RE: DigiCert-Symantec Announcement

2017-12-05 Thread Jeremy Rowley via dev-security-policy
Hi everyone, We met the December 1 deadline of integrating with Symantec systems, and all validation and issuance of TLS certificates is currently flowing through DigiCert’s backend. Initial results appear generally positive, with the validation staff processing orders and delivering

Re: DigiCert-Symantec Announcement

2017-10-11 Thread Peter Kurrasch via dev-security-policy
Clearly there has to be a way for key compromises to be remedied. If I've been following this pinning discussion correctly it seems unavoidable that we will have cases requiring certs to be issued on the

RE: DigiCert-Symantec Announcement

2017-10-01 Thread Jeremy Rowley via dev-security-policy
Cc: Ryan Sleevi <r...@sleevi.com>; mozilla-dev-security-pol...@lists.mozilla.org; Jeremy Rowley <jeremy.row...@digicert.com> Subject: Re: DigiCert-Symantec Announcement On Sun, Sep 24, 2017 at 12:40 PM, Peter Bowen <pzbo...@gmail.com <mailto:pzbo...@gmail.com>

Re: DigiCert-Symantec Announcement

2017-09-28 Thread Patrick Figel via dev-security-policy
On 28.09.17 19:06, Gervase Markham via dev-security-policy wrote: > On 26/09/17 03:17, Ryan Sleevi wrote: >> update in a year, are arguably outside of the scope of ‘reasonable’ use >> cases - the ecosystem itself has shown itself to change on at least that >> frequency. > > Is "1 year" not a

Re: DigiCert-Symantec Announcement

2017-09-28 Thread Quirin Scheitle via dev-security-policy
Hi Gerv, > On 28. Sep 2017, at 19:06, Gervase Markham via dev-security-policy > wrote: > > Is "1 year" not a relatively common (for some value of "common") setting > for HPKP timeouts for sites which think they have now mastered HPKP? We did a

Re: DigiCert-Symantec Announcement

2017-09-28 Thread Gervase Markham via dev-security-policy
On 26/09/17 03:17, Ryan Sleevi wrote: > update in a year, are arguably outside of the scope of ‘reasonable’ use > cases - the ecosystem itself has shown itself to change on at least that > frequency. Is "1 year" not a relatively common (for some value of "common") setting for HPKP timeouts for

Re: DigiCert-Symantec Announcement

2017-09-22 Thread Peter Bowen via dev-security-policy
On Fri, Sep 22, 2017 at 6:22 AM, Nick Lamb via dev-security-policy wrote: > On Friday, 22 September 2017 05:01:03 UTC+1, Peter Bowen wrote: >> I realize this is somewhat more complex than what you, Ryan, or Jeremy >> proposed, but it is the only way I see root

Re: DigiCert-Symantec Announcement

2017-09-22 Thread Nick Lamb via dev-security-policy
On Friday, 22 September 2017 05:01:03 UTC+1, Peter Bowen wrote: > I realize this is somewhat more complex than what you, Ryan, or Jeremy > proposed, but it is the only way I see root pins working across both > "old" and "new" trust stores. I would suggest that a better way to spend the remaining

Re: DigiCert-Symantec Announcement

2017-09-21 Thread Peter Bowen via dev-security-policy
On Thu, Sep 21, 2017 at 7:17 PM, Ryan Sleevi via dev-security-policy wrote: > I think we can divide the discussion into two parts, similar to the > previous mail: How to effectively transition Symantec customers with > minimum disruption, whether acting as

Re: DigiCert-Symantec Announcement

2017-09-21 Thread Ryan Sleevi via dev-security-policy
obal > root will be only transitory, meaning we’d hope customers would migrate to > the DigiCert roots once the systems requiring a specific Symantec roots are > deprecated or as path validation errors arise. > > > > Jeremy > > > > > > From: Ryan Sleevi [mailto

