Hi everyone,
We met the December 1 deadline of integrating with Symantec systems, and all
validation and issuance of TLS certificates is currently flowing through
DigiCert’s backend. Initial results appear generally positive, with the
validation staff processing orders and delivering
Clearly there has to be a way for key compromises to be remedied. If I've been following this pinning discussion correctly it seems unavoidable that we will have cases requiring certs to be issued on the
gt;
Cc: Ryan Sleevi <r...@sleevi.com>;
mozilla-dev-security-pol...@lists.mozilla.org; Jeremy Rowley
<jeremy.row...@digicert.com>
Subject: Re: DigiCert-Symantec Announcement
On Sun, Sep 24, 2017 at 12:40 PM, Peter Bowen <pzbo...@gmail.com
<mailto:pzbo...@gmail.com>
On 28.09.17 19:06, Gervase Markham via dev-security-policy wrote:
> On 26/09/17 03:17, Ryan Sleevi wrote:
>> update in a year, are arguably outside of the scope of ‘reasonable’ use
>> cases - the ecosystem itself has shown itself to change on at least that
>> frequency.
>
> Is "1 year" not a
Hi Gerv,
> On 28. Sep 2017, at 19:06, Gervase Markham via dev-security-policy
> wrote:
>
> Is "1 year" not a relatively common (for some value of "common") setting
> for HPKP timeouts for sites which think they have now mastered HPKP?
We did a
On 26/09/17 03:17, Ryan Sleevi wrote:
> update in a year, are arguably outside of the scope of ‘reasonable’ use
> cases - the ecosystem itself has shown itself to change on at least that
> frequency.
Is "1 year" not a relatively common (for some value of "common") setting
for HPKP timeouts for
On Fri, Sep 22, 2017 at 6:22 AM, Nick Lamb via dev-security-policy
wrote:
> On Friday, 22 September 2017 05:01:03 UTC+1, Peter Bowen wrote:
>> I realize this is somewhat more complex than what you, Ryan, or Jeremy
>> proposed, but it the only way I see root
On Friday, 22 September 2017 05:01:03 UTC+1, Peter Bowen wrote:
> I realize this is somewhat more complex than what you, Ryan, or Jeremy
> proposed, but it the only way I see root pins working across both
> "old" and "new" trust stores.
I would suggest that a better way to spend the remaining
On Thu, Sep 21, 2017 at 7:17 PM, Ryan Sleevi via dev-security-policy
wrote:
> I think we can divide the discussion into two parts, similar to the
> previous mail: How to effectively transition Symantec customers with
> minimum disruption, whether acting as
the agreement closes prior to Dec 1, the Managed CA will never exist.
> Instead, all issuance will occur through one of the three primary DigiCert
> roots mentioned above with the exception of customers required to use a
> Symantec root for certain platforms or pinning. The cross-signed Gl
ty-pol...@lists.mozilla.org
Subject: Re: DigiCert-Symantec Announcement
On Tue, Sep 19, 2017 at 8:39 PM, Jeremy Rowley via dev-security-policy
<dev-security-policy@lists.mozilla.org> wrote:
>
> The current end-state plan for root cross-signing is provided at
> https://bugzilla.mozill
On Tue, Sep 19, 2017 at 8:39 PM, Jeremy Rowley via dev-security-policy
wrote:
>
> The current end-state plan for root cross-signing is provided at
> https://bugzilla.mozilla.org/show_bug.cgi?id=1401384. The diagrams there show
> all of the existing sub CAs
Hi Jeremy,
Is DigiCert planning on continuing selling DV certificates after the
transition? As DigiCert has previously been vocal on the fact that the
drawbacks of issuing DV certificates outweigh the benefits as stated here:
https://www.digicert.com/dv-ssl-certificate.htm. If DigiCert is
ty-pol...@lists.mozilla.org
Subject: Re: DigiCert-Symantec Announcement
On Wed, Aug 2, 2017 at 5:12 PM, Jeremy Rowley via dev-security-policy
<dev-security-policy@lists.mozilla.org
<mailto:dev-security-policy@lists.mozilla.org> > wrote:
Hi everyone,
Today, DigiCert and Symantec annou
, 2017 1:28 PM
To: Jeremy Rowley <jeremy.row...@digicert.com>
Cc: mozilla-dev-security-pol...@lists.mozilla.org
Subject: Re: DigiCert-Symantec Announcement
On Wed, Aug 2, 2017 at 5:12 PM, Jeremy Rowley via dev-security-policy
<dev-security-policy@lists.mozilla.org
<mailto:
On Wed, Aug 2, 2017 at 5:12 PM, Jeremy Rowley via dev-security-policy <
dev-security-policy@lists.mozilla.org> wrote:
> Hi everyone,
>
>
>
> Today, DigiCert and Symantec announced that DigiCert is acquiring the
> Symantec CA assets, including the infrastructure, personnel, roots, and
> platforms.
I think the plan at the root level makes sense and is reasonable, at least as far as I think I understand it. (A diagram would be nice.) At the intermediate level, however, I think more detail is needed. I'm
t; To: mozilla-dev-security-pol...@lists.mozilla.org
> Subject: [EXT] Re: DigiCert-Symantec Announcement
>
> a small question:
> what's going to happen with [freessl.com]
>
> under Symantec's leadership it was intended for the site to become a free
> alternative to StartCom and L
a small question:
what's going to happen with https://www.freessl.com/ ?
under Symantec's leadership it was intended for the site to become a free
alternative to StartCom and LetsEncrypt, but it was not quite opened for
issuance except for non-profits.
Now with the transition of the CA
eciate your thoughts.
