{"id":4015,"date":"2017-05-02T16:09:33","date_gmt":"2017-05-02T20:09:33","guid":{"rendered":"https:\/\/www.thesslstore.com\/blog\/?p=4015"},"modified":"2018-09-27T06:56:53","modified_gmt":"2018-09-27T10:56:53","slug":"mozilla-symantec-proposal","status":"publish","type":"post","link":"https:\/\/www.thesslstore.com\/blog\/mozilla-symantec-proposal\/","title":{"rendered":"Mozilla Posts Proposal for Action Against Symantec"},"content":{"rendered":"<h2>Mozilla will make a final decision on Symantec in a week\u2019s time.<\/h2>\n<p>On Monday, Mozilla <a href=\"https:\/\/groups.google.com\/forum\/#!topic\/mozilla.dev.security.policy\/IZYmm8zsSKU\">released a 10-page report<\/a>. The report includes both an in-depth summary of the events and issues so far and a draft of Mozilla\u2019s response.<\/p>\n<p>For those who want to quickly catch up, this entire saga has become extremely complicated since Google <a href=\"https:\/\/groups.google.com\/a\/chromium.org\/forum\/#!topic\/blink-dev\/eUAKwjihhBs%5B1-25%5D\">posted their original proposal on March 23<sup>rd<\/sup><\/a>.<\/p>\n<p>The key events since then: Google and Mozilla publicly investigated the issues, finding more evidence of poor management. Both companies then agreed to give Symantec time to provide its own counter-proposal (a \u201cremediation plan\u201d) for handling the issues, <a href=\"https:\/\/community.digicert.com\/en\/blogs.entry.html\/2017\/04\/27\/symantec-ca-response-to-google-proposal-and-community-feedback.html\">which it did last week<\/a>. Google then provided a <a href=\"https:\/\/groups.google.com\/forum\/#!msg\/mozilla.dev.security.policy\/lOHrTr97Qx0\/2IkcSGq9AQAJ\">counter-counter-proposal<\/a>.<\/p>\n<p>That counter-counter-proposal, penned by Google\u2019s Ryan Sleevi, was sent to Symantec in mid-April, and parts of it were publicly shared last week. 
It suggested that Symantec partner with another CA, \u201cthereby removing Symantec infrastructure and validation processes from the equation.\u201d<\/p>\n<p>In the future, Symantec could then acquire this CA, or its roots, and bring issuance and validation back under its own roof. The specific conditions for this were not detailed.<\/p>\n<p>While this is a radical suggestion, Sleevi noted that it would \u201cmitigate our primary concerns related to new certificates,\u201d eliminating the need to place restrictions on new Symantec SSL certificates.<\/p>\n<p>Because all new Symantec certificates would be issued from a separate PKI, browsers could be confident that the problems tied to the existing infrastructure no longer affect new issuance. Existing certificates would still need to be dealt with, but this would essentially give Symantec\u2019s CA a clean start.<\/p>\n<p>In today\u2019s report, Mozilla said that it, too, considers this the best way forward for Symantec and is urging the company to consider it. Mozilla also proposed a fall-back if Symantec decides not to \u2018restart\u2019 its PKI.<\/p>\n<p>The key details of that fall-back are:<\/p>\n<ul>\n<li>Symantec must provide Mozilla with a \u201cfull PKI diagram\u201d of all roots and sub-CAs that are trusted by Mozilla. All the certificates involved in non-compliant issuance must be revoked.<\/li>\n<li>New Symantec certificates will be limited to 13 months of validity.<\/li>\n<li>Existing Symantec certificates will be gradually restricted to 13 months of validity.<\/li>\n<\/ul>\n<p>Note that these restrictions only apply if Symantec decides to continue operating under its existing PKI infrastructure.<\/p>\n<p>Notably, the Mozilla proposal does not involve removing Symantec\u2019s EV status (Google\u2019s proposed plan does). Mozilla\u2019s report states \u201cthe risk has now been eliminated, and no existing Symantec EV certificates are affected. 
Therefore\u2026 the removal of EV status seems unwarranted.\u201d<\/p>\n<p>So far, no root program has officially committed to a plan, but that will change soon. Mozilla has said that it will release a final decision on May 8<sup>th<\/sup>, and is <a href=\"https:\/\/groups.google.com\/forum\/#!topic\/mozilla.dev.security.policy\/IZYmm8zsSKU\">accepting public comments in this thread<\/a> until then. Google\u2019s proposal is still being considered internally, with no known deadline. Apple and Microsoft have said nothing publicly throughout, which is normal for them.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Mozilla will make a final decision on Symantec in a week\u2019s time. On Monday, Mozilla released a 10-page report. This report includes both an in-depth summary of the events and&#8230;<\/p>\n","protected":false},"author":2,"featured_media":4018,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"inline_featured_image":false,"footnotes":"","tve_updated_post":"","tve_custom_css":"","tve_user_custom_css":"","tve_globals":{},"tcb2_ready":0,"tcb_editor_enabled":0,"tve_landing_page":"","_tve_header":"","_tve_footer":""},"categories":[17],"tags":[164,192,581,467,139,362],"class_list":["post-4015","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-industry-lowdown","tag-certificate-authorities","tag-mozilla","tag-ssl-certificate","tag-ssltls","tag-symantec","tag-trust","post-with-tags"],"views":7134,"jetpack_featured_media_url":"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2017\/05\/mozilla-firefox-symbol-hq-headquarters-building-sign-symbol-convention-open-source-1200x630-c.jpg","_links":{"self":[{"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/posts\/4015","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.thessl
store.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/comments?post=4015"}],"version-history":[{"count":0,"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/posts\/4015\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/media\/4018"}],"wp:attachment":[{"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/media?parent=4015"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/categories?post=4015"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/tags?post=4015"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}