Notice of Intent to Deprecate and Remove: Trust in Symantec-issued Certificates
(Posting in a Google Capacity)

I just wanted to notify the members of this Forum that we have started an Intent to Deprecate and Remove, consistent with our Blink process, related to certain certificates issued by Symantec Corporation.

This is a proposed plan, not a final commitment, and we welcome all feedback from members of this Forum to understand the risks and challenges. To understand the goals of this process, you can find more details at https://www.chromium.org/blink

You can participate in this discussion at https://groups.google.com/a/chromium.org/forum/#!topic/blink-dev/eUAKwjihhBs

___
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
Re: Notice of Intent to Deprecate and Remove: Trust in Symantec-issued Certificates
On Thursday, March 23, 2017 at 12:09:23 PM UTC-4, Ryan Sleevi wrote:
> (Posting in a Google Capacity)
>
> I just wanted to notify the members of this Forum that we have started an
> Intent to Deprecate and Remove, consistent with our Blink process, related to
> certain certificates issued by Symantec Corporation.
>
> This is a proposed plan, not a final commitment, and we welcome all feedback
> from members of this Forum to understand the risks and challenges. To
> understand the goals of this process, you can find more details at
> https://www.chromium.org/blink
>
> You can participate in this discussion at
> https://groups.google.com/a/chromium.org/forum/#!topic/blink-dev/eUAKwjihhBs

What will be the process for critical infrastructure such as medical devices and payment systems when they're affected by this?
Re: Notice of Intent to Deprecate and Remove: Trust in Symantec-issued Certificates
On Thu, Mar 23, 2017 at 12:54 PM, tarah.symantec--- via dev-security-policy wrote:
> What will be the process for critical infrastructure such as medical
> devices and payment systems when they're affected by this?

To avoid fragmentation of discussion, would it be possible to reply to the blink-dev@ list?

I totally realize the overhead for participants on either side - Mozilla dev.security.policy members having to post to a different list vs blink-dev members potentially needing to post to this list. We've opted for blink-dev@ in this case, and welcome feedback on how to improve this process in the future.

Given the interest and role this community has played in these issues, we wanted to inform and solicit feedback, but we're not quite to the point where the primary discussion would happen on this list.

Thanks for understanding.
Re: Notice of Intent to Deprecate and Remove: Trust in Symantec-issued Certificates
On 23/03/2017 17:09, Ryan Sleevi wrote:
> (Posting in a Google Capacity)
>
> I just wanted to notify the members of this Forum that we have started an
> Intent to Deprecate and Remove, consistent with our Blink process, related to
> certain certificates issued by Symantec Corporation.
>
> This is a proposed plan, not a final commitment, and we welcome all feedback
> from members of this Forum to understand the risks and challenges. To
> understand the goals of this process, you can find more details at
> https://www.chromium.org/blink
>
> You can participate in this discussion at
> https://groups.google.com/a/chromium.org/forum/#!topic/blink-dev/eUAKwjihhBs

According to the linked document, Google is intending to distrust *all* Symantec issued certificates with a validity longer than 9 months, which is less than the 12 month validity normally being the minimum that site operators can purchase from CAs such as Symantec.

It is also worth noting that this is apparently scheduled to occur less than 12 months from now (the document refers to Chrome/Blink version numbers with no associated dates, but contains a mention that one of the relevant releases would happen over the "winter holiday", presumably Christmas 2017).

Since I know of no commercial (as opposed to free) CAs that routinely sell certificates with a duration of less than 12 months, this seems highly draconian and designed to drive Symantec out of the CA business.

It also seems to ignore every mitigating factor discussed in this group, including those posted by Symantec themselves.

For example the cited number of "30,000" affected certificates seems to come from the number of certificates that Symantec is actively double checking to ensure they were *not* misissued in a way similar to the original 127.

It would seem that the only way to remain interoperable with both Chrome and the legacy devices and systems that trust only Symantec owned roots, would be if Chrome's TLS implementation somehow identified itself to servers as being a Chrome-based implementation before servers present their certificate.

The computing world at large would be significantly inconvenienced if Symantec was forced to close down its CA business, in particular the parts of that business catering to other markets than general WebPki certificates.

