On 02/08/2017 23:12, Jeremy Rowley wrote:
Hi everyone,
Today, DigiCert and Symantec announced that DigiCert is acquiring the
Symantec CA assets, including the infrastructure, personnel, roots, and
platforms. At the same time, DigiCert signed a Sub CA agreement wherein we
will validate and issue all Symantec certs as of Dec 1, 2017. We are
committed to meeting the Mozilla and Google plans in transitioning away from
the Symantec infrastructure. The deal is expected to close near the end of
the year, after which we will be solely responsible for operation of the CA.
From there, we will migrate customers and systems as necessary to
consolidate platforms and operations while continuing to run all issuance
and validation through DigiCert. We will post updates and plans to the
community as things change and progress.
Wasn't the whole outsourced SubCA plan predicated on the outsourcing
being done to someone else. But with this, DigiCert (as successor to
Symantec) would be outsourcing to itself?
I wanted to post to the Mozilla dev list to:
1. Inform the public,
2. Get community feedback about the transition and concerns, and
3. Get an update from the browsers on what this means for the plan,
noting that we fully commit to the stated deadlines. We're hoping that any
changes
Two things I can say we plan on doing (following closing) to address
concerns are:
a. We plan to segregate certs by type on each root. Going forward, we
will issue all SSL certs from a root while client and email come from
different roots. We also plan on limiting the number of organizations on
each issuing CA. We hope this will help address the "too big to fail" issue
seen with Symantec. By segregating end entities into roots and sub CAs, the
browsers can add affected Sub CAs to their CRL lists quickly and without
impacting the entire ecosystem. This plan is very much in flux, and we'd
love to hear additional recommendations.
b. Another thing we are doing is adding a validation OID to all of our
certificates that identifies which of the BR methods were used to issue the
cert. This way the entire community can readily identify which method was
used when issuing a cert and take action if a method is deemed weak or
insufficient. We think this is a huge improvement over the existing
landscape, and I'm very excited to see that OID rolled out.
If you take over the roots, why continue to keep separate roots for the
former Symantec brands (except as an "old hierarchy used mostly for
their own CRLs and historic relying parties such as certain Microsoft
products")?
Enjoy
Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