RE: DigiCert-Symantec Announcement

2017-09-20 Thread Jeremy Rowley via dev-security-policy
ty-pol...@lists.mozilla.org Subject: Re: DigiCert-Symantec Announcement On Tue, Sep 19, 2017 at 8:39 PM, Jeremy Rowley via dev-security-policy <dev-security-policy@lists.mozilla.org> wrote: > > The current end-state plan for root cross-signing is provided at > https://bugzilla.mozill

Re: DigiCert-Symantec Announcement

2017-09-20 Thread Peter Bowen via dev-security-policy
On Tue, Sep 19, 2017 at 8:39 PM, Jeremy Rowley via dev-security-policy wrote: > > The current end-state plan for root cross-signing is provided at > https://bugzilla.mozilla.org/show_bug.cgi?id=1401384. The diagrams there show > all of the existing sub CAs

Re: DigiCert-Symantec Announcement

2017-09-20 Thread James Burton via dev-security-policy
Hi Jeremy, Is DigiCert planning on continuing selling DV certificates after the transition? As DigiCert has previously been vocal on the fact that the drawbacks of issuing DV certificates outweigh the benefits as stated here: https://www.digicert.com/dv-ssl-certificate.htm. If DigiCert is

RE: DigiCert-Symantec Announcement

2017-09-20 Thread Jeremy Rowley via dev-security-policy
ty-pol...@lists.mozilla.org Subject: Re: DigiCert-Symantec Announcement On Wed, Aug 2, 2017 at 5:12 PM, Jeremy Rowley via dev-security-policy <dev-security-policy@lists.mozilla.org <mailto:dev-security-policy@lists.mozilla.org> > wrote: Hi everyone, Today, DigiCert and Symantec annou

RE: DigiCert-Symantec Announcement

2017-09-15 Thread Jeremy Rowley via dev-security-policy
, 2017 1:28 PM To: Jeremy Rowley <jeremy.row...@digicert.com> Cc: mozilla-dev-security-pol...@lists.mozilla.org Subject: Re: DigiCert-Symantec Announcement On Wed, Aug 2, 2017 at 5:12 PM, Jeremy Rowley via dev-security-policy <dev-security-policy@lists.mozilla.org <mailto:

Re: DigiCert-Symantec Announcement

2017-09-14 Thread Ryan Sleevi via dev-security-policy
On Wed, Aug 2, 2017 at 5:12 PM, Jeremy Rowley via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > Hi everyone, > > > > Today, DigiCert and Symantec announced that DigiCert is acquiring the > Symantec CA assets, including the infrastructure, personnel, roots, and > platforms.

Re: DigiCert-Symantec Announcement

2017-09-07 Thread Peter Kurrasch via dev-security-policy
I think the plan at the root level makes sense and is reasonable, at least as far as I think I understand it. (A diagram would be nice.) At the intermediate level, however, I think more detail is needed. I'm

RE: [EXT] Re: DigiCert-Symantec Announcement

2017-09-01 Thread Steve Medin via dev-security-policy
> To: mozilla-dev-security-pol...@lists.mozilla.org > Subject: [EXT] Re: DigiCert-Symantec Announcement > > a small question: > what's going to happen with [freessl.com] > > under Symantec's leadership it was intended for the site to become a free > alternative to StartCom and L

Re: DigiCert-Symantec Announcement

2017-09-01 Thread Adrian R. via dev-security-policy
a small question: what's going to happen with https://www.freessl.com/ ? under Symantec's leadership it was intended for the site to become a free alternative to StartCom and LetsEncrypt, but it was not quite opened for issuance except for non-profits. Now with the transition of the CA

RE: DigiCert-Symantec Announcement

2017-08-20 Thread Jeremy Rowley via dev-security-policy
eciate your thoughts. Jeremy From: Peter Kurrasch [mailto:fhw...@gmail.com] Sent: Thursday, August 3, 2017 11:21 PM To: Jeremy Rowley <jeremy.row...@digicert.com>; mozilla-dev-security-policy <mozilla-dev-security-pol...@lists.mozilla.org> Subject: Re: DigiCert-Symantec Announ

