Re: Final Decision by Google on Symantec

2017-07-28 Thread J.C. Jones via dev-security-policy
I share the desire to move faster than these dates, but upon consideration, I don't think it's much of a boon to web security for Mozilla to be substantially ahead of Chrome in implementing these trust changes. Since Chrome's decision to implement in April is final, their large user population is

Re: Final Decision by Google on Symantec

2017-07-28 Thread Jonathan Rudenberg via dev-security-policy
> On Jul 28, 2017, at 09:34, Alex Gaynor via dev-security-policy wrote:
>
> Frankly I was surprised to see Chromium reverse course on this -- they have a history of aggressive leadership in their handling of CA failures, it's a little disappointing

Re: Final Decision by Google on Symantec

2017-07-28 Thread okaphone.elektronika--- via dev-security-policy
On Friday, 28 July 2017 08:15:43 UTC+2, Gervase Markham wrote:
> Google have made a final decision on the various dates they plan to implement as part of the consensus plan in the Symantec matter. The message from blink-dev is included below.
>
> Most of the dates have consensus - the dates

Re: Final Decision by Google on Symantec

2017-07-28 Thread David E. Ross via dev-security-policy
On 7/28/2017 6:34 AM, Alex Gaynor wrote:
> Frankly I was surprised to see Chromium reverse course on this -- they have a history of aggressive leadership in their handling of CA failures, it's a little disappointing to see them abandon that.
>
> I'd strongly advocate for us pursuing an

Re: Final Decision by Google on Symantec

2017-07-28 Thread Vincent Lynch via dev-security-policy
Hi Gerv, Thank you for reaching out to the mdsp community. There are valid security reasons to consider a dis-trust date earlier than April 2018 for the corpus of Symantec certs issued prior to June 1st, 2016. However, I also believe there are security and operational risks in complicating the

Re: Final Decision by Google on Symantec

2017-07-28 Thread Alex Gaynor via dev-security-policy
Frankly I was surprised to see Chromium reverse course on this -- they have a history of aggressive leadership in their handling of CA failures, it's a little disappointing to see them abandon that. I'd strongly advocate for us pursuing an earlier date -- December 1st at the latest. Reasons: 1)

Re: Final Decision by Google on Symantec

2017-07-28 Thread Jakob Bohm via dev-security-policy
As it stands, aligning with Chrome, plus/minus 14 days would be the best approach. It is of course regrettable that Symantec managed to delay the decision process until a time when key Mozilla personnel (most notably Gerv) were unavailable, thus allowing Chrome to make the decisions while

Re: Final Decision by Google on Symantec

2017-07-28 Thread wizard--- via dev-security-policy
With respect to the date of distrust of Symantec certificates issued before June 1, 2016, I believe Mozilla has a third option: Remove indicators of trust (green lock, etc.) on December 1, 2017 for Symantec certificates issued prior to June 1, 2016 (but do not produce interstitials and do not

Final Decision by Google on Symantec

2017-07-28 Thread Gervase Markham via dev-security-policy
Google have made a final decision on the various dates they plan to implement as part of the consensus plan in the Symantec matter. The message from blink-dev is included below. Most of the dates have consensus - the dates for Symantec to implement the Managed CA infrastructure are agreed by all,