It makes perfect sense if the game plan is to force continued delays of 
decisions on the part of root programs! Which appears to be exactly what is 
happening. After all, wait long enough, and it can be claimed that all possibly 
bad things would be expired, so don't distrust us, m'ok.

I think the idea of giving Symantec a path to keep 27 month certificates, e.g. 
coupled to the standup of a new PKI, makes a lot of sense, since going to a new 
PKI would help get rid of the risks associated with the present PKI, and make a 
big player a leader in making shorter lifetimes a reality (in the absence of a 
new PKI it would seem 9 mo or 13 mo validity is needed to reduce ecosystem 
risk).

On Sunday, May 7, 2017 at 6:56:56 PM UTC-4, Eric Mill wrote:
> On Sun, May 7, 2017 at 6:09 PM, Rick Andrews via dev-security-policy <
> dev-security-policy@lists.mozilla.org> wrote:
> 
> > I'm posting this on behalf of Symantec:
> >
> > We would like to update the community about our ongoing dialogue with
> > Google.
> >
> > Following our May 4th post, senior executives at Google and Symantec
> > established a new dialogue with the intention to arrive at a new proposal
> > for the community that addresses the substantial customer impact that would
> > result from prior proposals. We urge Symantec customers and the browser
> > community to pause on decisions related to this matter until final
> > proposals are posted and accepted.
> 
> 
> This call for the browser community to not make any decisions until Google
> and Symantec finalize and accept a proposal completely marginalizes and
> ignores both Mozilla and the broader web community.
> 
> The "new dialogue" part also comes across as having gone over Ryan's head.
> This is unfortunately consistent with Symantec's latest blog post, which
> unprofessionally referred to proposals by "Mr. Sleevi" and "Mr. Markham".
> These statements personalize the issue and marginalize the proposals by
> casting them as individual opinions and not the views of their
> organization. They also reinforce the perception that Symantec sees their
> situation as the product of an unreasonable person or two and not the
> result of their own errors.
> 
> This list just spent the last two weeks focused on a large host of issues,
> curated by Mozilla on their wiki and discussed by the broader community
> here. So far, all Symantec has done to publicly respond to those is to send
> a single email per-issue, and then not otherwise participate in the
> discussion beyond blog posts.
> 
> Posting a call to Mozilla's community list asking for Mozilla and its
> community to pause while Symantec gets on the phone with senior Google
> executives to work it all out is a baffling tactic. I hope Mozilla
> continues to assert its stake in this process.
> 
> -- Eric
> 
> > The intent of both Google and Symantec is to arrive at a proposal that
> > improves security while minimizing business disruption across the community.
> >
> > We want to reassure the community that we are taking these matters and the
> > impact on the community very seriously.
> > _______________________________________________
> > dev-security-policy mailing list
> > dev-security-policy@lists.mozilla.org
> > https://lists.mozilla.org/listinfo/dev-security-policy
> >
