The Two Major Browsers Will Support The Same Timeline For Consistency
Last week Symantec and Google brought their long-deliberated negotiations to a close and announced a public decision for handling certificates from Symantec’s current infrastructure.
This was a major announcement for the internet community, which had been eagerly awaiting a decision since discussions started in March.
However, there are four major root programs, operated by Google, Mozilla, Microsoft, and Apple, whose products account for the majority of end-user devices and software. Each root program makes independent decisions on how it will react to violations by Certificate Authorities.
Now Mozilla, who manages the root program for Firefox and NSS (a set of open source crypto libraries), has announced that it will mirror most of Google’s decision.
The broad results of that plan are:
- Symantec’s existing root certificates will be retired. New roots will be submitted to root programs.
- Symantec will continue issuing certificates via a partnered Certificate Authority as it goes through the process of having its new roots audited and distributed.
- Symantec certificates issued before June 1st, 2016 (when they started Certificate Transparency logging) will need to be replaced, either by reissuing them (for free) or by renewing them early.
- In October 2018 all Symantec certificates issued from their current roots will need to be replaced.
Gervase Markham, who works on Mozilla’s root program, stated: “we have decided to match the dates proposed by Google for Chrome (within a few weeks; exact Firefox releases will be determined nearer the time).”
Because Firefox and Chrome’s release schedules do not match up exactly, Mozilla may implement its changes a few weeks before or after Chrome. Browser release dates are only estimates, and a guaranteed date is not published this far in advance. Organizations are encouraged to make any necessary changes in advance in case Firefox’s implementation is a few weeks early.
What About Apple and Microsoft?
Apple and Microsoft also manage their own platforms’ root certificate stores. As per usual, neither company has publicly commented on what, if anything, they will do with regard to Symantec.
Unlike Google and Mozilla, who operate their root programs with a great degree of transparency, Apple and Microsoft do not host any public discussions or welcome comments. Those two are the remaining major root programs that have yet to take action against Symantec.
But don’t worry.
It’s normal for their decisions to come last. Usually, they match their more eager colleagues or go with less severe changes.
For organizations and websites affected by these changes to Symantec trust, it is safe to start planning around Google’s announced plan. Unless they break precedent, Apple and Microsoft’s plans should not conflict with those of Google and Mozilla.