Here's my roundup of things I think we should require of Symantec.
* Mozilla would wish, after 2017-08-08, to alter Firefox such that it
trusts certificates issued in the "new PKI" directly by embedding a set
of certs or trust anchors which are part of that PKI, and can therefore
distrust any new
On 24/05/17 16:33, Peter Bowen wrote:
> Can you clarify the meaning of "new PKI"? I can see two reasonable
> interpretations:
> 2) The new PKI includes both new offline CAs that meet the
> requirements to be Root CAs and new subordinate CAs that issue
> end-entity certificates. the The new
On Mon, May 22, 2017 at 9:33 AM, Gervase Markham via
dev-security-policy wrote:
> On 19/05/17 21:04, Kathleen Wilson wrote:
>> - What validity periods should be allowed for SSL certs being issued
>> in the old PKI (until the new PKI is ready)?
>
> Symantec
On Mon, May 22, 2017 at 12:33 PM, Gervase Markham via dev-security-policy <
dev-security-policy@lists.mozilla.org> wrote:
> On 19/05/17 21:04, Kathleen Wilson wrote:
> > - I'm not sold on the idea of requiring Symantec to use third-party
> > CAs to perform validation/issuance on Symantec's
On Sat, May 20, 2017 at 11:12 AM, Michael Casadevall via
dev-security-policy wrote:
> On 05/19/2017 05:43 PM, Kurt Roeckx wrote:
> >>From the mail about Chrome's plan, I understand that Chrome's plan
> > is to only allow certificates from the old PKI if
On 22/05/2017 18:33, Gervase Markham wrote:
On 19/05/17 21:04, Kathleen Wilson wrote:
- What validity periods should be allowed for SSL certs being issued
in the old PKI (until the new PKI is ready)?
Symantec is required only to be issuing in the new PKI by 2017-08-08 -
in around ten weeks
Comments inline
On 20/05/2017 16:49, Michael Casadevall wrote:
Comments inline.
On 05/19/2017 05:10 PM, Jakob Bohm wrote:
Suggested trivial changes relative to the proposal for Mozilla use:
3. All non-expired Symantec issued certificates of any kind (including
SubCAs and revoked
On Mon, May 22, 2017 at 05:33:26PM +0100, Gervase Markham via
dev-security-policy wrote:
> Google are doing a phased distrust of old certs, but they have not set a
> date in their plan for total distrust of the old PKI. We should ask them
> what their plans are for that.
My understanding is that
On 21/05/17 19:37, userwithuid wrote:
> With the new proposal, the "minimal disruption" solution for Firefox
> will require keeping the legacy stuff around for another 3.5-4 years
> and better solutions will now be a lot harder to sell without the
> leverage provided by Google.
Why so? In eight
On 19/05/17 22:10, Jakob Bohm wrote:
> Necessity: Whitelists in various forms based on such CT log entries,
> as well as the SCTs in OCSP responses can provide an alternative for
> relying parties checking current certificates even if the cleanup at
> Symantec reveals a catastrophic breach
On 19/05/17 21:04, Kathleen Wilson wrote:
> - What validity periods should be allowed for SSL certs being issued
> in the old PKI (until the new PKI is ready)?
Symantec is required only to be issuing in the new PKI by 2017-08-08 -
in around ten weeks time. In the mean time, there is no
On Sunday, May 21, 2017 at 11:31:54 PM UTC, Michael Casadevall wrote:
> There's also a fair number of points dealing with who can sign and for
> what while Symantec spins up the new roots (which the Google proposal
> says a trusted third party CA signed by Symantec").
>
> I'm against this point
On 05/21/2017 02:37 PM, userwithuid wrote:
> To me, the most noticable difference between how Google and Mozilla can take
> action is with regards to exisiting certs. As proposed, Google has a really
> neat timeline to get rid of Symantec's questionable legacy stuff quickly and
> effectively.
On Saturday, 20 May 2017 15:49:44 UTC+1, Michael Casadevall wrote:
> Sanity check here, but I thought that OCSP-CT-Stapling required SCTs to
> be created at the time of issuance. Not sure if there's a way to
> backdate this requirement. If this is only intended for the new roots
> then just a
On 05/19/2017 05:43 PM, Kurt Roeckx wrote:
> So I think we have a few categories of certificates:
> - Those issued in the past, which can still be valid for up to 3
> years. I'm not sure when the last 5 year certificates are
> supposed to expire, or if they all expired, but I don't think
>
Comments inline.
On 05/19/2017 05:10 PM, Jakob Bohm wrote:
> Suggested trivial changes relative to the proposal for Mozilla use:
>
> 3. All non-expired Symantec issued certificates of any kind (including
> SubCAs and revoked certificates) shall be CT logged as modified by #4
> below. All
On Fri, May 19, 2017 at 01:04:45PM -0700, Kathleen Wilson via
dev-security-policy wrote:
>
> Gerv, thank you for all the effort you have been putting into this
> investigation into Symantec's mis-issuances, and in identifying the best way
> to move forward with the primary goal being to help
On 19/05/17 21:04, Kathleen Wilson via dev-security-policy wrote:
Hi Kathleen. I'm not quite sure how to interpret this part...
- I'm not sold on the idea of requiring Symantec to use third-party CAs to
perform validation/issuance on Symantec's behalf. The most serious concerns
that I have
On 19/05/2017 17:41, Gervase Markham wrote:
Hi m.d.s.p.,
Google have posted their updated plan for Symantec in the blink-dev
forum (copied below).
https://groups.google.com/a/chromium.org/d/msg/blink-dev/eUAKwjihhBs/ovLalSBRBQAJ
Insofar as it pertains to Google's actions, you should go over
On 19/05/2017 22:04, Kathleen Wilson wrote:
On Friday, May 19, 2017 at 8:42:40 AM UTC-7, Gervase Markham wrote:
I have passed that document to Kathleen, and I hope she will be
endorsing this general direction soon, at which point it will no longer
be a draft.
Assuming she does, this will
On Friday, May 19, 2017 at 8:42:40 AM UTC-7, Gervase Markham wrote:
>
> I have passed that document to Kathleen, and I hope she will be
> endorsing this general direction soon, at which point it will no longer
> be a draft.
>
> Assuming she does, this will effectively turn into a 3-way
21 matches
Mail list logo