Your below description raises two questions of general interest (though
not of interest to the Mozilla root program):
1. Will DigiCert establish cross-signatures from the old/historic
Symantec roots to continuing DigiCert roots and subCAs?
2. Will DigiCert continue those Symantec services that were not trusted
by Mozilla/Google and which have no functional alternative elsewhere?
This includes a number of situations where Microsoft and other
companies are enforcing that things are signed exclusively by specific
Symantec issuance systems. Known examples include:
- The original SHA-1 time stamping service for code signing (needed for
compatibility with older Windows and Internet Explorer versions).
- The special signing portal for Windows Mobile (the original product
line, not the new renamed Windows 10 Phone product line).
- The "hosted" signing service for Android Apps.
- Possibly any remnants of the Geotrust-based services for the old Nokia
platforms (Symbian S60 etc.).
- Etc.
NOTICE TO SOME READERS: Please read the first paragraph of this mail!
On 14/08/2017 06:03, Jeremy Rowley wrote:
Hi wizard,
Although DigiCert will acquire the assets related to Symantec’s CA business,
DigiCert is not required to use those assets in its business operations. We
are organizing the operations of DigiCert to meet the requirements established
in the Managed CA proposal. This includes having all validation and issuance
performed through DigiCert’s existing PKI and using DigiCert processes
accompanied by DigiCert leadership.
Our interpretation of the Google and Mozilla requirements is similar to yours –
that the goal is to migrate from Symantec’s existing PKI to a third party while
implementing systematic and operational controls over the issuing and
validation processes. Post close, we plan to continue towards these objectives
using the path adopted by the browsers in the Managed CA process. This path
includes regular audits during the transition, a migration away from Symantec’s
issuing and validation systems, and implementation of operational controls to
prevent mis-issuance. Our plan is to transition completely away from the
Symantec issuance platform and validation processes by December 1 and work
towards the distrust dates set by Mozilla for the end of 2018.
The Managed CA requirements seemed designed to (1) give Symantec time to
reengineer processes and systems and (2) work towards rebuilding trust in
Symantec’s operations. The acquisition eliminates the need to reengineer the
process and makes the question of restoring trust moot. With only DigiCert
performing the validation and operating the CA, the risks identified to be
fixed by the Managed CA proposal are remediated as of closing.
Of course, we’re always open to feedback and additional ideas on how to build
community trust. Feel free to message us or submit follow-up questions and
ideas about how we can answer the community’s concerns.
-----Original Message-----
From: dev-security-policy
[mailto:dev-security-policy-bounces+jeremy.rowley=digicert....@lists.mozilla.org]
On Behalf Of wizard--- via dev-security-policy
Sent: Friday, August 11, 2017 9:12 PM
To: mozilla-dev-security-pol...@lists.mozilla.org
Subject: Re: Symantec Update on SubCA Proposal
Steve,
Thank you for responding relatively promptly (at least as compared to previous
Symantec responses) to Devon's questions.
However, these responses seem to imply that a side effect of the sale *is* to
skirt the remediation requirements imposed by Google and Mozilla.
In particular, the agreed upon plan requires issuance (and information
verification) by a managed SubCA that does *not* involve Symantec processes,
equipment, personnel, etc., until trust in those equipment, people, and
processes is established.
If DigiCert were *not* acquiring any of the equipment/personnel/processes from
Symantec, only the customers, this would seem to meet the spirit and letter of
the Symantec remediation plan.
However, the publicly announced details of the acquisition [Devon ref. 2]
explicitly state that equipment and personnel will be transferred from Symantec
to DigiCert. Combined with the answers below, this means that as soon as the
deal closes and this transfer occurs, there is no barrier to the
formerly-Symantec-but-now-DigiCert equipment and personnel immediately
assisting in the issuance of new certificates (presumably under the DigiCert
roots). This seems to go against the spirit (and possibly letter) of the
remediation plan, which was designed to prevent the bad practices within the
existing Symantec CA organization from being involved in further issuances
until a level of trust could be demonstrated.
Perhaps you or DigiCert could clarify why you believe the above not to be the
case.
Thank you.
On Friday, August 11, 2017 at 8:32:33 PM UTC-4, Steve Medin wrote:
-----Original Message-----
From: dev-security-policy [mailto:dev-security-policy-
bounces+steve_medin=symantec....@lists.mozilla.org] On Behalf Of
Devon O'Brien via dev-security-policy
Sent: Wednesday, August 09, 2017 12:24 PM
To: mozilla-dev-security-pol...@lists.mozilla.org
Subject: [EXT] Re: Symantec Update on SubCA Proposal
Hello m.d.s.p.,
I'd just like to give the community a heads up that Chrome’s plan
remains to put up a blog post echoing our recent announcement on
blink-dev [1], but in the meantime, we are reviewing the facts
related to Symantec’s sale of their PKI business to DigiCert [2].
