On Sunday, 12 February 2017 15:28:26 UTC, Steve Medin wrote:
> A response is now available in Bugzilla 1334377 and directly at:
> https://bugzilla.mozilla.org/attachment.cgi?id=8836487
Thanks for these responses Steve,

I believe that Symantec's decision to terminate the RA Partner programme was a good one, not only in light of what's been found during this specific investigation, but also because it makes the CA function within Symantec simpler. It definitely feels as though some of the issues (big and small) with Symantec's CA function in the past few years grew out of complexity. Simpler systems are easier to correctly reason about and thus to manage properly. Simpler systems are also easier for the Root Programmes to oversee and for the Relying Parties to put their trust in.

This group has fought against the presumption that "foreign" CAs are necessarily less trustworthy, but the fact is that a person who was happy with a Symantec certificate on the basis that it was issued by a famous US corporation might have been very surprised to learn that the decision to issue was actually taken by a company they've never heard of in Korea, or Brazil.

Given Symantec's experiences here, I would recommend that Mozilla's routine letter to CAs might ask them if they have any similar programme and, if so, what measures they have in place to ensure their RAs or similar third parties are really living up to the standards Mozilla requires. Depending on the responses, this might need further action from Mozilla. It would also make sense to ask about this during new CA enrollment.

There's maybe a small piece of work here to figure out what sort of characteristics best distinguish something like Symantec's relationship with Crosscert from unremarkable business practices like corporate accounts to issue many certificates without them each being validated separately.

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy