Re: Symantec response to Google proposal

2017-06-20 Thread Jakob Bohm via dev-security-policy
On 20/06/2017 08:08, Gervase Markham wrote: On 20/06/17 01:21, Jakob Bohm wrote: 2. For any certificate bundle that needs to be incorporated into the Mozilla root stores, a significant period (3 to 6 months at least) will be needed between acceptance by Mozilla and actual trust by

Re: Symantec response to Google proposal

2017-06-20 Thread Gervase Markham via dev-security-policy
On 20/06/17 01:21, Jakob Bohm wrote: > 2. For any certificate bundle that needs to be incorporated into the > Mozilla root stores, a significant period (3 to 6 months at least) > will be needed between acceptance by Mozilla and actual trust by > Mozilla users. Not if the roots were

Re: Symantec response to Google proposal

2017-06-19 Thread Jakob Bohm via dev-security-policy
Notes on your below suggested timeline: 1. I see no reason to have that many new root bundles from Symantec. Ideally, there would be just two bundles: A transitional root bundle which signs the outsourced SubCAs only, and a final bundle intended to become the new long-term Symantec roots.

Re: Symantec response to Google proposal

2017-06-16 Thread Peter Kurrasch via dev-security-policy
My thoughts:2) Timeline.I agree with Symantec that Google's original deadlines are far too aggressive, for 2 reasons. First, I do not think Symantec can move quickly without causing further damage. Second, I do

Re: Symantec response to Google proposal

2017-06-08 Thread wizard--- via dev-security-policy
On Tuesday, June 6, 2017 at 10:03:29 AM UTC-4, Gervase Markham wrote: > On 02/06/17 15:53, Gervase Markham wrote: > > https://www.symantec.com/connect/blogs/symantec-s-response-google-s-subca-proposal > > I'm slightly surprised to see no engagement here. I think many of us are worn out with the

Re: Symantec response to Google proposal

2017-06-08 Thread Gervase Markham via dev-security-policy
On 06/06/17 19:59, Jakob Bohm wrote: > I don't see a problem in access to this being subject to a reasonable > NDA that allows Mozilla to show it to their choice of up to 50 external > experts (I don't expect to be one of those 50). The problem with an NDA is that if the audit reports significant

Re: Symantec response to Google proposal

2017-06-06 Thread userwithuid via dev-security-policy
On Tuesday, June 6, 2017 at 2:03:29 PM UTC, Gervase Markham wrote: > > 1) Scope of Distrust > > Google proposal: existing CT-logged certificates issued after 1st June > 2016 would continue to be trusted until expiry. > Symantec proposal: all CT-logged certificates should continue to be > trusted

Re: Symantec response to Google proposal

2017-06-06 Thread Matthew Hardeman via dev-security-policy
On Tuesday, June 6, 2017 at 9:03:29 AM UTC-5, Gervase Markham wrote: > I'm slightly surprised to see no engagement here. Perhaps it would be > help to break it down. Symantec's specific requests for modification are > as follows (my interpretation): > > 1) Scope of Distrust > > Google proposal:

Re: Symantec response to Google proposal

2017-06-06 Thread Jakob Bohm via dev-security-policy
On 06/06/2017 16:02, Gervase Markham wrote: On 02/06/17 15:53, Gervase Markham wrote: https://www.symantec.com/connect/blogs/symantec-s-response-google-s-subca-proposal I'm slightly surprised to see no engagement here. Perhaps it would be help to break it down. Symantec's specific requests

Re: Symantec response to Google proposal

2017-06-06 Thread Matthew Hardeman via dev-security-policy
I broadly echo many of the comments and thoughts of Martin Heaps earlier in this thread. Much of Symantec's response is disheartening, especially in the "inaccuracies": (the apparent dichotomy between how they have acted and their statement that they only employ the best people implementing

Re: Symantec response to Google proposal

2017-06-06 Thread Gervase Markham via dev-security-policy
Here are some thoughts from me: On 06/06/17 15:02, Gervase Markham wrote: > 1) Scope of Distrust I have sought more information from Google on this. > 2) Timeline I think the question here is, what is our position, and on what basis do we decide it? If we want to impose an aggressive but

Re: Symantec response to Google proposal

2017-06-06 Thread Gervase Markham via dev-security-policy
On 06/06/17 15:12, Alex Gaynor wrote: > I suspect many of us are a bit exhausted by the discussion :-). That's fair enough! :-) I can understand that. Gerv ___ dev-security-policy mailing list dev-security-policy@lists.mozilla.org

Re: Symantec response to Google proposal

2017-06-06 Thread Alex Gaynor via dev-security-policy
On Tue, Jun 6, 2017 at 10:02 AM, Gervase Markham via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > On 02/06/17 15:53, Gervase Markham wrote: > > https://www.symantec.com/connect/blogs/symantec-s- > response-google-s-subca-proposal > > I'm slightly surprised to see no

Re: Symantec response to Google proposal

2017-06-05 Thread Peter Kurrasch via dev-security-policy
Hi Gerv--Is Mozilla willing to consider a simpler approach in this matter? For example, it seems that much of the complexity of the Google/Symantec proposal stems from this new PKI idea. I think Mozilla could