
Cert transition update


Jeremy Rowley

Jun 26, 2018, 11:23:55 AM
to mozilla-dev-security-policy
We want to share the latest update on the Symantec distrust plan and seek
input from the community. Below is a high level summary:

The majority of root program operators plan to either partially or fully
distrust Symantec roots by Q3 CY 2018, and no later than Q2 CY 2019. All
TLS certificates issued from these roots will be impacted. Please see the list
of roots below. We've contacted all of the impacted customers so everyone
should be fully aware of the need at this point, even if some subscribers
are waiting to replace their certificates until after the summer.

Key Dates

* March 2018 - Beginning of phased removal of trust by root program
operators for Symantec TLS certificates issued prior to June 1, 2016.

* October 2018 - Full removal of trust of Symantec-issued TLS certificates
by root program operators.

* By no later than Q2 CY 2019 - Full removal of Symantec-issued TLS
certificates from all major root program operators.

The cert transition extends beyond TLS certificates, and we plan to migrate
most publicly-trusted non-TLS certificate issuance to DigiCert roots on
October 1st. However, the exception list of customers unable to migrate
S/MIME certificates will be larger than on the TLS side, as these certificates
are often used with government ID cards or in facilities without ready
access. We'll work with these customers to replace their issuing CAs with
DigiCert issuing CAs so all certificates going forward will chain to one of
the ten DigiCert root certificates.

I'd definitely love the feedback on the above and public comments.

Impacted Roots and Usage:

Root | EKU
GeoTrust Global CA | Server Authentication; Client Authentication; Secure Email; Code Signing; Time Stamping
GeoTrust Global CA 2 | Server Authentication; Client Authentication; Code Signing; Secure Email; Time Stamping
GeoTrust Primary Certification Authority | Server Authentication; Client Authentication; Secure Email; Code Signing
GeoTrust Primary Certification Authority - G2 | Server Authentication; Client Authentication; Secure Email; Code Signing; Time Stamping
GeoTrust Primary Certification Authority - G3 | Server Authentication; Client Authentication; Secure Email; Code Signing; Time Stamping
GeoTrust Universal CA | Server Authentication; Client Authentication; Secure Email; Code Signing; Time Stamping
GeoTrust Universal CA 2 | Server Authentication; Client Authentication; Code Signing; Secure Email; Time Stamping
Symantec Class 1 Public Primary Certification Authority - G4 | Client Authentication; Secure Email
Symantec Class 1 Public Primary Certification Authority - G6 | Client Authentication; Secure Email
Symantec Class 2 Public Primary Certification Authority - G4 | Client Authentication; Secure Email
Symantec Class 2 Public Primary Certification Authority - G6 | Client Authentication; Secure Email
Symantec Class 3 Public Primary Certification Authority - G4 | Server Authentication; Client Authentication; Secure Email; Code Signing; Time Stamping
Symantec Class 3 Public Primary Certification Authority - G6 | Server Authentication; Client Authentication; Secure Email; Code Signing; Time Stamping
thawte Primary Root CA | Server Authentication; Client Authentication; Secure Email; Code Signing
thawte Primary Root CA - G2 | Server Authentication; Client Authentication; Secure Email; Code Signing; Time Stamping
thawte Primary Root CA - G3 | Server Authentication; Client Authentication; Secure Email; Code Signing; Time Stamping
VeriSign Class 1 Public Primary Certification Authority - G3 | Client Authentication; Secure Email
VeriSign Class 2 Public Primary Certification Authority - G3 | Client Authentication; Code Signing; Secure Email
VeriSign Class 3 Public Primary Certification Authority - G3 | Code Signing; Server Authentication; Client Authentication; Secure Email
VeriSign Class 3 Public Primary Certification Authority - G4 | Server Authentication; Client Authentication; Secure Email; Code Signing; Time Stamping
VeriSign Class 3 Public Primary Certification Authority - G5 | Server Authentication; Client Authentication; Secure Email; Code Signing
VeriSign Universal Root Certification Authority | Server Authentication; Client Authentication; Secure Email; Code Signing; Time Stamping

Ryan Sleevi

Jun 26, 2018, 11:50:13 AM
to Jeremy Rowley, mozilla-dev-security-policy
Hi Jeremy,

Thanks for posting the update. A few notes below, as already shared on the
Bugzilla Bug where you also shared this.

On Tue, Jun 26, 2018 at 10:57 AM, Jeremy Rowley via dev-security-policy <
dev-secur...@lists.mozilla.org> wrote:

> Key Dates
>
> * March 2018 - Beginning of phased removal of trust by root
> program operators for Symantec TLS certificates issued prior to June 1,
> 2016.
>
> * October 2018 - Full removal of trust of Symantec-issued TLS
> certificates by root program operators.
>

One slight clarification to your dates: The removal is expected to _start_
late June/early July 2018.

Thus, by July 2018, all Symantec-issued TLS certificate consumers should
have begun transitioning, with the majority having completed the
transition. This ensures that, should there be any unforeseen issues, they
can have a small window of time to remove those issues.

In particular, releases of both Firefox and Chrome are expected, no later
than July, which begin distrusting these certificates, with the overall
population of versions increasing to 100% by October. Thus, rather than
October being a transition date from 0% to 100%, it should be seen as the
transition from, say, 50% to 100%. Thus, to avoid breaking 50% of users,
sites should be transitioning *now*.

If it helps, you can point customers to
https://security.googleblog.com/2018/03/distrust-of-symantec-pki-immediate.html
or
https://blog.mozilla.org/security/2018/03/12/distrust-symantec-tls-certificates/
. For Mozilla, https://wiki.mozilla.org/Release_Management/Calendar gives
the calendar - Firefox 63 has begun in Central as of yesterday (i.e. June),
with a scheduled Beta date of September 3.
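
A quick way to check whether a site's served chain falls under the timeline discussed in this thread, added here as an example and not code from either poster: it parses the text that `openssl x509 -noout -subject -issuer -dates` prints for each certificate of a chain, takes the root from the last certificate (its subject if self-signed, otherwise its issuer, since servers often omit the root), matches it against the Server Authentication roots from Jeremy's list, and applies the two dates from the thread (the June 1, 2016 issuance cutoff and the July-to-October 2018 rollout Ryan describes). The Class 1 and Class 2 roots are left out because their listed EKUs carry no Server Authentication. The sample chains and every "Example ..." name are constructed placeholders; matching on subject CN is a convenience that works because the listed names are distinct, and a production check should pin the roots' certificate or SPKI hashes, which the thread does not list.

```python
# Added example: classify a served TLS chain against the Symantec distrust
# timeline from this thread.  Root names come from the list posted above;
# sample chains below are constructed, not real certificates.
import re
from datetime import datetime

# "Symantec TLS certificates issued prior to June 1, 2016" lost trust first.
LEGACY_CUTOFF = datetime(2016, 6, 1)

# Roots from the posted list whose EKU includes Server Authentication.
SYMANTEC_TLS_ROOTS = frozenset([
    "GeoTrust Global CA", "GeoTrust Global CA 2",
    "GeoTrust Primary Certification Authority",
    "GeoTrust Primary Certification Authority - G2",
    "GeoTrust Primary Certification Authority - G3",
    "GeoTrust Universal CA", "GeoTrust Universal CA 2",
    "Symantec Class 3 Public Primary Certification Authority - G4",
    "Symantec Class 3 Public Primary Certification Authority - G6",
    "thawte Primary Root CA", "thawte Primary Root CA - G2",
    "thawte Primary Root CA - G3",
    "VeriSign Class 3 Public Primary Certification Authority - G3",
    "VeriSign Class 3 Public Primary Certification Authority - G4",
    "VeriSign Class 3 Public Primary Certification Authority - G5",
    "VeriSign Universal Root Certification Authority",
])

# CN in either OpenSSL DN style: "C = US, CN = X" (1.1+) or "/C=US/CN=X" (1.0).
_CN = re.compile(r"(?:^|[,/]\s*)CN\s*=\s*([^,/]+)")


def common_name(dn):
    m = _CN.search(dn)
    if not m:
        raise ValueError("no CN in DN: %r" % dn)
    return m.group(1).strip()


def parse_x509_text(text):
    """Parse what `openssl x509 -noout -subject -issuer -dates` prints for one cert."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if sep:
            fields[key.strip()] = value.strip()
    not_before = " ".join(fields["notBefore"].split())  # "Mar  1 ..." -> "Mar 1 ..."
    return {
        "subject_cn": common_name(fields["subject"]),
        "issuer_cn": common_name(fields["issuer"]),
        "not_before": datetime.strptime(not_before, "%b %d %H:%M:%S %Y GMT"),
    }


def chain_root_cn(chain):
    """chain is leaf-first.  If the last cert is self-signed it is the root;
    otherwise the server omitted the root and the last issuer names it."""
    last = chain[-1]
    return last["subject_cn"] if last["subject_cn"] == last["issuer_cn"] else last["issuer_cn"]


def classify_chain(chain):
    """Return (status, root_cn) following the thread's timeline."""
    root = chain_root_cn(chain)
    if root not in SYMANTEC_TLS_ROOTS:
        return "ok", root
    if chain[0]["not_before"] < LEGACY_CUTOFF:
        return "distrusted-since-march-2018", root
    return "distrust-rolling-out-jul-to-oct-2018", root


def _cert_text(subject, issuer, not_before, not_after):
    """Constructed sample in the exact layout `openssl x509 -noout -subject -issuer -dates` prints."""
    return f"subject={subject}\nissuer={issuer}\nnotBefore={not_before}\nnotAfter={not_after}\n"


# Constructed chains; every "Example ..." name is a placeholder, not a real CA.
SAMPLE_CHAINS = {
    # Leaf issued before the June 2016 cutoff; root not served, named only as issuer.
    "legacy-geotrust": [
        _cert_text("CN = www.example.com", "CN = Example Intermediate CA",
                   "Mar  1 00:00:00 2016 GMT", "Mar  1 23:59:59 2018 GMT"),
        _cert_text("CN = Example Intermediate CA", "C = US, O = GeoTrust Inc., CN = GeoTrust Global CA",
                   "Jan  1 00:00:00 2014 GMT", "Jan  1 00:00:00 2024 GMT"),
    ],
    # Newer leaf under a listed root; root included, printed in the old slash DN style.
    "recent-symantec-g4": [
        _cert_text("/CN=www.example.net", "/CN=Example Intermediate CA 2",
                   "Jan 10 12:00:00 2018 GMT", "Jan 10 12:00:00 2020 GMT"),
        _cert_text("/CN=Example Intermediate CA 2",
                   "/O=Example Org/CN=Symantec Class 3 Public Primary Certification Authority - G4",
                   "Jun  1 00:00:00 2015 GMT", "Jun  1 00:00:00 2025 GMT"),
        _cert_text("/O=Example Org/CN=Symantec Class 3 Public Primary Certification Authority - G4",
                   "/O=Example Org/CN=Symantec Class 3 Public Primary Certification Authority - G4",
                   "Jan  1 00:00:00 2011 GMT", "Jan  1 00:00:00 2036 GMT"),
    ],
    # Chain to a root that is not on the list.
    "unaffected": [
        _cert_text("CN = www.example.org", "CN = Example Intermediate CA 3",
                   "May  5 00:00:00 2018 GMT", "May  5 00:00:00 2019 GMT"),
        _cert_text("CN = Example Intermediate CA 3", "CN = Example Root CA",
                   "Jan  1 00:00:00 2016 GMT", "Jan  1 00:00:00 2026 GMT"),
    ],
}


def demo():
    """Classify every constructed chain; returns {name: (status, root_cn)}."""
    return {name: classify_chain([parse_x509_text(t) for t in texts])
            for name, texts in SAMPLE_CHAINS.items()}


if __name__ == "__main__":
    for name, (status, root) in demo().items():
        print(f"{name}: {status} (root: {root})")
```

To run it against a live server, capture the chain with `openssl s_client -connect host:443 -servername host -showcerts </dev/null`, split out each PEM block, and pipe it through `openssl x509 -noout -subject -issuer -dates` before handing the text to `parse_x509_text`. Note that "ok" here only means the root is not on the posted list; a result of "distrust-rolling-out-jul-to-oct-2018" is, per Ryan's reply, already a failure for whatever share of users runs a release that has begun distrusting these roots.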