> On May 10, 2017, at 11:52, Gervase Markham via dev-security-policy <dev-security-policy@lists.mozilla.org> wrote:
>
> I would appreciate people's comments on the details of the current draft.
I don’t think that this proposal goes far enough. Symantec has demonstrated that they have no interest in engaging with the Mozilla community about these issues. Over the past months, dozens of relevant and important questions have been asked of Symantec by community members, and most of them remain unanswered to this day. In most cases, when questions were answered, it was only after setting a deadline, at the last possible moment of that deadline, and in a format that made it very hard to track responses and ask follow-up questions.

Given this lack of constructive engagement, the recent request that we “pause” making any decisions, and the breathtaking severity of the issues discovered, I believe that the only objective should be to minimize risk to users of the Mozilla root store by removing the Symantec roots as quickly as possible. Trusted roots are a privilege and a responsibility, not a right, and Symantec has demonstrated that they are not capable of fulfilling that responsibility at this time.

With that in mind and taking into account the responses to previous incidents, I believe the following actions should be taken as part of the proposed ‘new PKI’ plan:

1) Immediate removal of EV treatment from all certificates issued by existing Symantec roots.

2) The establishment of a cutoff date a few months from now after which new certificates issued from existing Symantec roots will no longer be trusted based on notBefore. A variant of this is already in the proposal, but the timeline is unclear.

3) Complete removal of existing Symantec roots from the trust store as quickly as possible while limiting user impact, using the Chrome accelerated expiry proposal as a starting point.

Jonathan

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy