Re: Symantec Issues List

2017-04-03 Thread Ryan Sleevi via dev-security-policy
On Mon, Apr 3, 2017 at 12:46 PM, Jakob Bohm via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > > How about this simple explanation (purely a guess, not at all checked): > I think we should focus on objective facts and statements. While there are a number of possible ways to

Re: Symantec Issues List

2017-04-03 Thread Gervase Markham via dev-security-policy
On 03/04/17 02:37, Peter Bowen wrote: > I believe Issue L is incorrectly dated. Thank you for this; I have updated Issue L to hopefully be more accurate, but I intend to keep it as a separate issue. Gerv

Re: Symantec Issues List

2017-04-03 Thread Gervase Markham via dev-security-policy
On 01/04/17 05:57, Peter Bowen wrote: > The GeoRoot program was very similar to that offered by many CAs a few > years ago. CyberTrust (then Verizon, now DigiCert) has the OmniRoot > program, Entrust has a root signing program[1], and GlobalSign Trusted > Root[2] are just a few examples. While

Re: Symantec Issues List

2017-04-03 Thread Gervase Markham via dev-security-policy
On 01/04/17 00:38, Ryan Sleevi wrote: > On Fri, Mar 31, 2017 at 2:39 PM, Gervase Markham via dev-security-policy < > Thanks for organizing this information, as much of it was related to and > relevant to Google's recent announcement. I want to take this opportunity > to share additional details

Re: Symantec Issues List

2017-04-02 Thread Peter Bowen via dev-security-policy
On Sun, Apr 2, 2017 at 9:36 PM, Ryan Sleevi wrote: > > On Sun, Apr 2, 2017 at 11:14 PM Peter Bowen via dev-security-policy > wrote: >> >> On Fri, Mar 31, 2017 at 11:39 AM, Gervase Markham via >> dev-security-policy

Re: Symantec Issues List

2017-04-02 Thread Ryan Sleevi via dev-security-policy
On Sun, Apr 2, 2017 at 11:14 PM Peter Bowen via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > On Fri, Mar 31, 2017 at 11:39 AM, Gervase Markham via > dev-security-policy wrote: > > As we continue to consider how best to react to the

Re: Symantec Issues List

2017-04-02 Thread Peter Bowen via dev-security-policy
On Fri, Mar 31, 2017 at 11:39 AM, Gervase Markham via dev-security-policy wrote: > As we continue to consider how best to react to the most recent incident > involving Symantec, and given that there is a question of whether it is > part of a pattern of

Re: Symantec Issues List

2017-04-01 Thread Ryan Sleevi via dev-security-policy
On Sat, Apr 1, 2017 at 12:57 AM, Peter Bowen wrote: > (Wearing my personal hat) > > Ryan, > > I haven't reviewed the audit reports myself, but I'll assume all you > wrote is true. However, I think it is important to consider it in the > appropriate context. > The GeoRoot

Re: Symantec Issues List

2017-03-31 Thread Peter Bowen via dev-security-policy
On Fri, Mar 31, 2017 at 4:38 PM, Ryan Sleevi via dev-security-policy wrote: > On Fri, Mar 31, 2017 at 2:39 PM, Gervase Markham wrote: > >> As we continue to consider how best to react to the most recent incident >> involving Symantec, and given that there is

Re: Symantec Issues List

2017-03-31 Thread Ryan Sleevi via dev-security-policy
On Fri, Mar 31, 2017 at 2:39 PM, Gervase Markham via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > As we continue to consider how best to react to the most recent incident > involving Symantec, and given that there is a question of whether it is > part of a pattern of

Symantec Issues List

2017-03-31 Thread Gervase Markham via dev-security-policy
As we continue to consider how best to react to the most recent incident involving Symantec, and given that there is a question of whether it is part of a pattern of behaviour, it seemed best to produce an issues list as we did with WoSign. This means Symantec has proper opportunity to respond to