On Mon, Oct 16, 2017 at 10:32 AM, Gervase Markham via dev-security-policy <dev-security-policy@lists.mozilla.org> wrote:
> As per previous discussions and
> https://wiki.mozilla.org/CA:Symantec_Issues, a consensus proposal[0] was
> reached among multiple browser makers for a graduated distrust of
> Symantec roots.
>
> Here is Mozilla’s planned timeline for the graduated distrust of
> Symantec roots (subject to change):
>
> * October 2018 (Firefox 63): Removal/distrust of Symantec roots, with
> caveats described below.
>
> However, there are some subCAs of the Symantec roots that are
> independently operated by companies whose operations have not been
> called into question, and they will experience significant hardship if
> we do not provide a longer transition period for them. For both
> technical and non-technical reasons, a year is an extremely unrealistic
> timeframe for these subCAs to transition to having their certificates
> cross-signed by another CA. For example, the subCA may have implemented
> a host of pinning solutions in their products that would fail with
> non-Symantec-chaining certificates, or the subCA may have large numbers
> of devices that would need to be tested for interoperability with any
> potential future vendor. And, of course contractual negotiations may
> take a significant amount of time.

This pattern also exists for companies that have endpoints which have clients which are pinned to the Symantec-owned roots. These endpoints may also be used by browser clients. It was my understanding that the intent was existing roots would cross sign new managed CAs that would be used for transition.

> Add code to Firefox to disable the root such that only certain subCAs
> will continue to function. So, the final dis-trust of Symantec roots may
> actually involve letting one or two of the root certs remain in
> Mozilla’s trust store, but having special code to distrust all but
> specified subCAs. We would document the information here:
> https://wiki.mozilla.org/CA/Additional_Trust_Changes
> And Mozilla would add tooling to the CCADB to track these special subCAs
> to ensure proper CP/CPS/audits until they have been migrated and
> disabled, and the root certs removed. Mozilla will need to also follow
> up with these subCAs to ensure they are moving away from these root
> certificates and are getting cross-signed by more than one CA in order
> to avoid repeating this situation.

Will the new managed CAs, which will be operated by DigiCert under CP/CPS/Audit independent from the current Symantec ones, also be included on the list of subCAs that will continue to function?

Thanks,
Peter