Re: Mozilla requirements of Symantec
On 08/06/2017 18:52, Peter Bowen wrote:
> On Thu, Jun 8, 2017 at 9:38 AM, Jakob Bohm via dev-security-policy wrote:
>> As the linked proposal was worded (I am not on Blink mailing lists), it seemed obvious that the original timeline was:
>>
>> Later: Once the new roots are generally accepted, Symantec can actually issue from the new SubCAs.
>>
>> Long term: CRL and OCSP management for the managed SubCAs remain with the third party CAs. This continues until the managed SubCAs expire or are revoked.
>
> I don't see this last part in the proposal. Instead the proposal appears to specifically contemplate the SubCAs being transferred to Symantec once the new roots are accepted in the required trust stores.

That last part was derived purely from the logistical difficulty of moving private keys compared to just keeping CRL and OCSP running in an infrastructure that would keep running anyway (for the hosting CAs' own CA certificates).

Enjoy

Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
___
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
Re: Mozilla requirements of Symantec
On Thu, Jun 8, 2017 at 9:38 AM, Jakob Bohm via dev-security-policy wrote:
>
> As the linked proposal was worded (I am not on Blink mailing lists), it
> seemed obvious that the original timeline was:
>
> Later: Once the new roots are generally accepted, Symantec can actually
> issue from the new SubCAs.
>
> Long term: CRL and OCSP management for the managed SubCAs remain with the
> third party CAs. This continues until the managed SubCAs expire or are
> revoked.

I don't see this last part in the proposal. Instead the proposal appears to specifically contemplate the SubCAs being transferred to Symantec once the new roots are accepted in the required trust stores.

Additionally, there is no policy, as far as I know, that governs transfer of non-Root CAs. This is possibly a gap, but an existing one.

Thanks,
Peter
Re: Mozilla requirements of Symantec
On 08/06/2017 11:09, Gervase Markham wrote:
> On 07/06/17 22:30, Jakob Bohm wrote:
>> Potential clarification: By "New PKI", Mozilla apparently refers to the "Managed CAs", "Transition to a New Symantec PKI" and related parts of the plan, not to the "new roots" for the "modernized platform" / "new infrastructure".
>
> I expect those things to be interlinked; by "New PKI" I was referring to them both. Symantec has not yet stated how they plan to structure their new arrangements, but I would expect that the intermediate certs run by the managed CAs would in some way become part of Symantec's new PKI, operated by them, once it was up and running. Ryan laid out a way Symantec could structure this on blink-dev, I believe, but the final structure is up to them.

As the linked proposal was worded (I am not on Blink mailing lists), it seemed obvious that the original timeline was:

August 2017: All new certs issued by Managed SubCAs that chain to the old Symantec roots. Private keys for these SubCAs reside at the third party CAs in secure hardware which will presumably prevent sharing them with Symantec.

Much later: The new infrastructure passes all readiness audits.

Then: A signing ceremony creates the new roots and their first set of SubCAs. Cross signatures are created from the old roots to the new roots. Maybe/Maybe not cross signatures are also created from the new roots to the managed SubCAs.

Next: Symantec reapplies for inclusion with the new roots.

Later: Once the new roots are generally accepted, Symantec can actually issue from the new SubCAs.

Long term: CRL and OCSP management for the managed SubCAs remain with the third party CAs. This continues until the managed SubCAs expire or are revoked.

Enjoy

Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
Re: Mozilla requirements of Symantec
On 07/06/17 22:30, Jakob Bohm wrote:
> Potential clarification: By "New PKI", Mozilla apparently refers to the
> "Managed CAs", "Transition to a New Symantec PKI" and related parts of
> the plan, not to the "new roots" for the "modernized platform" / "new
> infrastructure".

I expect those things to be interlinked; by "New PKI" I was referring to them both. Symantec has not yet stated how they plan to structure their new arrangements, but I would expect that the intermediate certs run by the managed CAs would in some way become part of Symantec's new PKI, operated by them, once it was up and running. Ryan laid out a way Symantec could structure this on blink-dev, I believe, but the final structure is up to them.

> Potential clarification: Mozilla's #3 requirement applies to both the
> "new PKI" and the "new roots" for the "new infrastructure".

Yes, I suppose so, although I would expect such an extra-detailed audit to be done on the new infrastructure rather than on the Managed CA infrastructure which is owned by another CA.

Gerv
Re: Mozilla requirements of Symantec
Hi Gervase,

there seems to be a slight inconsistency between the terminology in the plan posted at

https://groups.google.com/a/chromium.org/d/msg/blink-dev/eUAKwjihhBs/ovLalSBRBQAJ

And the official letter quoted below. I have added potential clarifications to fix this, please indicate, for the benefit of the community and Symantec if those clarifications are correct interpretations.

On 07/06/2017 20:51, Gervase Markham wrote:
> Hi Steve,
>
> I'm writing to you in your role as the Primary Point of Contact for Symantec with regard to the Mozilla Root Program. I am writing with a list of Mozilla-specific additions to the consensus remediation proposal for Symantec, as documented by Google.
>
> We note that you have raised a number of objections and queries with regard to the consensus proposal. As you know, we are considering our responses to those. We reserve the right to make additional requests of Symantec in relation to any changes which might be made to that proposal, or for other reasons. However, we have formulated an initial list of Mozilla-specific addenda to the consensus proposal and feel now is a good time to pass them on to Symantec for your official consideration and comment. We would prefer comments in mozilla.dev.security.policy (to which this notice has been CCed), and in any event by close of business on Monday 12th June.
>
> 1) Mozilla would wish, after the 2017-08-08 date as documented in the consensus proposal, to alter Firefox such that it trusts certificates issued in the "new PKI" directly by embedding a set of certs or trust anchors which are part of that PKI, and can therefore distrust any new cert which is issued by the old PKI on a "notBefore" basis. We therefore require that Symantec arrange their new PKI and provide us with sufficient information in good time to be able to do that.

Potential clarification: By "New PKI", Mozilla apparently refers to the "Managed CAs", "Transition to a New Symantec PKI" and related parts of the plan, not to the "new roots" for the "modernized platform" / "new infrastructure".

> 2) Mozilla would wish, at some point in the future sooner than November 2020 (39 months after 2017-08-08, the date when Symantec need to be doing new issuance from the new PKI), to be certain that we are fully distrusting the old PKI. As things currently stand technically, distrusting the old PKI would mean removing the roots, and so Symantec would have to move their customers to the new PKI at a rate faster than natural certificate expiry. Rather than arbitrarily set a date here, we are willing to discuss what date might be reasonable with Symantec, but would expect it to be some time in 2018. As you know, Firefox currently does not act upon embedded CT information, and so CT-based mechanisms are not a suitable basis for us to determine trust upon. Were that to change, we may be able to consider a continued trust of CT-logged certs, but would still want to dis-trust non-CT-logged certs sooner than November 2020.
>
> 3) If any additional audit is performed by Symantec, including but not limited to one that "that includes a description of the auditor's tests of controls and results", then the intended users of the audit report must also include persons who assist in decisions related to the trusted status of Certification Authorities within Mozilla products. For any audit to unusually detailed criteria, it is permitted to place this information behind a login (or require it to be so placed) as long as Mozilla is allowed to give access to any member of our community that we wish.

Potential clarification: Mozilla's #3 requirement applies to both the "new PKI" and the "new roots" for the "new infrastructure".

> We look forward to hearing Symantec's response to these requirements.
>
> With best wishes,
>
> Gerv

Enjoy

Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
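Editor's added example, not part of any message in this thread and not Firefox's or Symantec's code: the client-side mechanism that requirement #1 above describes, namely embedding the new PKI's certificates directly as trust anchors and then rejecting anything the old PKI issued after a cutoff on "notBefore" alone, with the full-distrust date from requirement #2 as a second, later switch. The certificate records, subject names and key identifiers below are constructed stand-ins (a real implementation would parse X.509 and verify signatures before this policy step, which is assumed to have happened), and the full-distrust date is a hypothetical placeholder since the letter leaves it to be negotiated.

```python
from __future__ import annotations

from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass(frozen=True)
class Cert:
    """Minimal stand-in for an X.509 certificate: only the fields the policy needs."""
    subject: str
    issuer: str
    spki: str            # stand-in for a SubjectPublicKeyInfo hash; values below are hypothetical
    not_before: date


# Constructed policy data; identifiers are hypothetical, not real key hashes.
LEGACY_ROOT_SPKIS = {"spki-legacy-root"}      # roots of the old PKI
NEW_PKI_ANCHORS = {"spki-managed-subca"}       # new-PKI certs embedded directly as trust anchors
CUTOFF = date(2017, 8, 8)                      # date from the consensus proposal (requirement #1)
HYPOTHETICAL_FULL_DISTRUST = date(2018, 10, 1)  # placeholder for the negotiated date in requirement #2


def evaluate(chain: list[Cert], today: Optional[date] = None,
             full_distrust_on: Optional[date] = None) -> tuple[str, str]:
    """Policy decision for a leaf-first chain whose signatures were verified beforehand.

    Returns (verdict, reason) with verdict in {"trusted", "distrusted", "untrusted"}.
    """
    if not chain:
        return ("untrusted", "empty chain")
    for child, parent in zip(chain, chain[1:]):
        if child.issuer != parent.subject:
            return ("untrusted", f"{child.subject!r} is not issued by {parent.subject!r}")

    # Step 1: an embedded new-PKI anchor anywhere in the chain ends path building there,
    # so an old root above it (reached via a cross-signature) never enters the decision.
    for cert in chain:
        if cert.spki in NEW_PKI_ANCHORS:
            return ("trusted", f"chains to embedded new-PKI anchor {cert.subject!r}")

    root = chain[-1]
    if root.subject != root.issuer:
        return ("untrusted", "chain does not end in a self-signed root")
    if root.spki not in LEGACY_ROOT_SPKIS:
        return ("untrusted", f"unknown root {root.subject!r}")

    # Step 2: old PKI. Anything it issued on or after the cutoff is rejected on notBefore
    # alone; older certificates keep working until the full-distrust date, if one is set.
    leaf = chain[0]
    if leaf.not_before >= CUTOFF:
        return ("distrusted", f"old PKI issued {leaf.subject!r} on {leaf.not_before}, after {CUTOFF}")
    if full_distrust_on is not None and (today or date.today()) >= full_distrust_on:
        return ("distrusted", f"old PKI fully distrusted since {full_distrust_on}")
    return ("trusted", "old PKI, issued before the cutoff; trusted until full distrust")


# Constructed sample certificates and chains (hypothetical names and key identifiers).
LEGACY_ROOT = Cert("Legacy Root", "Legacy Root", "spki-legacy-root", date(2006, 1, 1))
LEGACY_ICA = Cert("Legacy ICA", "Legacy Root", "spki-legacy-ica", date(2010, 1, 1))
MANAGED_SUBCA = Cert("Managed SubCA", "Legacy Root", "spki-managed-subca", date(2017, 8, 1))
OTHER_ROOT = Cert("Other Root", "Other Root", "spki-other-root", date(2010, 1, 1))

OLD_LEAF = Cert("www.example.test", "Legacy ICA", "spki-leaf-1", date(2017, 1, 15))
LATE_OLD_LEAF = Cert("www.example.test", "Legacy ICA", "spki-leaf-2", date(2017, 9, 1))
MANAGED_LEAF = Cert("www.example.test", "Managed SubCA", "spki-leaf-3", date(2017, 9, 1))
FOREIGN_LEAF = Cert("www.example.test", "Other Root", "spki-leaf-4", date(2017, 9, 1))

CHAINS = {
    "old_pki_pre_cutoff": [OLD_LEAF, LEGACY_ICA, LEGACY_ROOT],
    "old_pki_post_cutoff": [LATE_OLD_LEAF, LEGACY_ICA, LEGACY_ROOT],
    "managed_subca_post_cutoff": [MANAGED_LEAF, MANAGED_SUBCA, LEGACY_ROOT],
    "unknown_root": [FOREIGN_LEAF, OTHER_ROOT],
}

if __name__ == "__main__":
    for name, chain in CHAINS.items():
        verdict, reason = evaluate(chain, today=date(2017, 9, 15))
        print(f"{name:28s} -> {verdict:10s} ({reason})")
```

The managed-SubCA chain is the interesting case: it still ends at the legacy root through the cross-signature, yet it is accepted because the embedded anchor is found first, which is why Mozilla needs the new PKI's certificates "in good time" to ship them. Once a full-distrust date is supplied, pre-cutoff legacy certificates flip to distrusted on that day regardless of their own validity period, which is the "faster than natural certificate expiry" effect the letter warns about.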