I broadly echo many of the comments and thoughts of Martin Heaps earlier in this thread.
Much of Symantec's response is disheartening, especially in the "inaccuracies": (the apparent dichotomy between how they have acted and their statement that they only employ the best people implementing best practice to ensure compliance, etc.) There is one aspect, however, which I feel needs the greatest amount of attention: Symantec has in multiple aspects raised what I believe to be reasonable concerns and doubts regarding the practicality of implementation of the proposed out-of-house managed CA transition in a timely fashion. Symantec has made numerous claims as to necessary qualifications, necessary up-scaling, necessary integrations, etc. Ultimately, I do think that the question which arises is: Can an already third-party work with Symantec to stand up new infrastructure and processes and staffing and integration in a sufficiently timely manner to be relevant to this discussion? If it takes so long to stand this up that Symantec could alternatively stand up a new, distinct root CA infrastructure and get that included faster.... does it even become relevant to migrate to a managed CA model for a period of time? How much critical analysis of the potential marketplace and realities of achieving such a relationship with another CA and qualification that there exist a market of CAs who could timely handle the load, etc. can reasonably be performed by the browser programs and/or the larger relying party community? Is what has been demanded of Symantec reasonable? Moreover... What if the requested remedy is actually infeasible? Where does that leave us and where does that leave Symantec? If a managed CA running their issuance for a time is demonstrably infeasible in a relevant time frame, what's the fallback position? Matt _______________________________________________ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy
