136
edits
Changes
→Symantec: changed 'will' to 'plans to'
==Symantec==
In accordance [https://groups.google.com/d/topic/mozilla.dev.security.policy/FLHRT79e3XE/discussion with the distrust plan of 2017], Mozilla plans to distrust Symantec certificates issued before 1-June 2016 are distrusted starting in Firefox 60 unless they are issued by whitelisted subordinate CAs that have the following SHA-256 Subject Public Key hashes (subjectPublicKeyInfo):
Apple:<br />
Note: In some instances, multiple subordinate CAs contain the same public key, necessitating whitelisting by subjectPublicKeyInfo. Refer to ([https://bugzilla.mozilla.org/show_bug.cgi?id=1409257 Bug 1409257]) for more information.
In Firefox 63, Mozilla plans to remove the ‘before 1-June 2016’ rule will be removed and all Symantec TLS certificates will be distrusted except those issued by the whitelisted subordinate CAs listed above.
In a future Firefox release, we expect to remove the whitelist, and remove the ‘websites’ trust bit from all Symantec roots. The timing of these changes, and any changes to the ‘email’ trust bit (S/MIME) have not yet been determined.
