On Tue, Jul 25, 2017 at 4:28 PM, Rick Andrews via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote:
> Symantec has proposed timing changes that are consistent with the scope of > distrust of the original SubCA proposal as proposed by Google and endorsed > by Mozilla, which requires premature replacement of over 234,000 > certificates based on our proposed May 1, 2018 distrust date for > certificates issued before June 1, 2016, and optimizes for replacement > certificates to be issued off the new Managed CA(s) infrastructure > (avoiding the requirement for double early replacement for the same > original validity period). We believe our proposal minimizes disruption to > websites and web end-users while meeting the spirit of Google’s and > Mozilla’s prior commentary on their intent regarding the SubCA proposal, > which is to limit the issuance of Symantec certificates under Symantec’s > existing infrastructure and governance. > Hi Rick, Given the importance of this 234,000 number, I was curious to explore. Using the list of certificates Peter Bowen previously put together ( https://groups.google.com/a/chromium.org/d/msg/blink-dev/eUAKwjihhBs/aQqYZX6oBgAJ), I ran a small script to filter out ones that expire before May 2018, or were issued after June 2016. Using this methodlogy, I got a count of 166k, a deviation of ~70k from your number. My 166k includes any certificates that have been replaced since Peter put together the list in April, so in that sense it likely reflects an over estimate of the number of certs needing to be replaced. Can you say a little more on how you came to this number? Cheers, Alex _______________________________________________ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy
