple has seven.

Re: Mozilla’s Plan for Symantec Roots

2018-02-08 Thread Kai Engert via dev-security-policy
On 16.10.2017 20:26, Eric Mill via dev-security-policy wrote: > Adding code to Firefox to support the distrust of specified subCAs seems > like it would be a good long-term investment for Mozilla, as it would give > Mozilla a lot more flexibility during future distrust events. I think this isn't

Re: Mozilla’s Plan for Symantec Roots

2018-02-08 Thread Kai Engert via dev-security-policy
On 16.10.2017 19:33, Gervase Markham via dev-security-policy wrote: > As per previous discussions and > https://wiki.mozilla.org/CA:Symantec_Issues, a consensus proposal[0] was > reached among multiple browser makers for a graduated distrust of > Symantec roots. > > Here is Mozilla’s planned

Re: Mozilla’s Plan for Symantec Roots

2017-11-01 Thread Gervase Markham via dev-security-policy
Hi Peter, Ryan is the chain-building expert, and others have deeper knowledge of how the new Symantec/DigiCert PKI is going to work than I do, but here's an attempt to answer your question. On 27/10/17 16:51, Peter Bowen wrote: > If DigiCert generates a new online issuing CA on 20 March 2018 and

Re: Mozilla’s Plan for Symantec Roots

2017-10-27 Thread Ryan Sleevi via dev-security-policy
Without commenting on the Symantec aspect of this, there is a rather substantial correction to the behaviour of client software - including Firefox. Unfortunately, very few libraries and path validators support chain building terminating at trust anchors in the way you describe. Recent changes in

Re: Mozilla’s Plan for Symantec Roots

2017-10-27 Thread Peter Bowen via dev-security-policy
On Tue, Oct 17, 2017 at 2:06 AM, Gervase Markham wrote: > On 16/10/17 20:22, Peter Bowen wrote: >> Will the new managed CAs, which will be operated by DigiCert under >> CP/CPS/Audit independent from the current Symantec ones, also be >> included on the list of subCAs that will

Re: Mozilla’s Plan for Symantec Roots

2017-10-27 Thread Gervase Markham via dev-security-policy
On 18/10/17 13:49, Gervase Markham wrote: > Apple have confirmed that their list is complete and correct. As have Google. Gerv

Re: Mozilla’s Plan for Symantec Roots

2017-10-25 Thread Kai Engert via dev-security-policy
On 16.10.2017 19:32, Gervase Markham via dev-security-policy wrote: > > Here is Mozilla’s planned timeline for the graduated distrust of > Symantec roots (subject to change): > > * January 2018 (Firefox 58): Notices in the Developer Console will warn > about Symantec certificates issued before

Re: Mozilla’s Plan for Symantec Roots

2017-10-18 Thread Gervase Markham via dev-security-policy
On 17/10/17 10:01, Gervase Markham wrote: > Here's an informal list created by me examining the CCADB. Note that the > CCADB links won't work for anyone except Root Store operators. Apple have confirmed that their list is complete and correct. Gerv

Re: Mozilla’s Plan for Symantec Roots

2017-10-17 Thread Gervase Markham via dev-security-policy
On 17/10/17 15:50, Ryan Sleevi wrote: > That doesn't seem to line up with the discussion in > https://groups.google.com/d/topic/mozilla.dev.security.policy/_EnH2IeuZtw/discussion > to date. Do you have any additional information to share? > > Note that the path you just described is the one that

Re: Mozilla’s Plan for Symantec Roots

2017-10-17 Thread Gervase Markham via dev-security-policy
On 16/10/17 20:19, Daniel Cater wrote: > Could we have a list of the subCAs that are being considered for exemption > for the distrust? Here's an informal list created by me examining the CCADB. Note that the CCADB links won't work for anyone except Root Store operators. GeoTrust Global CA |

Re: Mozilla’s Plan for Symantec Roots

2017-10-16 Thread Peter Bowen via dev-security-policy
On Mon, Oct 16, 2017 at 10:32 AM, Gervase Markham via dev-security-policy wrote: > As per previous discussions and > https://wiki.mozilla.org/CA:Symantec_Issues, a consensus proposal[0] was > reached among multiple browser makers for a graduated distrust of

Re: Mozilla’s Plan for Symantec Roots

2017-10-16 Thread Daniel Cater via dev-security-policy
On Monday, 16 October 2017 18:32:54 UTC+1, Gervase Markham wrote: > = Symantec roots to be disabled via code, *not* removed from NSS = > > GeoTrust Global CA > GeoTrust Primary Certification Authority - G2 > GeoTrust Primary Certification Authority - G3 > > = Symantec roots that will be fully

Re: Mozilla’s Plan for Symantec Roots

2017-10-16 Thread Eric Mill via dev-security-policy
Adding code to Firefox to support the distrust of specified subCAs seems like it would be a good long-term investment for Mozilla, as it would give Mozilla a lot more flexibility during future distrust events. -- Eric On Mon, Oct 16, 2017 at 1:32 PM, Gervase Markham via dev-security-policy <