No root for you! Google slams door on Symantec certs

The four-month row between Google and Symantec over SSL certificate issuing has just gone nuclear, with the Chocolate Factory making good on its threats and beginning a blockade.

"Over the course of the coming weeks, Google will be moving to distrust the 'Class 3 Public Primary CA' root certificate operated by Symantec Corporation, across Chrome, Android, and Google products," said Google software engineer Ryan Sleevi.

"Symantec has decided that this root will no longer comply with the CA/Browser Forum's Baseline Requirements. As these requirements reflect industry best practice and are the foundation for publicly trusted certificates, the failure to comply with these represents an unacceptable risk to users of Google products."

Sleevi said that Symantec had informed Google that the root certificate would be used for purposes other than for publicly trusted connections, but isn't saying what else they might be used for. As a result, it's on Google's naughty list.

"Symantec has indicated that they do not believe their customers, who are the operators of secure websites, will be affected by this removal," Sleevi said. "Further, Symantec has also indicated that, to the best of their knowledge, they do not believe customers who attempt to access sites secured with Symantec certificates will be affected by this."

That's far from certain, so he was kind enough to provide a link to Symantec Enterprise technical support, who are most likely having a rather unpleasant Friday morning.

But, according to Symantec, Google is overblowing the whole situation. Michael Klieman, SVP of product management at Symantec, told The Register that Symantec regularly retires certificates and that Google has made a mountain out of a molehill.

"Google's post on this was surprising because it came across as alarmist, that this was something out of the ordinary," he said.

"We've been in business a long time and have lots of roots embedded in different clients. In this case we notified all browsers to say here's an old root we've removed."

In this case the 1024-bit RSA roots were no longer acceptable and Mozilla had ceased support for the root back in September 2014.

As for the uses of the root certificate, Klieman said that they were mostly used for internal testing and for customers stuck on legacy systems, and were not intended for browser use.

"We've had a back and forth with Google," he said. "The roots are only for internal or private purposes, we can't even enumerate what all those use cases are."

Klieman said that, as far as he is aware, this is nothing to do with Symantec's ongoing feud with Google over SSL certification. ®