Re: Symantec meeting and status

2017-07-13 Thread Vincent Lynch via dev-security-policy
Hi Gerv,

I interpreted your wording as meaning that Symantec will be publicly posting a 
new document (presumably to this list or blink-dev). Is this accurate?

If so, do you (or anyone else at Mozilla, since your vacation has now started) 
know when Symantec plans on doing so?

-Vincent


On Monday, July 3, 2017 at 10:20:31 AM UTC-4, Gervase Markham wrote:
> Hi everyone,
> 
> As I was in the Bay Area for the Mozilla All Hands, Symantec requested a
>...
___
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy


RE: Symantec meeting and status

2017-07-03 Thread Loshin, Peter via dev-security-policy
Thank you, Gerv (and have a great vacation!)

Best,
Peter


-Original Message-
From: Gervase Markham [mailto:g...@mozilla.org] 
Sent: Monday, July 03, 2017 12:21 PM
To: Loshin, Peter; mozilla-dev-security-pol...@lists.mozilla.org
Cc: pr...@mozilla.com; Justin O'Kelly
Subject: Re: Symantec meeting and status

Hi Peter,

I note you have copied in our press team and that you are a journalist; I will 
answer your question as I would the same question from any member of our 
community here if it were asked in this forum.

On 03/07/17 16:54, Loshin, Peter wrote:
> Other than stating that it will be publishing its proposal for 
> implementing the consensus remediation plan, did Symantec provide any 
> other information about its progress?

Yes, they did. However, it seems unnecessary to document all that here, as the 
meat of what they told me should end up in their implementation proposal.

Due to my upcoming holiday starting just before their planned publication date, 
they may choose to share a not-final draft of the proposal with me privately, 
which I will comment on (if I have time) in a non-binding fashion. This is not 
to pre-judge the proposal, but to speed the process and try and make sure the 
proposal contains everything necessary to evaluate it. As always, we will be 
coming to our position in consultation with our community here.

> Did Symantec offer any other
> information that you are able to share? Any other information that you 
> are _not_ able to share?

Our general principle for such meetings, consistent with Mozilla's desire to 
run our root program in an open and transparent fashion, is that we will not 
promise confidentiality up front, although we will honour reasonable requests 
for it on a case-by-case basis. We treat all CAs and all meetings equally in 
this regard.

In this case, the only information Symantec gave me which we agreed not to 
reveal was the names of the particular companies they were considering as CA 
partners. No doubt their implementation plan will show who they eventually 
choose.

Gerv


Re: Symantec meeting and status

2017-07-03 Thread Gervase Markham via dev-security-policy
Hi Peter,

I note you have copied in our press team and that you are a journalist;
I will answer your question as I would the same question from any member
of our community here if it were asked in this forum.

On 03/07/17 16:54, Loshin, Peter wrote:
> Other than stating that it will be publishing its proposal for
> implementing the consensus remediation plan, did Symantec provide any
> other information about its progress? 

Yes, they did. However, it seems unnecessary to document all that here,
as the meat of what they told me should end up in their implementation
proposal.

Due to my upcoming holiday starting just before their planned
publication date, they may choose to share a not-final draft of the
proposal with me privately, which I will comment on (if I have time) in
a non-binding fashion. This is not to pre-judge the proposal, but to
speed the process and try and make sure the proposal contains everything
necessary to evaluate it. As always, we will be coming to our position
in consultation with our community here.

> Did Symantec offer any other
> information that you are able to share? Any other information that
> you are _not_ able to share?

Our general principle for such meetings, consistent with Mozilla's
desire to run our root program in an open and transparent fashion, is
that we will not promise confidentiality up front, although we will
honour reasonable requests for it on a case-by-case basis. We treat all
CAs and all meetings equally in this regard.

In this case, the only information Symantec gave me which we agreed not
to reveal was the names of the particular companies they were
considering as CA partners. No doubt their implementation plan will show
who they eventually choose.

Gerv


Symantec meeting and status

2017-07-03 Thread Loshin, Peter via dev-security-policy
Hi Gerv:

Thank you for posting this update on last week's meeting with Symantec.

Are you able to share any additional information about what transpired at this 
meeting?

Other than stating that it will be publishing its proposal for implementing the 
consensus remediation plan, did Symantec provide any other information about 
its progress? Did Symantec offer any other information that you are able to 
share? Any other information that you are _not_ able to share?

Again, thank you for your work on improving browser security.

Best,
Peter


Peter Loshin
Site Editor, Security Media Group

Twitter: @PeterLoshin
+1 617/431-9819
TechTarget
Where Serious Technology Buyers Decide
http://www.techtarget.com



Symantec meeting and status

2017-07-03 Thread Gervase Markham via dev-security-policy
Hi everyone,

As I was in the Bay Area for the Mozilla All Hands, Symantec requested a
face-to-face meeting with Mozilla, which happened last Friday. In
attendance were Tom Ritter, Aaron Wu and I for Mozilla, and the
following people from Symantec (I hope I have the titles right):

* Quentin Liu (Head of Engineering for Website Security)
* Roxane DeVol (General Manager of Website Security)
* Hugh Thomson (CTO of Symantec Corporate)
* Michael Klieman (VP Product Management of Website Security)

Symantec asked for the meeting to update us on their progress in finding
a CA partner or partners to work with them in implementing the consensus
remediation plan, which as you will know involves them passing off
issuance to a third party while they stand up a new PKI on new,
best-practice infrastructure.

We expect Symantec, at the end of this week or early next week, to
publish a document giving their proposal for how they will implement the
plan, including a set of milestone dates with justification for how they
are reached. They will also give some indications of ways the plan might
be modified to alter the dates - e.g. "if we do X instead of Y, we can
do it N weeks faster". After that, we need to get agreement by all the
parties on the form of the final plan and some attached dates, and then
Symantec can sign contracts and start executing the plan. We hope to
reach this agreement swiftly.

However, the fly in the ointment is that I am going on holiday for 3
weeks from Friday. I am working occasional days during that time, but I
will be relying on members of this group to be analysing and considering
Symantec's proposal.

Gerv