Mozilla will make a final decision on Symantec in a week’s time.
On Monday, Mozilla released a 10-page report. This report includes both an in-depth summary of the events and issues so far, as well as a draft version of their response.
For those who want to quickly catch up, this entire saga has become extremely complicated since Google posted their original proposal on March 23rd.
The key events since then: Google and Mozilla publicly investigated the issues, finding more evidence of poor management. Both companies then agreed to give Symantec time to provide their own counter-proposal (a “remediation plan”) for handling the issues, which they did last week. Google then provided a counter-counter-proposal.
That counter-counter-proposal, penned by Google’s Ryan Sleevi, was sent to Symantec in mid-April and parts of it were publicly shared last week. It suggested Symantec partner with another CA, “thereby removing Symantec infrastructure and validation processes from the equation.”
In the future, Symantec could then acquire this CA, or its roots, and bring issuance and validation back under its roof. The specific conditions for this were not detailed.
While this is a radical suggestion, Sleevi noted that it would “mitigate our primary concerns related to new certificates,” eliminating the need to place restrictions on new Symantec SSL certificates.
Because all new Symantec certificates would be handled by a separate PKI infrastructure, it would give browsers complete confidence that mistakes related to the existing infrastructure were eliminated. Existing certificates would still need to be dealt with, but this would essentially provide a clean start for Symantec’s CA.
In today’s report, Mozilla said that they too think this is the best way forward for Symantec and are urging the company to consider it. Mozilla also proposed a fall-back if Symantec decides not to ‘restart’ their PKI.
The key details of this proposal are:
- Symantec must provide Mozilla with a “full PKI diagram” of all roots and sub-CAs that are trusted by Mozilla. All the certificates involved with non-compliant issuance must be revoked.
- New Symantec certificates will be limited to 13-month validity.
- Existing Symantec certificates will be gradually restricted to 13 months of validity.
Note that these restrictions only occur if Symantec decides to continue operating under its existing PKI infrastructure.
Notably, the Mozilla Symantec proposal does not involve removing Symantec’s EV status (Google’s proposed plan does). Its report states “the risk has now been eliminated, and no existing Symantec EV certificates are affected. Therefore… the removal of EV status seems unwarranted.”
So far, none of the root programs have officially committed to a plan, but that will happen soon. Mozilla has said that it will release a final decision on May 8th, and is accepting public comments in this thread until then. Google’s proposal is still being internally considered, with no known deadline. Apple and Microsoft have been entirely quiet during this entire situation – which is normal.