On Thu, Mar 1, 2018 at 11:14 AM, Kai Engert <k...@kuix.de> wrote:

> Hello Ryan,
>
> thanks again for this response. The situation appears very complex. I
> might follow up with a couple of clarification questions, that are
> hopefully simple to answer. Let me start with this one:
>
> Chromium will whitelist the SPKIs of a "CN=DigiCert Transition ECC Root"
> and a "CN=DigiCert Transition RSA Root" certificate, as found in this
> directory:
> https://chromium.googlesource.com/chromium/src/+/master/net/data/ssl/symantec/managed
>
> Are there any Apple systems, servers, infrastructure, devices, that rely
> on any of these DigiCert transition Root CAs?
>
> Are there any Google systems, servers, infrastructure, devices, that
> rely on any of these DigiCert transition Root CAs?
>
> The point of my question is to clarify, if the DigiCert transition Roots
> are completely separate from the Apple/Google subCA whitelisting
> requirements.
>
I'm not sure how to interpret the Apple/Google question, but yes, they are treated as completely separate. The distinction here between the "Managed Sub-CA" and "Independently Operated Sub-CA" goes back to the announced Managed Partner Infrastructure plan. The Managed Sub-CAs have requirements imposed on them (such as CT or audit frequency), as part of the risk-mitigation for the Managed Partner Infrastructure plan, that the IOSCs did not.

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy