On 24/05/17 16:33, Peter Bowen wrote:
> Can you clarify the meaning of "new PKI"?  I can see two reasonable
> interpretations:
....
> 2) The new PKI includes both new offline CAs that meet the
> requirements to be Root CAs and new subordinate CAs that issue
> end-entity certificates. The new root CAs could be cross-signed by
> existing CAs (regardless of owner), but the new subordinate CAs must
> not be directly signed by any Symantec-owned root CA that currently
> exists.

I was imagining a variant of this, where the subordinate CAs were
cross-signed, but basically this one. I'd assumed that the new PKI
proposed would mean new roots. It certainly means new long-term trust
anchors, so I would expect Symantec to construct it such that they have
new roots (perhaps four - one ECC, one RSA for both EV and non-EV?) and
use them to issue new intermediates, which are then given to the 3rd
party CA to manage. And there's some cross-signing somewhere to make it
all work in old browsers.

> Can you also clarify the expectations with regards to the existing
> roots?  You say "only to be issuing in the new PKI".  Does Mozilla
> intend to require that all CAs that chain to a specific set of roots
> cease issuing all server authentication and email protection after a
> certain date, unless they are also under one of the "new" roots?  If
> so, will issuance be allowed from CAs that chain to the "old" roots
> once certain actions take place (e.g. removed from the trust stores in
> all supported versions of Mozilla products)?

I think that once the new intermediates are set up, we would change
Firefox to:

* Directly trust certs which chain through the new intermediates, i.e.
without relying on the legacy path;
* Only trust certs which are old-PKI-only with a notBefore before a
certain date.

So Symantec would not be prevented from issuing new certs in their old
PKI, but Firefox would no longer trust them.

Eventually, we would like to distrust the old PKI altogether; the
timeline for that is currently the subject of an outstanding question to
Google as to whether they have plans for that.

> Google has proposed adding some indication to certificates of whether
> the information validation was performed by Symantec or another party.
> If Mozilla does not require a third-party to perform validation, would
> it make sense to have a concept of validations performed by the "new"
> RA and validations performed by the "old" RA or validations performed
> in the scope of Symantec audits versus validations performed in the
> scope of another audit?

What decisions might we make on the basis of such a distinction?

Gerv
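As an added illustration (not from the thread, and not Mozilla's or Firefox's actual implementation), the two trust rules Gerv lists above can be modelled as a path-building check: a new-style client treats the new roots and the new intermediates as trust anchors directly, so any path that reaches one of them is trusted regardless of date, while a path that only reaches an old root is trusted solely when the leaf's notBefore precedes the cutoff. The pool also carries a cross-signed copy of the new intermediate so the "make it all work in old browsers" point can be checked: a legacy client that knows only the old roots still finds a path. Every CA name, the cutoff date, and the certificate pool are constructed for the example.

```python
"""Toy model of the trust rules sketched in the thread (added example, not
Mozilla or Firefox code).  Certificates are plain dicts; all CA names, dates
and chain shapes are constructed for illustration."""
from datetime import date

# Constructed trust-anchor sets.  A new-style client trusts the new roots and
# the new intermediates directly; a legacy client trusts only the old roots.
OLD_ROOTS = {"Old Root G1"}
NEW_ROOTS = {"New Root RSA"}
NEW_INTERMEDIATES = {"New Intermediate RSA"}
NEW_ANCHORS = NEW_ROOTS | NEW_INTERMEDIATES
CUTOFF = date(2017, 12, 1)  # assumed "certain date" for old-PKI-only certs

# Constructed pool of CA certificates available for path building.  The same
# subject appears twice on purpose: once signed inside the new PKI and once
# cross-signed by an old root so that legacy clients can still reach an anchor.
CA_POOL = [
    {"subject": "Old Intermediate", "issuer": "Old Root G1"},
    {"subject": "New Intermediate RSA", "issuer": "New Root RSA"},
    {"subject": "New Intermediate RSA", "issuer": "Old Root G1"},  # cross-sign
]

# Constructed end-entity certificates used to exercise the rules.
LEAF_NEW = {"subject": "example.test", "issuer": "New Intermediate RSA",
            "not_before": date(2018, 3, 1)}
LEAF_OLD_EARLY = {"subject": "early.test", "issuer": "Old Intermediate",
                  "not_before": date(2017, 1, 15)}
LEAF_OLD_LATE = {"subject": "late.test", "issuer": "Old Intermediate",
                 "not_before": date(2018, 3, 1)}
LEAF_UNKNOWN = {"subject": "stray.test", "issuer": "Unknown CA",
                "not_before": date(2017, 1, 15)}


def paths_to_anchor(cert, pool, anchors, seen=()):
    """Enumerate every issuer path from `cert` up to a trusted anchor.

    Each path is the list of issuer names from the cert's issuer to the anchor.
    Building stops as soon as an anchor name is reached, which is exactly what
    lets a directly trusted intermediate short-circuit the legacy path."""
    issuer = cert["issuer"]
    if issuer in seen:  # cycle guard; cross-signing can create loops
        return []
    if issuer in anchors:
        return [[issuer]]
    paths = []
    for candidate in pool:
        if candidate["subject"] == issuer:
            for tail in paths_to_anchor(candidate, pool, anchors, seen + (issuer,)):
                paths.append([issuer] + tail)
    return paths


def new_client_decision(leaf, pool=CA_POOL, cutoff=CUTOFF):
    """Apply the two rules from the thread; returns (trusted, reason)."""
    # Rule 1: anything chaining to a new-PKI anchor is trusted outright.
    if paths_to_anchor(leaf, pool, NEW_ANCHORS):
        return True, "chains to a new-PKI anchor"
    # Rule 2: old-PKI-only certs are trusted only if issued before the cutoff.
    if not paths_to_anchor(leaf, pool, OLD_ROOTS):
        return False, "no path to any trust anchor"
    if leaf["not_before"] < cutoff:
        return True, "old PKI only, issued before cutoff"
    return False, "old PKI only, issued on or after cutoff"


def legacy_client_trusts(leaf, pool=CA_POOL):
    """A client that predates the change knows only the old roots and applies
    no date rule; cross-signing is what keeps the new PKI working for it."""
    return bool(paths_to_anchor(leaf, pool, OLD_ROOTS))


if __name__ == "__main__":
    for leaf in (LEAF_NEW, LEAF_OLD_EARLY, LEAF_OLD_LATE, LEAF_UNKNOWN):
        print(leaf["subject"], new_client_decision(leaf),
              "legacy:", legacy_client_trusts(leaf))
```

The cross-signed entry is what makes `LEAF_NEW` acceptable to both clients: the new-style client stops at the intermediate itself, while the legacy client walks one step further to the old root. Distrusting the old PKI altogether, as the message says Mozilla would eventually like to do, amounts to dropping the second rule so that only `NEW_ANCHORS` paths remain.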
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy