RE: Symantec Update on SubCA Proposal

2017-08-14 Thread Jeremy Rowley via dev-security-policy
Hi Jakob, Your below description raises two questions of general interest (though not of interest to the Mozilla root program): 1. Will DigiCert establish cross-signatures from the old/historic Symantec roots to continuing DigiCert roots and subCAs? [JR] We won’t be cross-signing from

Re: Symantec Update on SubCA Proposal

2017-08-14 Thread Jakob Bohm via dev-security-policy
en via dev-security-policy Sent: Wednesday, August 09, 2017 12:24 PM To: mozilla-dev-security-pol...@lists.mozilla.org Subject: [EXT] Re: Symantec Update on SubCA Proposal Hello m.d.s.p., I'd just like to give the community a heads up that Chrome’s plan remains to put up a blog post echoing

RE: Symantec Update on SubCA Proposal

2017-08-13 Thread Jeremy Rowley via dev-security-policy
, 2017 9:12 PM To: mozilla-dev-security-pol...@lists.mozilla.org Subject: Re: Symantec Update on SubCA Proposal Steve, Thank you for responding relatively promptly (at least as compared to previous Symantec responses) to Devon's questions. However, these responses seem to imply that a side effect

Re: Symantec Update on SubCA Proposal

2017-08-12 Thread Nick Lamb via dev-security-policy
One good thing we should be able to hope for from a change in ownership even if the personnel and equipment are the same or a great deal in common: improved management oversight. In my view the most worrying underlying problem at Symantec was the inadequate oversight. Senior management at the

Re: Symantec Update on SubCA Proposal

2017-08-12 Thread wizard--- via dev-security-policy
; > Devon O'Brien via dev-security-policy > > Sent: Wednesday, August 09, 2017 12:24 PM > > To: mozilla-dev-security-pol...@lists.mozilla.org > > Subject: [EXT] Re: Symantec Update on SubCA Proposal > > > > Hello m.d.s.p., > > > > I'd just like to give

Re: Symantec Update on SubCA Proposal

2017-08-11 Thread Steve Medin via dev-security-policy
illa.org > Subject: [EXT] Re: Symantec Update on SubCA Proposal > > Hello m.d.s.p., > > I'd just like to give the community a heads up that Chrome’s plan remains to > put up a blog post echoing our recent announcement on blink-dev [1], but > in the meantime, we are reviewi

Re: Symantec Update on SubCA Proposal

2017-08-09 Thread Devon O'Brien via dev-security-policy
Hello m.d.s.p., I'd just like to give the community a heads up that Chrome’s plan remains to put up a blog post echoing our recent announcement on blink-dev [1], but in the meantime, we are reviewing the facts related to Symantec’s sale of their PKI business to DigiCert [2]. Recently, it has

Re: Symantec Update on SubCA Proposal

2017-07-27 Thread Alex Gaynor via dev-security-policy
Just to be explicit: your count includes certificates which, with high probability have already been replaced, because it does not subtract names for which new certificates have been issued? I realize it may seem like I'm putting a lot of emphasis on this one number, but given that it's the basis

Re: Symantec Update on SubCA Proposal

2017-07-26 Thread Jakob Bohm via dev-security-policy
On 25/07/2017 22:28, Rick Andrews wrote: ... You are correct in that most customers are indeed not prepared to deal with potential crises in the SSL system. We have all witnessed this first hand with Heartbleed, the replacement of SHA1 certificates, etc. A four month replacement window for a

Re: Symantec Update on SubCA Proposal

2017-07-26 Thread Alex Gaynor via dev-security-policy
On Tue, Jul 25, 2017 at 4:28 PM, Rick Andrews via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > Symantec has proposed timing changes that are consistent with the scope of > distrust of the original SubCA proposal as proposed by Google and endorsed > by Mozilla, which

Re: Symantec Update on SubCA Proposal

2017-07-26 Thread Nick Lamb via dev-security-policy
On Tuesday, 25 July 2017 21:29:06 UTC+1, Rick Andrews wrote: > The details of this process would probably be best served in a separate > thread. Essentially, such a process would involve a quick assessment by the > community on the context and merits of the request by the customer You want us

