Hi Jakob,

Your below description raises two questions of general interest (though not of interest to the Mozilla root program):

1. Will DigiCert establish cross-signatures from the old/historic Symantec roots to continuing DigiCert roots and subCAs?

[JR] We won’t be cross-signing from DigiCert to Symantec. For cross-signs the other way, we plan on supporting the community’s needs and would love to hear more online and offline about what cross-signs to DigiCert are needed for compatibility and interoperability. Mozilla proposed distrusting Symantec’s roots in 2018 so we’ll work towards that goal. Once it’s removed, the one-way trust from Symantec to DigiCert will fall out of scope. Prior to that, the cross-sign will be operated per the BRs and subject to the Google and Mozilla proposals.

2. Will DigiCert continue those Symantec services that were not trusted by Mozilla/Google and which have no functional alternative elsewhere? This includes a number of situations where Microsoft and other companies are enforcing that things are signed exclusively by specific Symantec issuance systems. Known examples include:

- The original SHA-1 time stamping service for code signing (needed for compatibility with older Windows and Internet Explorer versions).
- The special signing portal for Windows Mobile (the original product line, not the new renamed Windows 10 Phone product line).
- The "hosted" signing service for Android Apps.
- Possibly any remnants of the Geotrust-based services for the old Nokia platforms (Symbian S60 etc.).
- Etc.

[JR] As you mentioned, none of these are trusted by Mozilla or Google so that discussion is better held elsewhere. However, I can say that we plan to support Symantec communities to the extent possible. The only planned deprecation is the Symantec publicly-trusted Web PKI.

Jeremy
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy