On 19/05/2017 22:04, Kathleen Wilson wrote:
> On Friday, May 19, 2017 at 8:42:40 AM UTC-7, Gervase Markham wrote:
>
>> I have passed that document to Kathleen, and I hope she will be
>> endorsing this general direction soon, at which point it will no longer
>> be a draft.
>>
>> Assuming she does, this will effectively turn into a 3-way conversation
>> between Symantec, Google and Mozilla, to iron out the details of what's
>> required, with the Google proposal as a base. (Which I'm fine with as a
>> starting point.)
>>
>> Comments are therefore invited on what modifications to the plan or
>> additional requirements Mozilla might want to suggest/impose, and
>> (importantly) why those suggestions/impositions are necessary and
>> proportionate.
>
> Gerv, thank you for all the effort you have been putting into this
> investigation into Symantec's mis-issuances, and in identifying the best way to
> move forward with the primary goal being to help keep end-users safe.
>
> I fully support requiring Symantec to set up a new PKI on new infrastructure,
> and to transition to it in phases, in order to minimize the impact and reduce
> the risk for end-users.
>
> I think the general direction is correct, but I think there are a few details
> to be ironed out, such as:
>
> - What validity periods should be allowed for SSL certs being issued in the old
> PKI (until the new PKI is ready)? I prefer that this be on the order of 13
> months, and not on the order of 3 years, so that we can hope to distrust the
> old PKI as soon as possible. I prefer to not have to wait 3 years to stop
> trusting the old PKI for SSL, because a bunch of 3-year SSL certs get issued
> this year.


I think this can be solved by having either the new Symantec PKI (if
trusted) or some other trusted CA cross sign the Managed SubCA, then
including that cross cert in the P11 object in Mozilla products.

This would disconnect the new certs (even if they have 35 months left)
from the old Symantec PKI for any client that includes the cross certs
in its standard store, allowing the old CA certs to be removed in the
very same release (unless of course there are pre-transition certs that
should still be trusted).

> - Perhaps the new PKI should only be cross-signed by a particular intermediate
> cert of a particular root cert, so that we can begin to distrust the rest of
> the old PKI as soon as possible.


Again, the idea would be that once the new PKI cross signs the
transitional managed SubCAs, root stores can ship the new root CAs and
the new cross certs for the SubCAs while instantly distrusting the old
PKI.  In other words the Managed/transitional SubCAs would serve the
role of your proposed "particular intermediate cert".


> - I'm not sold on the idea of requiring Symantec to use third-party CAs to
> perform validation/issuance on Symantec's behalf. The most serious concerns
> that I have with Symantec's old PKI are with their third-party subCAs and
> third-party RAs. I don't have particular concern about Symantec doing the
> validation/issuance in-house. So, I think it would be better/safer for Symantec
> to staff up to do the validation/re-validation in-house rather than using third
> parties. If the concern is about regaining trust, then add auditing to this.


That seems to be a matter of debate.  I have been arguing the same
point without success.



Enjoy

Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S.  https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
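The cross-signing mechanism Jakob describes above, worked through as an added example (not code from the thread or from any of the CAs named): one managed SubCA key receives two certificates, one issued by the old root and a cross-certificate issued by the new root, and a small path builder shows that once the old root is dropped from the trust store, leaves under that SubCA still chain to the new root only when the cross-certificate is available. It uses the `cryptography` library; every name and key is constructed here for illustration.

```python
from datetime import datetime, timedelta, timezone
from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.x509.oid import NameOID
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec

def _name(cn):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])

def _cert(subject_cn, subject_key, issuer_cn, issuer_key, ca):
    # Minimal certificate carrying only the fields path building needs.
    now = datetime.now(timezone.utc)
    return (x509.CertificateBuilder()
            .subject_name(_name(subject_cn)).issuer_name(_name(issuer_cn))
            .public_key(subject_key.public_key()).serial_number(x509.random_serial_number())
            .not_valid_before(now - timedelta(days=1)).not_valid_after(now + timedelta(days=365))
            .add_extension(x509.BasicConstraints(ca=ca, path_length=None), critical=True)
            .sign(issuer_key, hashes.SHA256()))

def _signed_by(cert, issuer):
    # A matching issuer name is not enough: the issuer's key must verify the signature.
    try:
        issuer.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                   ec.ECDSA(cert.signature_hash_algorithm))
        return cert.issuer == issuer.subject
    except InvalidSignature:
        return False

def build_path(cert, pool, anchors, depth=0):
    # Depth-first path building: trust anchors first, then intermediates from the pool.
    for anchor in anchors:
        if _signed_by(cert, anchor):
            return [cert, anchor]
    for candidate in pool:
        if depth < 5 and _signed_by(cert, candidate):
            rest = build_path(candidate, pool, anchors, depth + 1)
            if rest:
                return [cert] + rest
    return None  # no path to any trust anchor: the certificate is untrusted

# Constructed scenario: one managed SubCA key with two certificates (issued by the old
# root, and cross-signed by the new root) and one leaf issued under that SubCA key.
old_key, new_key, sub_key, leaf_key = (ec.generate_private_key(ec.SECP256R1()) for _ in range(4))
OLD_ROOT = _cert("Old Root", old_key, "Old Root", old_key, True)
NEW_ROOT = _cert("New Root", new_key, "New Root", new_key, True)
SUBCA_OLD = _cert("Managed SubCA", sub_key, "Old Root", old_key, True)
SUBCA_CROSS = _cert("Managed SubCA", sub_key, "New Root", new_key, True)
LEAF = _cert("www.example.test", leaf_key, "Managed SubCA", sub_key, False)
```

With only the old root trusted the leaf chains through `SUBCA_OLD`; with the old root removed it chains only if `SUBCA_CROSS` is in the pool, which is exactly the "ship the cross cert, drop the old root in the same release" step Jakob proposes.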