Re: Symantec Update on SubCA Proposal

2017-07-24 Thread Gervase Markham via dev-security-policy
Hi Rick, Some more thoughts on your post. I continue to invite community commentary on the issues we are discussing. On 21/07/17 07:00, Rick Andrews wrote: > In our June 1 post, we stated that we would update the community after the > end of the month. Indeed. I was more referring to the

Re: [EXT] Symantec Update on SubCA Proposal

2017-07-21 Thread Rick Andrews via dev-security-policy
On Friday, July 21, 2017 at 12:39:54 PM UTC-7, Peter Bowen wrote: > Steve, > > I think this level of public detail is very helpful when it comes to > understanding the proposal. > > On Thu, Jul 20, 2017 at 8:00 AM, Steve Medin via dev-security-policy > wrote: > > 1) December 1, 2017 is the

Re: [EXT] Symantec Update on SubCA Proposal

2017-07-21 Thread Rick Andrews via dev-security-policy
On Friday, July 21, 2017 at 12:07:02 PM UTC-7, Alex Gaynor wrote: > On Thu, Jul 20, 2017 at 11:00 AM, Steve Medin wrote: > > > 1) *December 1, 2017 is the earliest credible date that any RFP > > respondent can provide the Managed CA solution proposed by Google, assuming > > a start date of

Re: [EXT] Symantec Update on SubCA Proposal

2017-07-21 Thread Peter Bowen via dev-security-policy
Steve, I think this level of public detail is very helpful when it comes to understanding the proposal. On Thu, Jul 20, 2017 at 8:00 AM, Steve Medin via dev-security-policy wrote: > 1) December 1, 2017 is the earliest credible date that any RFP >

Re: [EXT] Symantec Update on SubCA Proposal

2017-07-21 Thread Alex Gaynor via dev-security-policy
On Thu, Jul 20, 2017 at 11:00 AM, Steve Medin wrote: > 1) *December 1, 2017 is the earliest credible date that any RFP > respondent can provide the Managed CA solution proposed by Google, assuming > a start date of August 1, 2017. Only one RFP respondent initially

Re: Symantec Update on SubCA Proposal

2017-07-21 Thread Gervase Markham via dev-security-policy
On 21/07/17 07:00, Rick Andrews wrote: > In light of all of these implications, we respectfully request that Mozilla, > Google and the community consider the dates Symantec has proposed, which are > the results of our earnest and extensive efforts to implement the spirit of > the SubCA

Re: Symantec Update on SubCA Proposal

2017-07-21 Thread Rick Andrews via dev-security-policy
On Thursday, July 20, 2017 at 12:31:56 PM UTC-7, Gervase Markham wrote: > Hi Steve, > > Thanks for posting this. I appreciate the level of detail provided, > which is useful in giving us a basis for discussion. It's a little > regrettable, though, that it was published a couple of weeks after we

Re: Symantec Update on SubCA Proposal

2017-07-20 Thread Gervase Markham via dev-security-policy
Hi Steve, Thanks for posting this. I appreciate the level of detail provided, which is useful in giving us a basis for discussion. It's a little regrettable, though, that it was published a couple of weeks after we were led to expect it... One note before we start: Symantec's business dealings

RE: [EXT] Symantec Update on SubCA Proposal

2017-07-20 Thread Steve Medin via dev-security-policy
) It is our longstanding policy not to comment on rumors or market speculation. From: Alex Gaynor [mailto:agay...@mozilla.com] Sent: Wednesday, July 19, 2017 10:25 AM To: Steve Medin <steve_me...@symantec.com> Cc: mozilla-dev-security-pol...@lists.mozilla.org Subject: Re: [EXT] Symantec

RE: [EXT] Symantec Update on SubCA Proposal

2017-07-20 Thread Steve Medin via dev-security-policy
...@konklone.com] Sent: Wednesday, July 19, 2017 3:43 PM To: Steve Medin <steve_me...@symantec.com> Cc: mozilla-dev-security-pol...@lists.mozilla.org Subject: Re: [EXT] Symantec Update on SubCA Proposal On Wed, Jul 19, 2017 at 11:31 AM, Steve Medin via dev-security-policy <dev-securi