Re: DigiCert-Symantec Announcement

2017-08-03 Thread Peter Kurrasch via dev-security-policy
I agree with the high-level concepts, although I would probably like to add something about "being good stewards of technologies that play a critical role in the global economy." (Feel free to use your own

RE: DigiCert-Symantec Announcement

2017-08-03 Thread Jeremy Rowley via dev-security-policy
: Wednesday, August 2, 2017 8:01 PM To: mozilla-dev-security-policy <mozilla-dev-security-pol...@lists.mozilla.org> Subject: Re: DigiCert-Symantec Announcement This certainly shakes things up! I've had my concerns that Symantec's plan was complicated and risky, but now I'm wondering if this ne

RE: DigiCert-Symantec Announcement

2017-08-03 Thread Jeremy Rowley via dev-security-policy
-security-policy-bounces+jeremy.rowley=digicert.com@lists.mozilla.org] On Behalf Of Santhan Raj via dev-security-policy Sent: Thursday, August 3, 2017 1:36 PM To: mozilla-dev-security-pol...@lists.mozilla.org Subject: Re: DigiCert-Symantec Announcement On Wednesday, August 2, 2017 at 6:44:51 PM UTC-7

RE: DigiCert-Symantec Announcement

2017-08-03 Thread Jeremy Rowley via dev-security-policy
sts.mozilla.org> > Subject: RE: DigiCert-Symantec Announcement > * Will there be other players in Symantec's SubCA plan or is DigiCert > the only one? > > > > [DC] Only DigiCert. Jeremy - It's my understanding that as of December 1st every certificate issued by Sy

Re: DigiCert-Symantec Announcement

2017-08-03 Thread Jakob Bohm via dev-security-policy
On 02/08/2017 23:12, Jeremy Rowley wrote: Hi everyone, Today, DigiCert and Symantec announced that DigiCert is acquiring the Symantec CA assets, including the infrastructure, personnel, roots, and platforms. At the same time, DigiCert signed a Sub CA agreement wherein we will validate and

Re: DigiCert-Symantec Announcement

2017-08-03 Thread Jeremy Rowley via dev-security-policy
I believe all of the non expired CAs listed are in scope. > On Aug 2, 2017, at 7:44 PM, Peter Bowen wrote: > > On Wed, Aug 2, 2017 at 2:12 PM, Jeremy Rowley via dev-security-policy > wrote: >> Today, DigiCert and Symantec announced that

RE: DigiCert-Symantec Announcement

2017-08-03 Thread Doug Beattie via dev-security-policy
ail.com>; mozilla-dev-security-policy > <mozilla-dev-security-pol...@lists.mozilla.org> > Subject: RE: DigiCert-Symantec Announcement > * Will there be other players in Symantec's SubCA plan or is DigiCert the only > one? > > > > [DC] Only DigiCert. Jeremy - It's my u

Re: DigiCert-Symantec Announcement

2017-08-03 Thread Santhan Raj via dev-security-policy
On Wednesday, August 2, 2017 at 6:44:51 PM UTC-7, Peter Bowen wrote: > On Wed, Aug 2, 2017 at 2:12 PM, Jeremy Rowley via dev-security-policy > wrote: > > Today, DigiCert and Symantec announced that DigiCert is acquiring the > > Symantec CA assets, including

Re: DigiCert-Symantec Announcement

2017-08-03 Thread Alex Gaynor via dev-security-policy
Hi Jeremy, Will the certificates being issued for Symantec starting December 1st be issued under the existing DC roots, or under new roots? Alex On Wed, Aug 2, 2017 at 5:12 PM, Jeremy Rowley via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > Hi everyone, > > > > Today,

