info
Google Groups no longer supports new Usenet posts or subscriptions. Historical content remains viewable.
Dismiss
Deadline for whitelisting of the Apple/Google subCAs issued by Symantec?
328 views
Skip to first unread message
Kai Engert
Mar 1, 2018, 10:15:52 AM3/1/18
to mozilla-dev-s...@lists.mozilla.org
In my opinion, Mozilla's and Google's plans to distrust the Thawte,
RapidSSL, GeoTrust, Verisign, and Symantec branded CAs in the browser,
should be interpreted as a recommendation to eventually distrust them
for all server authentication uses.
If a CA gets distrusted for https, then I think it's fair to equally
consider it as no longer acceptable for other services like IMAPS or LDAPS.
As Ryan said in another thread, migration of non-https services might
take a longer time to migrate. However, based on Jeremy's statement in
https://bugzilla.mozilla.org/show_bug.cgi?id=1437826#c3
I'd assume that the customer certificate migration efforts driven by
DigiCert should also cover migration of non-https services within a
reasonable amount of time, where general purpose client software is used
to connect to non-https services.
(I'm excluding special purpose hardware with embedded restrictions, and
also excluding manually configured server to server configurations.)
I conclude that for general purpose client software, that doesn't
implement key pinning and doesn't have restrictions on chain length, but
which wants to retain the ability to connect to services offered by
Apple or Google, the whitelisting for Apple/Google subCAs is the only
hindrance for eventual full distrust of the Symantec Root CAs.
Are the owners of the Apple and Google subCAs able to announce a date,
after which they will no longer require their Symantec-issued subCAs to
be whitelisted?
Thanks
Kai
RapidSSL, GeoTrust, Verisign, and Symantec branded CAs in the browser,
should be interpreted as a recommendation to eventually distrust them
for all server authentication uses.
If a CA gets distrusted for https, then I think it's fair to equally
consider it as no longer acceptable for other services like IMAPS or LDAPS.
As Ryan said in another thread, migration of non-https services might
take a longer time to migrate. However, based on Jeremy's statement in
https://bugzilla.mozilla.org/show_bug.cgi?id=1437826#c3
I'd assume that the customer certificate migration efforts driven by
DigiCert should also cover migration of non-https services within a
reasonable amount of time, where general purpose client software is used
to connect to non-https services.
(I'm excluding special purpose hardware with embedded restrictions, and
also excluding manually configured server to server configurations.)
I conclude that for general purpose client software, that doesn't
implement key pinning and doesn't have restrictions on chain length, but
which wants to retain the ability to connect to services offered by
Apple or Google, the whitelisting for Apple/Google subCAs is the only
hindrance for eventual full distrust of the Symantec Root CAs.
Are the owners of the Apple and Google subCAs able to announce a date,
after which they will no longer require their Symantec-issued subCAs to
be whitelisted?
Thanks
Kai
Alex Gaynor
Mar 1, 2018, 10:17:53 AM3/1/18
to Kai Engert, mozilla-dev-s...@lists.mozilla.org
Is it practical to remove the Symantec root certificates and (temporarily)
add the Google and Apple intermediates to the trust store? This should
facilitate removing trust in Symantec without disruption.
Alex
> _______________________________________________
> dev-security-policy mailing list
> dev-secur...@lists.mozilla.org
> https://lists.mozilla.org/listinfo/dev-security-policy
>
add the Google and Apple intermediates to the trust store? This should
facilitate removing trust in Symantec without disruption.
Alex
> dev-security-policy mailing list
> dev-secur...@lists.mozilla.org
> https://lists.mozilla.org/listinfo/dev-security-policy
>
Wayne Thayer
Mar 1, 2018, 10:37:03 AM3/1/18
to Alex Gaynor, mozilla-dev-s...@lists.mozilla.org, Kai Engert
On Thu, Mar 1, 2018 at 8:17 AM, Alex Gaynor via dev-security-policy <
dev-secur...@lists.mozilla.org> wrote:
> Is it practical to remove the Symantec root certificates and (temporarily)
> add the Google and Apple intermediates to the trust store? This should
> facilitate removing trust in Symantec without disruption.
>
> Before we can completely remove the Symantec roots, we need to address
dev-secur...@lists.mozilla.org> wrote:
> Is it practical to remove the Symantec root certificates and (temporarily)
> add the Google and Apple intermediates to the trust store? This should
> facilitate removing trust in Symantec without disruption.
>
email protection (S/MIME) certs. An interim step would be to turn off the
websites trust bit.
The decision to whitelist specific keys rather than add the intermediates
to the trust store was intentional - it allows DigiCert to sign additional
whitelisted intermediates during the transition period.
> Alex
>
> On Thu, Mar 1, 2018 at 10:15 AM, Kai Engert via dev-security-policy <
> dev-secur...@lists.mozilla.org> wrote:
>
>
> > Are the owners of the Apple and Google subCAs able to announce a date,
> > after which they will no longer require their Symantec-issued subCAs to
> > be whitelisted?
> >
>
whitelisted keys, I think we need to hear from them as well.
> Thanks
> > Kai
>
> - Wayne
Ryan Sleevi
Mar 1, 2018, 12:56:20 PM3/1/18
to Alex Gaynor, mozilla-dev-s...@lists.mozilla.org, Kai Engert
This is precisely what was discussed as part of the Managed Partner
Infrastructure transition, which was anticipated to potentially take
several years due to a wide variety of complexities.
This model was designed to allow for the replacement of the existing
Symantec Roots with the Transition Certificates (which would have
stabilized then, but not necessarily right now, as folks only now begin to
transition), and a separable discussion regarding whether or not the
Apple/Google intermediates will have fully expired (as is possible) or
whether they would need to be 'administratively managed' - effectively,
treated as roots (in which Mozilla or other root programs oversaw the audit
reports), rather than delegating the audit report oversight to Symantec.
