This is precisely what was discussed as part of the Managed Partner
Infrastructure transition, which was anticipated to potentially take
several years due to a wide variety of complexities.
This model was designed to allow for the replacement of the existing
Symantec Roots with the Transition Certificates (which would have
stabilized then, but not necessarily right now, as folks only now begin to
transition), and a separable discussion regarding whether or not the
Apple/Google intermediates will have fully expired (as is possible) or
whether they would need to be 'administratively managed' - effectively,
treated as roots (in which Mozilla or other root programs oversaw the audit
reports), rather than delegating the audit report oversight to Symantec.
I can't speak for Google or Apple's transition plans, but the design of the
plan, as discussed on the list, was precisely to allow for a minimally
disruptive transition, in a solution that would technically work with a
wide variety of root programs, including all browsers root programs'
technical constraints. This wasn't accidental, it was intentional.
On Thu, Mar 1, 2018 at 10:17 AM, Alex Gaynor via dev-security-policy <
dev-secur...@lists.mozilla.org> wrote:
> Is it practical to remove the Symantec root certificates and (temporarily)
> add the Google and Apple intermediates to the trust store? This should
> facilitate removing trust in Symantec without disruption.
>
> > In my opinion, Mozilla's and Google's plans to distrust the Thawte,
> > RapidSSL, GeoTrust, Verisign, and Symantec branded CAs in the browser,
> > should be interpreted as a recommendation to eventually distrust them
> > for all server authentication uses.
> >
> > If a CA gets distrusted for https, then I think it's fair to equally
> > consider it as no longer acceptable for other services like IMAPS or
> LDAPS.
> >
> > As Ryan said in another thread, migration of non-https services might
> > take a longer time to migrate. However, based on Jeremy's statement in
> >
https://bugzilla.mozilla.org/show_bug.cgi?id=1437826#c3
> > I'd assume that the customer certificate migration efforts driven by
> > DigiCert should also cover migration of non-https services within a
> > reasonable amount of time, where general purpose client software is used
> > to connect to non-https services.
> >
> > (I'm excluding special purpose hardware with embedded restrictions, and
> > also excluding manually configured server to server configurations.)
> >
> > I conclude that for general purpose client software, that doesn't
> > implement key pinning and doesn't have restrictions on chain length, but
> > which wants to retain the ability to connect to services offered by
> > Apple or Google, the whitelisting for Apple/Google subCAs is the only
> > hindrance for eventual full distrust of the Symantec Root CAs.
> >
> > Are the owners of the Apple and Google subCAs able to announce a date,
> > after which they will no longer require their Symantec-issued subCAs to
> > be whitelisted?
> >