On Tuesday, June 6, 2017 at 2:03:29 PM UTC, Gervase Markham wrote:
>
> 1) Scope of Distrust
>
> Google proposal: existing CT-logged certificates issued after 1st June
> 2016 would continue to be trusted until expiry.
> Symantec proposal: all CT-logged certificates should continue to be
> trusted until expiry.
> Rationale for change: if transparency is enough to engender trust, that
> principle should be applied consistently. This also significantly
> reduces the revalidation burden.
As mentioned in the other Symantec thread, right now Firefox doesn't do CT, so notBefore >= 2016-06 is the non-CT way of at least partially distrusting the old/unknown PKI soon-ish. I don't think it's a good idea to just broaden this to 2015-01 unless we know we can do CT by 2018-02. (Not sure if we'd be able to defend 2016-06 alone if Google agrees to do 2015-01, though.)

Then again, also in the other thread, you said "Mozilla would wish" the old PKI to be distrusted "sooner than November 2020" and you "expect it to be some time in 2018". Which I found to be a very bold proposition. Has Symantec commented on that yet? If not, can you make them? :-)

In the event that we actually get 2018, allowing some older certs for a few more months might be worth conceding. A little less technically enforceable risk reduction from 2018-02 to 2018-?? in exchange for the "real deal" sooner than expected sounds good.

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy