On Mon, May 22, 2017 at 9:33 AM, Gervase Markham via dev-security-policy <dev-security-policy@lists.mozilla.org> wrote:

> On 19/05/17 21:04, Kathleen Wilson wrote:
>> - What validity periods should be allowed for SSL certs being issued
>> in the old PKI (until the new PKI is ready)?
>
> Symantec is required only to be issuing in the new PKI by 2017-08-08 -
> in around ten weeks' time. In the meantime, there is no restriction
> beyond the normal one on the length they can issue. This makes sense,
> because if certs issued yesterday will expire 39 months from yesterday,
> then certs issued in 10 weeks will only expire 10 weeks after that - not
> much difference.

Can you clarify the meaning of "new PKI"? I can see two reasonable interpretations:

1) The systems and processes used to issue end-entity certificates (server authentication and email protection) must be distinct from the existing systems. This implies that a new set of subordinate CAs under the existing Symantec-owned roots would meet the requirements. These new subordinate CAs could be owned and operated either by Symantec or by a third party who has their own WebTrust audit.

2) The new PKI includes both new offline CAs that meet the requirements to be Root CAs and new subordinate CAs that issue end-entity certificates. The new root CAs could be cross-signed by existing CAs (regardless of owner), but the new subordinate CAs must not be directly signed by any Symantec-owned root CA that currently exists.

Can you also clarify the expectations with regard to the existing roots? You say "only to be issuing in the new PKI". Does Mozilla intend to require that all CAs that chain to a specific set of roots cease issuing all server authentication and email protection after a certain date, unless they are also under one of the "new" roots? If so, will issuance be allowed from CAs that chain to the "old" roots once certain actions take place (e.g. removed from the trust stores in all supported versions of Mozilla products)?

>> - I'm not sold on the idea of requiring Symantec to use third-party
>> CAs to perform validation/issuance on Symantec's behalf. The most
>> serious concerns that I have with Symantec's old PKI are with their
>> third-party subCAs and third-party RAs. I don't have particular
>> concern about Symantec doing the validation/issuance in-house. So, I
>> think it would be better/safer for Symantec to staff up to do the
>> validation/re-validation in-house rather than using third parties. If
>> the concern is about regaining trust, then add auditing to this.
>
> Of course, if we don't require something but Google do (or vice versa)
> then Symantec will need to do it anyway. But I will investigate in
> discussions whether some scheme like this might be acceptable to both
> the other two sides and might lead to a quicker migration timetable to
> the new PKI.

Google has proposed adding some indication to certificates of whether the information validation was performed by Symantec or another party. If Mozilla does not require a third party to perform validation, would it make sense to have a concept of validations performed by the "new" RA and validations performed by the "old" RA, or validations performed in the scope of Symantec audits versus validations performed in the scope of another audit?

Thanks,
Peter