Re: DigiCert-Symantec Announcement

2017-08-02 Thread Peter Gutmann via dev-security-policy
Peter Bowen writes: >Gerv's email was clear that sale to DigiCert will not impact the plan, >saying: "any change of control of some or all of Symantec's roots would not >be grounds for a renegotiation of these dates." > >So the sanctions are still intact. Ah, I phrased my

Re: DigiCert-Symantec Announcement

2017-08-02 Thread Peter Bowen via dev-security-policy
On Wed, Aug 2, 2017 at 8:10 PM, Peter Gutmann via dev-security-policy wrote: > Jeremy Rowley via dev-security-policy > writes: > >>Today, DigiCert and Symantec announced that DigiCert is acquiring the >>Symantec CA

Re: DigiCert-Symantec Announcement

2017-08-02 Thread Peter Gutmann via dev-security-policy
Jeremy Rowley via dev-security-policy writes: >Today, DigiCert and Symantec announced that DigiCert is acquiring the >Symantec CA assets, including the infrastructure, personnel, roots, and >platforms. I realise this is a bit off-topic for the list but

RE: DigiCert-Symantec Announcement

2017-08-02 Thread Jeremy Rowley via dev-security-policy
* Will there be other players in Symantec's SubCA plan or is DigiCert the only one? [DC] Only DigiCert. * Is DigiCert prepared (yet?) to commit to a "first day of issuance" under the SubCA plan? That is, when is the earliest date that members of the general public may purchase

Re: DigiCert-Symantec Announcement

2017-08-02 Thread Peter Kurrasch via dev-security-policy
This certainly shakes things up! I've had my concerns that Symantec's plan was complicated and risky, but now I'm wondering if this new path will be somewhat simpler--yet even more risky? I'm not suggesting we

Re: DigiCert-Symantec Announcement

2017-08-02 Thread Peter Bowen via dev-security-policy
On Wed, Aug 2, 2017 at 2:12 PM, Jeremy Rowley via dev-security-policy wrote: > Today, DigiCert and Symantec announced that DigiCert is acquiring the > Symantec CA assets, including the infrastructure, personnel, roots, and > platforms. At the same time,

RE: DigiCert-Symantec Announcement

2017-08-02 Thread Jeremy Rowley via dev-security-policy
Lamb via dev-security-policy Sent: Wednesday, August 2, 2017 4:57 PM To: mozilla-dev-security-pol...@lists.mozilla.org Subject: Re: DigiCert-Symantec Announcement On the use of OIDs to signify the Blessed Method used for validation I thought it can't hurt to mention the first obstacle for this idea

RE: DigiCert-Symantec Announcement

2017-08-02 Thread Jeremy Rowley via dev-security-policy
+jeremy.rowley=digicert.com@lists.mozilla.org] On Behalf Of Kathleen Wilson via dev-security-policy Sent: Wednesday, August 2, 2017 4:07 PM To: mozilla-dev-security-pol...@lists.mozilla.org Subject: Re: DigiCert-Symantec Announcement On Wednesday, August 2, 2017 at 2:13:40 PM UTC-7, Jeremy Rowley

Re: DigiCert-Symantec Announcement

2017-08-02 Thread Kathleen Wilson via dev-security-policy
On Wednesday, August 2, 2017 at 2:13:40 PM UTC-7, Jeremy Rowley wrote: > Today, DigiCert and Symantec announced that DigiCert is acquiring the > Symantec CA assets, including the infrastructure, personnel, roots, and > platforms. At the same time, DigiCert signed a Sub CA agreement wherein we >

DigiCert-Symantec Announcement

2017-08-02 Thread Jeremy Rowley via dev-security-policy
Hi everyone, Today, DigiCert and Symantec announced that DigiCert is acquiring the Symantec CA assets, including the infrastructure, personnel, roots, and platforms. At the same time, DigiCert signed a Sub CA agreement wherein we will validate and issue all Symantec certs as of Dec 1, 2017.