Recently, it has come to our attention that Symantec may have
selected DigiCert from the RFP process to become a Managed CA
Partner. As defined in Google’s first Managed CA proposal [3], then
supported by Symantec’s commitment to “[cover] all aspects of the
SubCA proposal” [4], and finally reiterated in Google’s final
proposal [1], the requirement has always been that the Managed
Partner Infrastructure be operated by an independent and
non-affiliated CA while Symantec worked to rebuild the web community's
confidence.
Based on this information, we have a series of questions that we’d
like Symantec to address for public discussion:
1. Just to confirm, did Symantec select DigiCert to be Managed CA
Partner under the RFP process? If so, in light of DigiCert’s
acquisition of Symantec’s PKI business and Symantec’s substantial
equity investment in DigiCert, can you explain how you believe
selecting DigiCert as the Managed CA Partner meets the stated
requirement of being an independent and non-affiliated organization?
Before we initiated our SubCA RFP process in May, Google provided Symantec with
a list of Certificate Authorities, including DigiCert, which met the
eligibility requirements of a Managed CA under the SubCA proposal. Symantec
conducted a thorough SubCA RFP process and believes DigiCert can credibly meet
browser requirements and timelines.
Symantec decided it was in the best interests of all of its stakeholders to
sell its Website Security and related PKI solutions to DigiCert. To ensure
business continuity for customers, Symantec entered into a SubCA arrangement
with DigiCert simultaneous with entry into the definitive acquisition agreement
to account for the possibility that the acquisition may not close by December
1, 2017.
Regardless of whether the acquisition closes before December 1, 2017 or not,
there is never a circumstance under which DigiCert will be an 'affiliate' of
Symantec with respect to acting as Symantec's Managed CA under the SubCA
proposal. Symantec currently has no ownership interest in or ability
(contractual or otherwise) to control the operations of DigiCert, nor does
either party otherwise constitute an 'affiliate' of the other, as such term is
defined in the CA-Browser Forum Baseline Requirements (v 1.4.9).
At the closing of the acquisition, Symantec is being paid in both cash and
stock, with the latter comprising a 30% ownership interest in the common equity
of DigiCert, which allows for Symantec stockholders to benefit from the
potential value created by the DigiCert business after the closing. This
minority ownership position, which shall not be received by Symantec until the
closing of the acquisition, represents a financial investment in DigiCert.
This financial investment does not give Symantec control over DigiCert's CA
technology, operations or business, and therefore we believe that it satisfies
the spirit of the non-affiliate status that the browser community was seeking
to achieve through the SubCA proposal.
It is Symantec's understanding that all certificates issued by DigiCert on or
after December 1, 2017 and the closing of the acquisition will chain to
DigiCert's existing public roots. If the acquisition closes before December 1,
2017, then no certificates will ever be issued by DigiCert as a Managed CA of
Symantec because DigiCert will not be issuing certificates under a new ICA that
chains to a new Symantec PKI. Rather, in this instance, certificates will
either (i) be issued off of Symantec’s existing PKI, which is permitted under
the SubCA proposal until November 30, 2017, or (ii) be issued off of DigiCert’s
existing PKI. The actual timing of the acquisition closing relative to the
parties’ operational integration planning schedule will determine whether
certificates are issued under both scenarios or just the latter.
If the acquisition does not close before December 1, 2017, then DigiCert has
agreed to serve as Symantec's Managed CA partner as of December 1, 2017, but
will not be an 'affiliate' during this pre-closing period for the reasons
explained above.
2. Were any additional CAs selected to be a Managed CA Partner from
the list of trusted CAs that Symantec “felt best met the browser requirements”?
There were no additional CAs selected to be a Managed CA partner. Symantec
conducted a thorough SubCA RFP process and believes DigiCert can credibly meet
browser requirements and timelines.
Although we believe the DigiCert transaction achieves the goals of Google and
Mozilla and the extended browser community (transition away from Symantec's
existing PKI and issuance platform to one that is accepted by browsers) as well
as our own goals (minimize customer disruption), there are important
differences between this sale transaction and the SubCA proposal. Under the
SubCA proposal, Symantec SSL/TLS certificates would be issued through one or
more independently operated third-party CAs – under an ICA that chains to a new
private PKI issued by Symantec and which is cross-signed by Symantec's existing
PKI – until Symantec developed and deployed a modernized PKI platform that is
accepted into trust stores. After the closing of the DigiCert acquisition, our
customers will be issued SSL/TLS certificates from DigiCert’s existing PKI and
platform, which is currently available and publicly trusted by all browsers.
Symantec decided it was in the best interests of all of its stakeholders to
sell its Website Security and related PKI solutions to DigiCert because this
transaction accelerates the transition for our customers to an existing PKI
platform at DigiCert that meets all industry standards and browser
requirements, ensuring continuity for our customers and providing a foundation
for continued innovation.
Enjoy
Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy