Google To Deprecate and Remove Trust From 30,000 Symantec-issued Extended Validation Certificates
A reduction in the accepted validity period of newly issued Symantec-issued certificates to nine months or less, in order to minimize any impact to Google Chrome users from any further misissuances that may arise.
An incremental distrust, spanning a series of Google Chrome releases, of all currently-trusted Symantec-issued certificates, requiring they be revalidated and replaced.
Removal of recognition of the Extended Validation status of Symantec issued certificates, until such a time as the community can be assured in the policies and practices of Symantec, but no sooner than one year.
Intent to Deprecate and Remove: Trust in existing Symantec-issued Certificates [groups.google.com]
Google’s statements about our issuance practices and the scope of our past mis-issuances are exaggerated and misleading. For example, Google’s claim that we have mis-issued 30,000 SSL/TLS certificates is not true. In the event Google is referring to, 127 certificates – not 30,000 – were identified as mis-issued, and they resulted in no consumer harm.
Symantec Backs Its CA [symantec.com]
As (perhaps incompletely) explained in the initial message, [groups.google.com...], this only proposes a change in trust status related to the "existing" Symantec-issued certificates, and describes a proposal on how to restore that trust to sufficient levels, so as to avoid the need to distrust any root CAs. Distrusting the root CA keys involved carries with it a non-trivial degree of compatibility and interoperability risk, as explained, and so this proposal is an attempt to find a balance between that risk and the security needs of users and site operators - both those that have Symantec-issued certificates and those that do not.
As explained earlier on this thread, while the set of 30,000 certificates relates to those improperly validated by improperly supervised delegated third parties, the inability to technically identify these certificates or sufficiently independently assess that the issues are limited to these certificates makes it necessary to either accept an unknown security risk, or to take appropriate measures, as proposed, to balance that risk. As Symantec has already indicated they have terminated their relationship with these partners regarding new certificate issuance, we have some degree of assurance that new certificates will comply with the expected policies and practices. As with any CA, there is an element of trust inherent in making such a decision, but anything short of distrust inherently means to trust. This proposal attempts to restore that trust to the sufficient and necessary level, by describing a process and set of changes that can be made to Chrome to provide a sufficient level of assurance, and to mitigate further risks should that trust be found to be misplaced.
Thursday's announcement is only the latest development in Google's 18-month critique of practices by Symantec issuers. In October 2015, Symantec fired an undisclosed number of employees responsible for issuing test certificates for third-party domains without the permission of the domain holders. One of the extended-validation certificates covered google.com and www.google.com and would have given the person possessing it the ability to cryptographically impersonate those two addresses. A month later, Google pressured Symantec into performing a costly audit of its certificate issuance process after finding the mis-issuances went well beyond what Symantec had first revealed.
Or Symantec was only able to contact Google by clicking on the "Was this page helpful" link and sending feedback in the comments. ;)