
Peace in our time! Symantec says it can end Google cert spat

It's basically a promise to do better and not mess things up

By Richard Chirgwin, 27 Apr 2017

Symantec is hoping to get its certificates back on Google's trust list.

In March, an ongoing spat between the two companies came to a head. After a scandal in 2015 over three certs issued by Symantec subsidiary Thawte, the number grew to 23, then 164, then 2,458 within a month.

Google decided in December 2015 to distrust the company's 'Class 3 Public Primary CA' root certificate.

Things went quiet for a while, but in January Google started another investigation, turned up an alleged 30,000 dodgy certs, and decided to sin-bin Symantec.

To stave off disaster, Symantec has put forward another proposal to put things right, published here.

Saying it wants a “collaborative process” (rather than leaving the Chocolate Factory in charge of the guillotine), Symantec's Roxane Divol, executive veep and general manager at Symantec Website Security, says a fix requires “understanding the needs of all parties”.

The key actions Symantec proposes are:

  • Rather than have Chrome remove Extended Validation status from Symantec certs, the company offers a third-party audit of all its EV certs, to be completed by August 31, 2017;
  • Another third-party audit will cover all active certificates issued by partners, including CrossCert, Certisign, Certsuperior and Certisur;
  • A third WebTrust audit will cover December 1, 2016 to May 31, 2017, and after that, Symantec will conduct WebTrust audits quarterly;
  • Audits will be reported quarterly;
  • “We will work through the CA/B Forum to recommend new (or where applicable, updated) guidelines for appropriate customer exception requests to baseline requests”, the post states; and
  • Symantec promises to get the lead out of its pants when responding to the browser community's concerns.

The company also says it's going to offer SSL/TLS certs with three-month validity; it will run a domain validation of all certificates valid longer than nine months (at no extra cost to customers); and it promises to improve its back-end processes.

The company says that with these actions it hopes to avoid the disruption that distrust would cause to embedded systems and mobile apps with pinned certificates, and to enterprise apps chained to Symantec roots. ®

The Register - Independent news and views for the tech community. Part of Situation Publishing