On Tue, Oct 17, 2017 at 5:06 AM, Gervase Markham via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote:
> On 16/10/17 20:22, Peter Bowen wrote: > > Will the new managed CAs, which will operated by DigiCert under > > CP/CPS/Audit independent from the current Symantec ones, also be > > included on the list of subCAs that will continue to function? > > AIUI we are still working out the exact configuration of the new PKI but > my understanding is that the new managed CAs will be issued by DigiCert > roots and cross-signed by old Symantec roots. Therefore, they will be > trusted in Firefox using a chain up to the DigiCert roots. Hi Gerv, That doesn't seem to line up with the discussion in https://groups.google.com/d/topic/mozilla.dev.security.policy/_EnH2IeuZtw/discussion to date. Do you have any additional information to share? Note that the path you just described is the one that poses non-trivial risk to the ecosystem, from an interoperability standpoint, and thus may not be desirable. See https://groups.google.com/d/msg/mozilla.dev.security.policy/_EnH2IeuZtw/yr2vSBdhAAAJ and https://groups.google.com/d/msg/mozilla.dev.security.policy/_EnH2IeuZtw/BNR6gJHCBgAJ for further technical details. _______________________________________________ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy
