On Tue, Oct 17, 2017 at 2:06 AM, Gervase Markham <g...@mozilla.org> wrote:
> On 16/10/17 20:22, Peter Bowen wrote:
>> Will the new managed CAs, which will be operated by DigiCert under
>> CP/CPS/Audit independent from the current Symantec ones, also be
>> included on the list of subCAs that will continue to function?
>
> AIUI we are still working out the exact configuration of the new PKI but
> my understanding is that the new managed CAs will be issued by DigiCert
> roots and cross-signed by old Symantec roots. Therefore, they will be
> trusted in Firefox using a chain up to the DigiCert roots.

Gerv,

I'm hoping you can clarify the Mozilla position a little, given a hypothetical.

For this, please assume that DigiCert is the owner and operator of the
VeriSign, Thawte, and GeoTrust branded roots currently included in NSS
and that they became the owner and operator on 15 November 2017 (i.e.
unquestionably before 1 December 2017).

If DigiCert generates a new online issuing CA on 20 March 2018 and
cross-signs it using their VeriSign Class 3 Public Primary
Certification Authority - G5 offline root CA, will certificates from
this new issuing CA be trusted by Firefox?  If so, what are the
parameters of trust, for example not trusted until the new CA is
whitelisted by Mozilla or only trusted until a certain date?

What about the same scenario except the new issuing CA is generated on
30 June 2019?

Thanks,
Peter
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
