[cabfpub] Notice of Certificate Issuance

Dean Coclin Dean_Coclin at symantec.com
Mon Dec 5 20:36:33 UTC 2016


Technically we don't advise against key pinning, rather, we advise customers to not specifically hardcode intermediate certificates and to anticipate that intermediates in the hierarchy may change.  We do this via periodic emails/customer bulletins.

The reference in the CPS is under 1.4.2: 

"Symantec periodically rekeys Intermediate CAs. Third party applications or platforms that have an Intermediate CA embedded as a root certificate may not operate as designed after the
Intermediate CA has been rekeyed. Symantec therefore does not warrant the use of Intermediate CAs as root certificates and recommends that Intermediate CAs not be embedded into
applications and/or platforms as root certificates. Symantec recommends the use of PCA Roots as root certificates."


-----Original Message-----
From: Gervase Markham [mailto:gerv at mozilla.org] 
Sent: Thursday, December 01, 2016 4:14 AM
To: CA/Browser Forum Public Discussion List <public at cabforum.org>
Cc: Dean Coclin <Dean_Coclin at symantec.com>
Subject: Re: [cabfpub] Notice of Certificate Issuance

Hi Dean,

On 01/12/16 03:45, Dean Coclin via Public wrote:
> For the past several years we have made a point to communicate to both 
> customers and partners that they should avoid hard coding or otherwise 
> constraining the CA’s supported by their applications given the 
> increasing frequency of changes.

So Symantec advises against key pinning in all circumstances?

Presumably this is publicly documented somewhere on your website that customers are likely to see?

> In this case it is also explicitly
> called out in our CPS.

Could you give us a reference, please?

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 5723 bytes
Desc: not available
URL: <http://lists.cabforum.org/pipermail/public/attachments/20161205/673b1358/attachment-0001.p7s>

More information about the Public mailing list