[conspire] Bill numbering; Symantec in the doghouse

Rick Moen rick at linuxmafia.com
Sun Mar 26 19:27:14 PDT 2017


Quoting Daniel Gimpelevich (daniel at gimpelevich.san-francisco.ca.us):

> It is, and it will be heard before the Judiciary Committee this Tuesday,
> per Rick's link. Your search undoubtedly unearthed something older
> instead.

One of the limitations of the Web, and especially of Web-_searching_, is
its poor sense of history.  This problem is made worse by creators of
Internet content omitting any _when_ indicator, sometimes because they
think (or at least act as if) the only time is now.

I think we've all been misled by pages from some other year or decade.

> While we're on such subjects, the day after that will see a
> committee hearing on another long-overdue bill:
> http://leginfo.legislature.ca.gov/faces/billTextClient.xhtml?bill_id=201720180AB807

Indeed, I wouldn't miss Daylight Saving Time.


Intermission.
[background music: 'Girl from Ipanema']



Topic #2 of 2.  Hey, a couple of years ago, we started seeing breakdown
of the worldwide Certificate Authority (CA) system that even the IT
press couldn't entirely ignore, in the form of epic screwups by CAs
Diginotar and Comodo.  Many people including me decided to banish those
CAs from our Web browser bundles.

Well, guess who's in the doghouse now?  Symantec!

https://groups.google.com/a/chromium.org/forum/m/#!msg/blink-dev/eUAKwjihhBs/rpxMXjZHCQAJ

  Since January 19, the Google Chrome team has been investigating a
  series of failures by Symantec Corporation to properly validate
  certificates. Over the course of this investigation, the explanations
  provided by Symantec have revealed a continually increasing scope of
  misissuance with each set of questions from members of the Google Chrome
  team; an initial set of reportedly 127 certificates has expanded to
  include at least 30,000 certificates, issued over a period spanning
  several years. This is also coupled with a series of failures following
  the previous set of misissued certificates from Symantec
  (https://security.googleblog.com/2015/10/sustaining-digital-certificate-security.html),
  causing us to no longer have confidence in the certificate issuance
  policies and practices of Symantec over the past several years. To
  restore confidence and security of our users, we propose the following
  steps:

  o  A reduction in the accepted validity period of newly issued
     Symantec-issued certificates to nine months or less, in order to
     minimize any impact to Google Chrome users from any further 
     misissuances that may arise.

  o  An incremental distrust, spanning a series of Google Chrome releases, 
     of all currently-trusted Symantec-issued certificates, requiring they 
     be revalidated and replaced.

  o  Removal of recognition of the Extended Validation status of Symantec
     issued certificates, until such a time as the community can be assured
     in the policies and practices of Symantec, but no sooner than one year.

Google announcing that Google Chrome will no longer trust Symantec EV
(extended validation) certs is a pretty major step, folks.   Symantec
is an umbrella for GeoTrust, VeriSign, and Thawte certs.


InfoWorld coverage:
http://www.infoworld.com/article/3184482/security/google-to-symantec-we-dont-trust-you-anymore.html