Jeremy
From: Peter Kurrasch [mailto:fhw...@gmail.com]
Sent: Thursday, August 3, 2017 11:21 PM
To: Jeremy Rowley <jeremy.row...@digicert.com>; mozilla-dev-security-policy
<mozilla-dev-security-pol...@lists.mozilla.org>
Subject: Re: DigiCert-Symantec Announ
I agree with the high-level concepts, although I would probably like to add something about "being good stewards of technologies that play a critical role in the global economy." (Feel free to use your own
: Wednesday, August 2, 2017 8:01 PM
To: mozilla-dev-security-policy <mozilla-dev-security-pol...@lists.mozilla.org>
Subject: Re: DigiCert-Symantec Announcement
This certainly shakes things up! I've had my concerns that Symantec's plan was
complicated and risky, but now I'm wondering if this ne
-security-policy-bounces+jeremy.rowley=digicert.com@lists.mozilla
.org] On Behalf Of Santhan Raj via dev-security-policy
Sent: Thursday, August 3, 2017 1:36 PM
To: mozilla-dev-security-pol...@lists.mozilla.org
Subject: Re: DigiCert-Symantec Announcement
On Wednesday, August 2, 2017 at 6:44:51 PM UTC-7
sts.mozilla.org>
> Subject: RE: DigiCert-Symantec Announcement
> * Will there be other players in Symantec's SubCA plan or is DigiCert
> the only one?
>
>
>
> [DC] Only DigiCert.
Jeremy - It's my understanding that as of December 1st every certificate
issued by Sy
On 02/08/2017 23:12, Jeremy Rowley wrote:
Hi everyone,
Today, DigiCert and Symantec announced that DigiCert is acquiring the
Symantec CA assets, including the infrastructure, personnel, roots, and
platforms. At the same time, DigiCert signed a Sub CA agreement wherein we
will validate and
I believe all of the non expired CAs listed are in scope.
> On Aug 2, 2017, at 7:44 PM, Peter Bowen wrote:
>
> On Wed, Aug 2, 2017 at 2:12 PM, Jeremy Rowley via dev-security-policy
> wrote:
>> Today, DigiCert and Symantec announced that
ail.com>; mozilla-dev-security-policy
> <mozilla-dev-security-pol...@lists.mozilla.org>
> Subject: RE: DigiCert-Symantec Announcement
> * Will there be other players in Symantec's SubCA plan or is DigiCert the only
> one?
>
>
>
> [DC] Only DigiCert.
Jeremy - It's my u
On Wednesday, August 2, 2017 at 6:44:51 PM UTC-7, Peter Bowen wrote:
> On Wed, Aug 2, 2017 at 2:12 PM, Jeremy Rowley via dev-security-policy
> wrote:
> > Today, DigiCert and Symantec announced that DigiCert is acquiring the
> > Symantec CA assets, including
Hi Jeremy,
Will the certificates being issued for Symantec starting December 1st be
issued under the existing DC roots, or under new roots?
Alex
On Wed, Aug 2, 2017 at 5:12 PM, Jeremy Rowley via dev-security-policy <
dev-security-policy@lists.mozilla.org> wrote:
> Hi everyone,
>
>
>
> Today,
Peter Bowen writes:
>Gerv's email was clear that sale to DigiCert will not impact the plan,
>saying: "any change of control of some or all of Symantec's roots would not
>be grounds for a renegotiation of these dates."
>
>So the sanctions are still intact.
Ah, I phrased my
On Wed, Aug 2, 2017 at 8:10 PM, Peter Gutmann via dev-security-policy
wrote:
> Jeremy Rowley via dev-security-policy
> writes:
>
>>Today, DigiCert and Symantec announced that DigiCert is acquiring the
>>Symantec CA
Jeremy Rowley via dev-security-policy
writes:
>Today, DigiCert and Symantec announced that DigiCert is acquiring the
>Symantec CA assets, including the infrastructure, personnel, roots, and
>platforms.
I realise this is a bit off-topic for the list but
* Will there be other players in Symantec's SubCA plan or is DigiCert the only
one?
[DC] Only DigiCert.
* Is DigiCert prepared (yet?) to commit to a "first day of issuance" under the
SubCA plan? That is, when is the earliest date that members of the general
public may purchase
This certainly shakes things up! I've had my concerns that Symantec's plan was complicated and risky, but now I'm wondering if this new path will be somewhat simpler--yet even more risky? I'm not suggesting we
On Wed, Aug 2, 2017 at 2:12 PM, Jeremy Rowley via dev-security-policy
wrote:
> Today, DigiCert and Symantec announced that DigiCert is acquiring the
> Symantec CA assets, including the infrastructure, personnel, roots, and
> platforms. At the same time,
Lamb via dev-security-policy
Sent: Wednesday, August 2, 2017 4:57 PM
To: mozilla-dev-security-pol...@lists.mozilla.org
Subject: Re: DigiCert-Symantec Announcement
On the use of OIDs to signify the Blessed Method used for validation I
thought it can't hurt to mention the first obstacle for this idea
+jeremy.rowley=digicert.com@lists.mozilla
.org] On Behalf Of Kathleen Wilson via dev-security-policy
Sent: Wednesday, August 2, 2017 4:07 PM
To: mozilla-dev-security-pol...@lists.mozilla.org
Subject: Re: DigiCert-Symantec Announcement
On Wednesday, August 2, 2017 at 2:13:40 PM UTC-7, Jeremy Rowley
On Wednesday, August 2, 2017 at 2:13:40 PM UTC-7, Jeremy Rowley wrote:
> Today, DigiCert and Symantec announced that DigiCert is acquiring the
> Symantec CA assets, including the infrastructure, personnel, roots, and
> platforms. At the same time, DigiCert signed a Sub CA agreement wherein we
>
38 matches
Mail list logo