Enjoy

Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
Re: Notice of Intent to Deprecate and Remove: Trust in Symantec-issued Certificates
On Thu, Mar 23, 2017 at 1:38 PM, Jakob Bohm via dev-security-policy <dev-security-policy@lists.mozilla.org> wrote:
> On 23/03/2017 17:09, Ryan Sleevi wrote:
>
>> (Posting in a Google Capacity)
>>
>> I just wanted to notify the members of this Forum that we have started an
>> Intent to Deprecate and Remove, consistent with our Blink process, related
>> to certain certificates issued by Symantec Corporation.
>>
>> This is a proposed plan, not a final commitment, and we welcome all
>> feedback from members of this Forum to understand the risks and challenges.
>> To understand the goals of this process, you can find more details at
>> https://www.chromium.org/blink
>>
>> You can participate in this discussion at
>> https://groups.google.com/a/chromium.org/forum/#!topic/blink-dev/eUAKwjihhBs
>>
>
> According to the linked document, Google is intending to distrust *all*
> Symantec issued certificates with a validity longer than 9 months,
> which is less than the 12 month validity normally being the minimum
> that site operators can purchase from CAs such as Symantec.
>
> It is also worth noting that this is apparently scheduled to occur less
> than 12 months from now (The document refers to Chrome/Blink version
> numbers with no associated dates, but contains a mention that one of
> the relevant releases would happen over the "winter holiday",
> presumably Christmas 2017).
>
> Since I know of no commercial (as opposed to free) CAs that routinely
> sell certificates with a duration of less than 12 months, this seems
> highly draconian and designed to drive Symantec out of the CA business.
>
> It also seems to ignore every mitigating factor discussed in this
> group, including those posted by Symantec themselves.
>
> For example the cited number of "30,000" affected certificates seems to
> come from the number of certificates that Symantec is actively double
> checking to ensure they were *not* misissued in a way similar to the
> original 127.
>
> It would seem that the only way to remain interoperable with both
> Chrome and the legacy devices and systems that trust only Symantec
> owned roots, would be if Chrome's TLS implementation somehow identified
> itself to servers as being a Chrome-based implementation before servers
> present their certificate.
>
> The computing world at large would be significantly inconvenienced if
> Symantec was forced to close down its CA business, in particular the
> parts of that business catering to other markets than general WebPki
> certificates.

(In Google Capacity)

By no means do I want to insist you must discuss on blink-...@chromium.org, but I do want to highlight that the process follows our Blink Process for assessing risk, and you're more than welcome and encouraged to share this feedback there to ensure it's considered in relation to the proposed plan for Chrome.

If you wish to only address this relative to the Mozilla community, please feel free to do so here, and I in no means want to tell you where or how to do so. I can only state that communication to blink-...@chromium.org is what will inform Google Chrome's approach to this matter.

All the best,
Ryan
Re: Notice of Intent to Deprecate and Remove: Trust in Symantec-issued Certificates
On 23/03/2017 20:27, Ryan Sleevi wrote:
> On Thu, Mar 23, 2017 at 1:38 PM, Jakob Bohm via dev-security-policy <dev-security-policy@lists.mozilla.org> wrote:
>
>> On 23/03/2017 17:09, Ryan Sleevi wrote:
>>
>>> (Posting in a Google Capacity)
>>>
>>> I just wanted to notify the members of this Forum that we have started an
>>> Intent to Deprecate and Remove, consistent with our Blink process, related
>>> to certain certificates issued by Symantec Corporation.
>>>
>>> This is a proposed plan, not a final commitment, and we welcome all
>>> feedback from members of this Forum to understand the risks and challenges.
>>> To understand the goals of this process, you can find more details at
>>> https://www.chromium.org/blink
>>>
>>> You can participate in this discussion at
>>> https://groups.google.com/a/chromium.org/forum/#!topic/blink-dev/eUAKwjihhBs
>>
>> According to the linked document, Google is intending to distrust *all*
>> Symantec issued certificates with a validity longer than 9 months,
>> which is less than the 12 month validity normally being the minimum
>> that site operators can purchase from CAs such as Symantec.
>>
>> It is also worth noting that this is apparently scheduled to occur less
>> than 12 months from now (The document refers to Chrome/Blink version
>> numbers with no associated dates, but contains a mention that one of
>> the relevant releases would happen over the "winter holiday",
>> presumably Christmas 2017).
>>
>> Since I know of no commercial (as opposed to free) CAs that routinely
>> sell certificates with a duration of less than 12 months, this seems
>> highly draconian and designed to drive Symantec out of the CA business.
>>
>> It also seems to ignore every mitigating factor discussed in this
>> group, including those posted by Symantec themselves.
>>
>> For example the cited number of "30,000" affected certificates seems to
>> come from the number of certificates that Symantec is actively double
>> checking to ensure they were *not* misissued in a way similar to the
>> original 127.
>>
>> It would seem that the only way to remain interoperable with both
>> Chrome and the legacy devices and systems that trust only Symantec
>> owned roots, would be if Chrome's TLS implementation somehow identified
>> itself to servers as being a Chrome-based implementation before servers
>> present their certificate.
>>
>> The computing world at large would be significantly inconvenienced if
>> Symantec was forced to close down its CA business, in particular the
>> parts of that business catering to other markets than general WebPki
>> certificates.

The above message (and one by Symantec) were posted to the mozilla.dev.security.policy newsgroup prior to becoming aware of Google's decision to move the discussion to its own private mailing list and procedures. I would encourage everyone concerned to keep the public Mozilla newsgroup copied on all messages in this discussion, which seems to have extremely wide repercussions.

Enjoy

Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
Re: Notice of Intent to Deprecate and Remove: Trust in Symantec-issued Certificates
(Posting in an official capacity)

Jakob,

As the initial message said:

"You can participate in this discussion at https://groups.google.com/a/chromium.org/forum/#!topic/blink-dev/eUAKwjihhBs"

I've removed the cross-post, to ensure that threads do not fork due to members being subscribed to one list versus the other. I know this is a new approach, and appreciate your understanding as we try to work through the challenges.