RE: [EXT] Symantec Update on SubCA Proposal

2017-07-20 Thread Steve Medin via dev-security-policy
illa.org > Subject: Re: [EXT] Symantec Update on SubCA Proposal > > On 7/19/2017 8:31 AM, Steve Medin wrote: > >> -Original Message- > >> From: dev-security-policy [mailto:dev-security-policy- > >> bounces+steve_medin=symantec@lists.mozilla.org] On Behal

RE: [EXT] Symantec Update on SubCA Proposal

2017-07-20 Thread Steve Medin via dev-security-policy
.org > Subject: Re: [EXT] Symantec Update on SubCA Proposal > > On 19/07/2017 17:31, Steve Medin wrote: > >> -Original Message- > >> From: dev-security-policy [mailto:dev-security-policy- > >> bounces+steve_medin=symantec@lists.mozilla.org] On Behal

Re: [EXT] Symantec Update on SubCA Proposal

2017-07-19 Thread Eric Mill via dev-security-policy
lf Of > > Jakob Bohm via dev-security-policy > > Sent: Tuesday, July 18, 2017 4:39 PM > > To: mozilla-dev-security-pol...@lists.mozilla.org > > Subject: Re: [EXT] Symantec Update on SubCA Proposal > > > > > > Just for clarity: > > > > (Note:

Re: [EXT] Symantec Update on SubCA Proposal

2017-07-19 Thread David E. Ross via dev-security-policy
017 4:39 PM >> To: mozilla-dev-security-pol...@lists.mozilla.org >> Subject: Re: [EXT] Symantec Update on SubCA Proposal >> >> >> Just for clarity: >> >> (Note: Using ISO date format instead of ambiguous local date format) >> >> How many Symantec

Re: [EXT] Symantec Update on SubCA Proposal

2017-07-19 Thread Jakob Bohm via dev-security-policy
...@lists.mozilla.org Subject: Re: [EXT] Symantec Update on SubCA Proposal Just for clarity: (Note: Using ISO date format instead of ambiguous local date format) How many Symantec certs issued prior to 2015-06-01 expire after 2018- 06-01, and how does that mesh with the alternative date proposed below

RE: [EXT] Symantec Update on SubCA Proposal

2017-07-19 Thread Steve Medin via dev-security-policy
.org > Subject: Re: [EXT] Symantec Update on SubCA Proposal > > > Just for clarity: > > (Note: Using ISO date format instead of ambiguous local date format) > > How many Symantec certs issued prior to 2015-06-01 expire after 2018- > 06-01, and how does that mesh with the al

Re: [EXT] Symantec Update on SubCA Proposal

2017-07-19 Thread Alex Gaynor via dev-security-policy
t; > > -Original Message- > > From: dev-security-policy [mailto:dev-security-policy- > > bounces+steve_medin=symantec@lists.mozilla.org] On Behalf Of > > Steve Medin via dev-security-policy > > Sent: Tuesday, July 18, 2017 2:23 PM > > To: mozilla-dev-sec

Re: [EXT] Symantec Update on SubCA Proposal

2017-07-18 Thread Jakob Bohm via dev-security-policy
-policy [mailto:dev-security-policy- bounces+steve_medin=symantec@lists.mozilla.org] On Behalf Of Steve Medin via dev-security-policy Sent: Tuesday, July 18, 2017 2:23 PM To: mozilla-dev-security-pol...@lists.mozilla.org Subject: [EXT] Symantec Update on SubCA Proposal *Progress Update on SubCA RFP

RE: [EXT] Symantec Update on SubCA Proposal

2017-07-18 Thread Steve Medin via dev-security-policy
age- > From: dev-security-policy [mailto:dev-security-policy- > bounces+steve_medin=symantec@lists.mozilla.org] On Behalf Of > Steve Medin via dev-security-policy > Sent: Tuesday, July 18, 2017 2:23 PM > To: mozilla-dev-security-pol...@lists.mozilla.org > Subject: [EXT] Sym

Symantec Update on SubCA Proposal

2017-07-18 Thread Steve Medin via dev-security-policy
*Progress Update on SubCA RFP, Partner Selection, and Execution* Since June 1, Symantec has worked in earnest to operationalize the SubCA proposal outlined by Google and Mozilla and discussed in community forums. The core of this proposal is to transfer the authentication and issuance of