On Thu, Mar 1, 2018 at 4:45 PM, Kai Engert via dev-security-policy <
dev-security-policy@lists.mozilla.org> wrote:

> On 01.03.2018 18:45, Ryan Sleevi via dev-security-policy wrote:
> >>
> >> The point of my question is to clarify, if the DigiCert transition Roots
> >> are completely separate from the Apple/Google subCA whitelisting
> >> requirements.
> >>
> >
> > I'm not sure how to interpret the Apple/Google question, but yes, they are
> > treated as completely separate.
>
> I'm trying to have a clearer understanding about "who needs what".
>
> Let me reword it.
>
> Google requests that certain subCA SPKIs are whitelisted, to ensure
> continued trust of Symantec-issued certificates that are used by
> infrastructure that is operated by Google.
>
> Is whitelisting the SPKI found in the Google subCA sufficient to achieve
> the need of trusting Google's server infrastructure?
>
> I assume the answer is yes. If I'm right, and the answer is "yes", then
> it means that whitelisting the SPKIs from the DigiCert transition Roots
> isn't required for Google's servers. It's required for continued trust
> of other, non-Google server systems.
>
> Or rephrasing again: There are no Google servers that use certificates
> from DigiCert's Managed Partner Infrastructure.
>
> I further assume that it's possible to replace the word Google with the
> word Apple in all previous paragraphs, and the statements are still
> correct.


Gotcha.

I can't personally speak to that, then - that's up to Apple and Google's
PKI teams - but:
1) I'm not aware of it
2) But it's also not prohibited. The solution was designed to accommodate
that case if they should need.
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