On Thu, Mar 23, 2017 at 3:54 PM, Jakob Bohm via dev-security-policy <dev-security-policy@lists.mozilla.org> wrote:
> On 23/03/2017 20:27, Ryan Sleevi wrote:
>
>> On Thu, Mar 23, 2017 at 1:38 PM, Jakob Bohm via dev-security-policy <
>> dev-security-policy@lists.mozilla.org> wrote:
>>
>>> On 23/03/2017 17:09, Ryan Sleevi wrote:
>>>
>>>> (Posting in a Google Capacity)
>>>>
>>>> I just wanted to notify the members of this Forum that we have started an
>>>> Intent to Deprecate and Remove, consistent with our Blink process, related
>>>> to certain certificates issued by Symantec Corporation.
>>>>
>>>> This is a proposed plan, not a final commitment, and we welcome all
>>>> feedback from members of this Forum to understand the risks and challenges.
>>>> To understand the goals of this process, you can find more details at
>>>> https://www.chromium.org/blink
>>>>
>>>> You can participate in this discussion at
>>>> https://groups.google.com/a/chromium.org/forum/#!topic/blink-dev/eUAKwjihhBs
>>>
>>> According to the linked document, Google is intending to distrust *all*
>>> Symantec issued certificates with a validity longer than 9 months,
>>> which is less than the 12 month validity normally being the minimum
>>> that site operators can purchase from CAs such as Symantec.
>>>
>>> It is also worth noting that this is apparently scheduled to occur less
>>> than 12 months from now (The document refers to Chrome/Blink version
>>> numbers with no associated dates, but contains a mention that one of
>>> the relevant releases would happen over the "winter holiday",
>>> presumably Christmas 2017).
>>>
>>> Since I know of no commercial (as opposed to free) CAs that routinely
>>> sell certificates with a duration of less than 12 months, this seems
>>> highly draconian and designed to drive Symantec out of the CA business.
>>>
>>> It also seems to ignore every mitigating factor discussed in this
>>> group, including those posted by Symantec themselves.
>>>
>>> For example the cited number of "30,000" affected certificates seems to
>>> come from the number of certificates that Symantec is actively double
>>> checking to ensure they were *not* misissued in a way similar to the
>>> original 127.
>>>
>>> It would seem that the only way to remain interoperable with both
>>> Chrome and the legacy devices and systems that trust only Symantec
>>> owned roots, would be if Chrome's TLS implementation somehow identified
>>> itself to servers as being a Chrome-based implementation before servers
>>> present their certificate.
>>>
>>> The computing world at large would be significantly inconvenienced if
>>> Symantec was forced to close down its CA business, in particular the
>>> parts of that business catering to other markets than general WebPki
>>> certificates.
>>>
>>
>
> The above message (and one by Symantec) were posted to the
> mozilla.dev.security.policy newsgroup prior to becoming aware of
> Google's decision to move the discussion to its own private mailing
> list and procedures. I would encourage everyone concerned to keep the
> public Mozilla newsgroup copied on all messages in this discussion,
> which seems to have extremely wide repercussions.
>
> Enjoy
>
> Jakob
> --
> Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
> Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10
> This public discussion message is non-binding and may contain errors.
> WiseMo - Remote Service Management for PCs, Phones and Embedded
Re: Notice of Intent to Deprecate and Remove: Trust in Symantec-issued Certificates
On Thu, Mar 23, 2017 at 12:54 PM, Jakob Bohm via dev-security-policy wrote:
>
> The above message (and one by Symantec) were posted to the
> mozilla.dev.security.policy newsgroup prior to becoming aware of
> Google's decision to move the discussion to its own private mailing
> list and procedures. I would encourage everyone concerned to keep the
> public Mozilla newsgroup copied on all messages in this discussion,
> which seems to have extremely wide repercussions.

Jakob,

Maybe I missed it, but I don't think that Mozilla is involved in this proposal. The blink-dev mailing list has an open membership policy and public anonymously accessible archives. Obviously anyone can copy m.d.s.p, as it doesn't have posting restrictions, but it seems reasonable that Chrom(ium|e)-only discussions would be on a chromium mailing list.

Thanks,
Peter
Re: Notice of Intent to Deprecate and Remove: Trust in Symantec-issued Certificates
On 23/03/17 19:54, Jakob Bohm wrote:
> The above message (and one by Symantec) were posted to the
> mozilla.dev.security.policy newsgroup prior to becoming aware of
> Google's decision to move the discussion to its own private mailing
> list and procedures. I would encourage everyone concerned to keep the
> public Mozilla newsgroup copied on all messages in this discussion,
> which seems to have extremely wide repercussions.

Actually, could I encourage everyone _not_ to do that? Ryan has requested this discussion happen on the blink-dev list. Not everyone who is a member here is a member there, or vice versa, and attempting to have the discussion across both lists is likely to lead to significant fragmentation and confusion.

Thanks,
Gerv