I can't speak for Google or Apple's transition plans, but the design of the
plan, as discussed on the list, was precisely to allow for a minimally
disruptive transition, in a solution that would technically work with a
wide variety of root programs, including all browsers root programs'
technical constraints. This wasn't accidental, it was intentional.
On Thu, Mar 1, 2018 at 10:17 AM, Alex Gaynor via dev-security-policy <
Infrastructure transition, which was anticipated to potentially take
several years due to a wide variety of complexities.
This model was designed to allow for the replacement of the existing
Symantec Roots with the Transition Certificates (which would have
stabilized then, but not necessarily right now, as folks only now begin to
transition), and a separable discussion regarding whether or not the
Apple/Google intermediates will have fully expired (as is possible) or
whether they would need to be 'administratively managed' - effectively,
treated as roots (in which Mozilla or other root programs oversaw the audit
reports), rather than delegating the audit report oversight to Symantec.
I can't speak for Google or Apple's transition plans, but the design of the
plan, as discussed on the list, was precisely to allow for a minimally
disruptive transition, in a solution that would technically work with a
wide variety of root programs, including all browsers root programs'
technical constraints. This wasn't accidental, it was intentional.
On Thu, Mar 1, 2018 at 10:17 AM, Alex Gaynor via dev-security-policy <
dev-secur...@lists.mozilla.org> wrote:
> Is it practical to remove the Symantec root certificates and (temporarily)
> add the Google and Apple intermediates to the trust store? This should
> facilitate removing trust in Symantec without disruption.
>
> Is it practical to remove the Symantec root certificates and (temporarily)
> add the Google and Apple intermediates to the trust store? This should
> facilitate removing trust in Symantec without disruption.
>
> Alex
>
> On Thu, Mar 1, 2018 at 10:15 AM, Kai Engert via dev-security-policy <
> dev-secur...@lists.mozilla.org> wrote:
>
>
> On Thu, Mar 1, 2018 at 10:15 AM, Kai Engert via dev-security-policy <
> dev-secur...@lists.mozilla.org> wrote:
>
> > In my opinion, Mozilla's and Google's plans to distrust the Thawte,
> > RapidSSL, GeoTrust, Verisign, and Symantec branded CAs in the browser,
> > should be interpreted as a recommendation to eventually distrust them
> > for all server authentication uses.
> >
> > If a CA gets distrusted for https, then I think it's fair to equally
> > consider it as no longer acceptable for other services like IMAPS or
> LDAPS.
> >
> > As Ryan said in another thread, migration of non-https services might
> > take a longer time to migrate. However, based on Jeremy's statement in
> > https://bugzilla.mozilla.org/show_bug.cgi?id=1437826#c3
> > I'd assume that the customer certificate migration efforts driven by
> > DigiCert should also cover migration of non-https services within a
> > reasonable amount of time, where general purpose client software is used
> > to connect to non-https services.
> >
> > (I'm excluding special purpose hardware with embedded restrictions, and
> > also excluding manually configured server to server configurations.)
> >
> > I conclude that for general purpose client software, that doesn't
> > implement key pinning and doesn't have restrictions on chain length, but
> > which wants to retain the ability to connect to services offered by
> > Apple or Google, the whitelisting for Apple/Google subCAs is the only
> > hindrance for eventual full distrust of the Symantec Root CAs.
> >
> > RapidSSL, GeoTrust, Verisign, and Symantec branded CAs in the browser,
> > should be interpreted as a recommendation to eventually distrust them
> > for all server authentication uses.
> >
> > If a CA gets distrusted for https, then I think it's fair to equally
> > consider it as no longer acceptable for other services like IMAPS or
> LDAPS.
> >
> > As Ryan said in another thread, migration of non-https services might
> > take a longer time to migrate. However, based on Jeremy's statement in
> > https://bugzilla.mozilla.org/show_bug.cgi?id=1437826#c3
> > I'd assume that the customer certificate migration efforts driven by
> > DigiCert should also cover migration of non-https services within a
> > reasonable amount of time, where general purpose client software is used
> > to connect to non-https services.
> >
> > (I'm excluding special purpose hardware with embedded restrictions, and
> > also excluding manually configured server to server configurations.)
> >
> > I conclude that for general purpose client software, that doesn't
> > implement key pinning and doesn't have restrictions on chain length, but
> > which wants to retain the ability to connect to services offered by
> > Apple or Google, the whitelisting for Apple/Google subCAs is the only
> > hindrance for eventual full distrust of the Symantec Root CAs.
> >
> > Are the owners of the Apple and Google subCAs able to announce a date,
> > after which they will no longer require their Symantec-issued subCAs to
> > be whitelisted?
> >
> > after which they will no longer require their Symantec-issued subCAs to
> > be whitelisted?
> >
Ryan Hurst
Mar 1, 2018, 1:38:44 PM3/1/18
to mozilla-dev-s...@lists.mozilla.org
On Thursday, March 1, 2018 at 7:15:52 AM UTC-8, Kai Engert wrote:
> Are the owners of the Apple and Google subCAs able to announce a date,
> after which they will no longer require their Symantec-issued subCAs to
> be whitelisted?
Kai,
> Are the owners of the Apple and Google subCAs able to announce a date,
> after which they will no longer require their Symantec-issued subCAs to
> be whitelisted?
We are actively migrating to the Google Trust Services operated root certificates and while we would love to provide a concrete date the nature of these sorts of deployments makes that hard to provide.
What I can say is that our plan is to be migrated off by the time the Equifax root expires August 22nd 2018.
Ryan Hurst
0 new messages