Re: Google Plan for Symantec posted

Here's my roundup of things I think we should require of Symantec. * Mozilla would wish, after 2017-08-08, to alter Firefox such that it trusts certificates issued in the "new PKI" directly by embedding a set of certs or trust anchors which are part of that PKI, and can therefore distrust any new

Re: Google Plan for Symantec posted

On 24/05/17 16:33, Peter Bowen wrote: > Can you clarify the meaning of "new PKI"? I can see two reasonable > interpretations: > 2) The new PKI includes both new offline CAs that meet the > requirements to be Root CAs and new subordinate CAs that issue > end-entity certificates. the The new

Re: Google Plan for Symantec posted

On Mon, May 22, 2017 at 9:33 AM, Gervase Markham via dev-security-policy wrote: > On 19/05/17 21:04, Kathleen Wilson wrote: >> - What validity periods should be allowed for SSL certs being issued >> in the old PKI (until the new PKI is ready)? > > Symantec

Re: Google Plan for Symantec posted

On Mon, May 22, 2017 at 12:33 PM, Gervase Markham via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > On 19/05/17 21:04, Kathleen Wilson wrote: > > - I'm not sold on the idea of requiring Symantec to use third-party > > CAs to perform validation/issuance on Symantec's

Re: Google Plan for Symantec posted

On Sat, May 20, 2017 at 11:12 AM, Michael Casadevall via dev-security-policy wrote: > On 05/19/2017 05:43 PM, Kurt Roeckx wrote: > >>From the mail about Chrome's plan, I understand that Chrome's plan > > is to only allow certificates from the old PKI if

Re: Google Plan for Symantec posted

On 22/05/2017 18:33, Gervase Markham wrote: On 19/05/17 21:04, Kathleen Wilson wrote: - What validity periods should be allowed for SSL certs being issued in the old PKI (until the new PKI is ready)? Symantec is required only to be issuing in the new PKI by 2017-08-08 - in around ten weeks

Re: Google Plan for Symantec posted

Comments inline On 20/05/2017 16:49, Michael Casadevall wrote: Comments inline. On 05/19/2017 05:10 PM, Jakob Bohm wrote: Suggested trivial changes relative to the proposal for Mozilla use: 3. All non-expired Symantec issued certificates of any kind (including SubCAs and revoked

Re: Google Plan for Symantec posted

On Mon, May 22, 2017 at 05:33:26PM +0100, Gervase Markham via dev-security-policy wrote: > Google are doing a phased distrust of old certs, but they have not set a > date in their plan for total distrust of the old PKI. We should ask them > what their plans are for that. My understanding is that

Re: Google Plan for Symantec posted

On 21/05/17 19:37, userwithuid wrote: > With the new proposal, the "minimal disruption" solution for Firefox > will require keeping the legacy stuff around for another 3.5-4 years > and better solutions will now be a lot harder to sell without the > leverage provided by Google. Why so? In eight

Re: Google Plan for Symantec posted

On 19/05/17 22:10, Jakob Bohm wrote: > Necessity: Whitelists in various forms based on such CT log entries, > as well as the SCTs in OCSP responses can provide an alternative for > relying parties checking current certificates even if the cleanup at > Symantec reveals a catastrophic breach

Re: Google Plan for Symantec posted

On 19/05/17 21:04, Kathleen Wilson wrote: > - What validity periods should be allowed for SSL certs being issued > in the old PKI (until the new PKI is ready)? Symantec is required only to be issuing in the new PKI by 2017-08-08 - in around ten weeks time. In the mean time, there is no

Re: Google Plan for Symantec posted

On Sunday, May 21, 2017 at 11:31:54 PM UTC, Michael Casadevall wrote: > There's also a fair number of points dealing with who can sign and for > what while Symantec spins up the new roots (which the Google proposal > says a trusted third party CA signed by Symantec"). > > I'm against this point

Re: Google Plan for Symantec posted

On 05/21/2017 02:37 PM, userwithuid wrote: > To me, the most noticable difference between how Google and Mozilla can take > action is with regards to exisiting certs. As proposed, Google has a really > neat timeline to get rid of Symantec's questionable legacy stuff quickly and > effectively.

Re: Google Plan for Symantec posted

On Saturday, 20 May 2017 15:49:44 UTC+1, Michael Casadevall wrote: > Sanity check here, but I thought that OCSP-CT-Stapling required SCTs to > be created at the time of issuance. Not sure if there's a way to > backdate this requirement. If this is only intended for the new roots > then just a

Re: Google Plan for Symantec posted

On 05/19/2017 05:43 PM, Kurt Roeckx wrote: > So I think we have a few categories of certificates: > - Those issued in the past, which can still be valid for up to 3 > years. I'm not sure when the last 5 year certificates are > supposed to expire, or if they all expired, but I don't think >

Re: Google Plan for Symantec posted

Comments inline. On 05/19/2017 05:10 PM, Jakob Bohm wrote: > Suggested trivial changes relative to the proposal for Mozilla use: > > 3. All non-expired Symantec issued certificates of any kind (including > SubCAs and revoked certificates) shall be CT logged as modified by #4 > below. All

Re: Google Plan for Symantec posted

On Fri, May 19, 2017 at 01:04:45PM -0700, Kathleen Wilson via dev-security-policy wrote: > > Gerv, thank you for all the effort you have been putting into this > investigation into Symantec's mis-issuances, and in identifying the best way > to move forward with the primary goal being to help

Re: Google Plan for Symantec posted

On 19/05/17 21:04, Kathleen Wilson via dev-security-policy wrote: Hi Kathleen. I'm not quite sure how to interpret this part... - I'm not sold on the idea of requiring Symantec to use third-party CAs to perform validation/issuance on Symantec's behalf. The most serious concerns that I have

Re: Google Plan for Symantec posted

On 19/05/2017 17:41, Gervase Markham wrote: Hi m.d.s.p., Google have posted their updated plan for Symantec in the blink-dev forum (copied below). https://groups.google.com/a/chromium.org/d/msg/blink-dev/eUAKwjihhBs/ovLalSBRBQAJ Insofar as it pertains to Google's actions, you should go over

Re: Google Plan for Symantec posted

On 19/05/2017 22:04, Kathleen Wilson wrote: On Friday, May 19, 2017 at 8:42:40 AM UTC-7, Gervase Markham wrote: I have passed that document to Kathleen, and I hope she will be endorsing this general direction soon, at which point it will no longer be a draft. Assuming she does, this will

Re: Google Plan for Symantec posted

On Friday, May 19, 2017 at 8:42:40 AM UTC-7, Gervase Markham wrote: > > I have passed that document to Kathleen, and I hope she will be > endorsing this general direction soon, at which point it will no longer > be a draft. > > Assuming she does, this will effectively turn into a 3-way