On Tue, Mar 13, 2018 at 8:36 AM, Kai Engert via dev-security-policy <dev-security-policy@lists.mozilla.org> wrote:

> On 12.03.2018 22:19, Kathleen Wilson via dev-security-policy wrote:
> > Wayne and I have posted a Mozilla Security Blog regarding the current
> > plan for distrusting the Symantec TLS certs.
> >
> > https://blog.mozilla.org/security/2018/03/12/distrust-symantec-tls-certificates/
>
> Hello Kathleen and Wayne,
>
> the blog post says, the subCAs controlled by Apple and Google are the
> ONLY exceptions.
>
> However, the Mozilla Firefox code also treats certain DigiCert subCAs as
> exceptions.
>
> Based on Ryan Sleevi's recent comments on this list, I had concluded
> that the excluded DigiCert subCAs are used to support companies other
> than Apple and Google. Is my understanding right or wrong?

I think your understanding is incorrect. The DigiCert SubCAs are being treated as part of the Managed Partner Infrastructure (aka the consensus plan), and the (cross-signed DigiCert Roots) are excluded to avoid path building issues in Firefox. That is, the exclusion of those DigiCert Sub-CAs *is* the consensus plan referred to - what else could it be?

> Are Apple and Google really the only beneficials of the exceptions, or
> should the blog post get updated to mention the additional exceptions?

Do you think the above clarifies?