On Thu, Mar 1, 2018 at 8:17 AM, Alex Gaynor via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote:
> Is it practical to remove the Symantec root certificates and (temporarily) > add the Google and Apple intermediates to the trust store? This should > facilitate removing trust in Symantec without disruption. > > Before we can completely remove the Symantec roots, we need to address email protection (S/MIME) certs. An interim step would be to turn off the websites trust bit. The decision to whitelist specific keys rather than add the intermediates to the trust store was intentional - it allows DigiCert to sign additional whitelisted intermediates during the transition period. > Alex > > On Thu, Mar 1, 2018 at 10:15 AM, Kai Engert via dev-security-policy < > dev-security-policy@lists.mozilla.org> wrote: > > > > Are the owners of the Apple and Google subCAs able to announce a date, > > after which they will no longer require their Symantec-issued subCAs to > > be whitelisted? > > > I would also like an answer to this question. Since DigiCert also holds whitelisted keys, I think we need to hear from them as well. > Thanks > > Kai > > - Wayne _______________________________________________ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy
