Hi everyone,
Today, DigiCert and Symantec announced that DigiCert is acquiring the Symantec CA assets, including the infrastructure, personnel, roots, and platforms. At the same time, DigiCert signed a Sub CA agreement wherein we will validate and issue all Symantec certs as of Dec 1, 2017. We are committed to meeting the Mozilla and Google plans in transitioning away from the Symantec infrastructure. The deal is expected to close near the end of the year, after which we will be solely responsible for operation of the CA. From there, we will migrate customers and systems as necessary to consolidate platforms and operations while continuing to run all issuance and validation through DigiCert. We will post updates and plans to the community as things change and progress.

I wanted to post to the Mozilla dev list to:

1. Inform the public,
2. Get community feedback about the transition and concerns, and
3. Get an update from the browsers on what this means for the plan, noting that we fully commit to the stated deadlines.

We're hoping that any changes

Two things I can say we plan on doing (following closing) to address concerns are:

a. We plan to segregate certs by type on each root. Going forward, we will issue all SSL certs from a root while client and email come from different roots. We also plan on limiting the number of organizations on each issuing CA. We hope this will help address the "too big to fail" issue seen with Symantec. By segregating end entities into roots and sub CAs, the browsers can add affected Sub CAs to their CRL lists quickly and without impacting the entire ecosystem. This plan is very much in flux, and we'd love to hear additional recommendations.

b. Another thing we are doing is adding a validation OID to all of our certificates that identifies which of the BR methods were used to issue the cert. This way the entire community can readily identify which method was used when issuing a cert and take action if a method is deemed weak or insufficient.
We think this is a huge improvement over the existing landscape, and I'm very excited to see that OID rolled out. Thanks a ton for any thoughts you offer.

Jeremy
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy