Re: Mozilla requirements of Symantec

Thu, 08 Jun 2017 09:39:57 -0700 

On 08/06/2017 11:09, Gervase Markham wrote:

On 07/06/17 22:30, Jakob Bohm wrote:

Potential clarification: By "New PKI", Mozilla apparently refers to the
"Managed CAs", "Transition to a New Symantec PKI" and related parts of
the plan, not to the "new roots" for the "modernized platform" / "new
infrastructure".


I expect those things to be interlinked; by "New PKI" I was referring to
them both.

Symantec has not yet stated how they plan to structure their new
arrangements, but I would expect that the intermediate certs run by the
managed CAs would in some way become part of Symantec's new PKI,
operated by them, once it was up and running. Ryan laid out a way
Symantec could structure this on blink-dev, I believe, but the final
structure is up to them.




As the linked proposal was worded (I am not on Blink mailing lists), it 
seemed obvious that the original timeline was:



  August 2017: All new certs issued by Managed SubCAs that chain to the 
old Symantec roots.  Private keys for these SubCAs reside an the third 
party CAs in secure hardware which will presumable prevent sharing them 
with Symantec.


  Much later: The new infrastructure passes all readiness audits.


  Then: A signing ceremony creates the new roots and their first set of 
SubCAs.  Cross signatures are created from the old roots to the new 
roots.   Maybe/Maybe not cross signatures are also created from the new 
roots to the managed SubCAs.


  Next: Symantec reapplies for inclusion with the new roots.


  Later: Once the new roots are generally accepted, Symantec can 
actually issue from the new SubCAs.



  Long term: CRL and OCSP management for the managed SubCAs remain with 
the third party CAs.  This continues until the managed SubCAs expire or 
are revoked.



Enjoy

Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S.  https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy






















					Reply via email to