{"id":4142,"date":"2017-05-24T11:31:54","date_gmt":"2017-05-24T15:31:54","guid":{"rendered":"https:\/\/www.thesslstore.com\/blog\/?p=4142"},"modified":"2017-06-01T17:24:17","modified_gmt":"2017-06-01T21:24:17","slug":"google-and-symantec","status":"publish","type":"post","link":"https:\/\/www.thesslstore.com\/blog\/google-and-symantec\/","title":{"rendered":"Google and Symantec Trust Issues Near Conclusion"},"content":{"rendered":"<h2>\u00a0Symantec Will Partner With A CA To Issue Certificates<\/h2>\n<p>Last Friday Google and Symantec <a href=\"https:\/\/groups.google.com\/a\/chromium.org\/d\/msg\/blink-dev\/eUAKwjihhBs\/ovLalSBRBQAJ\" rel=\"nofollow\">shared a proposal<\/a> that will allow Symantec to move forward following the violations and mis-issuances that were uncovered earlier this year.<span id=\"newline\"><\/span><\/p>\n<p>Google and Symantec have both noted that some of the specifics may change but they are close to \u201cconverging on [a proposal] that strikes a good balance of addressing security risk and mitigating interruption.\u201d<\/p>\n<p>The previous proposal from Google involved a complicated set of restrictions on Symantec certificates as well as a staged distrust of existing certificates. This would have put Symantec and its customers into a tricky position as Symantec would have been forbidden from offering the same features as other CAs.<\/p>\n<p>That has been thrown out in favor of a more radical change which will remove most of the burden from Symantec\u2019s customers.<\/p>\n<p>Under the new proposal, Symantec will be partnering with another CA to continue issuing certificates while it revamps its own operations. The majority of the work required to execute this plan will be undertaken by Symantec itself. Users will see relatively few changes and will be able to get new certificates that do not have any restrictions placed on them.<\/p>\n<p>For browsers, it was incredibly important to separate new and old Symantec certificates with a new set of root certificates. This gives them the ability to control which certificates are trusted through technical measures \u2013 instead of policies \u2013 which is considerably more reliable.<\/p>\n<p>Here are the highlights:<\/p>\n<ul>\n<li>As with previous plans, these actions apply to all Symantec operated CAs which includes GeoTrust, Thawte, and RapidSSL.<\/li>\n<li>Starting August 8<sup>th<\/sup>, Symantec certificates will need to be issued by a \u201cManaged CA\u201d \u2013 another certificate authority who Symantec has partnered with. It is not yet known who will be working with Symantec.<\/li>\n<\/ul>\n<p>These certificates will be cross-signed by existing Symantec roots in order to leverage their expansive root ubiquity. This allows new certificates to be trusted on the huge variety of legacy devices that trust Symantec\u2019s existing roots.<\/p>\n<ul>\n<li>Certificates issued by this Managed CA will not face any unique restrictions. This means Symantec certificates will be able to be issued in accordance with the industry standard rules. Their EV certificates will continue to be displayed with the green address bar UI.<\/li>\n<li>Existing certificates issued before June 1<sup>st<\/sup> 2016 (when Symantec certificates were required to comply with Chrome\u2019s Certificate Transparency policy) will need to be replaced. Chrome will distrust those certificates over a two-phase period starting in August (with the release of Chrome 62).<\/li>\n<li>Existing certificates issued after June 1<sup>st<\/sup> 2016 will not be affected. Owners of these certificates will not need to have them revalidated\/reissued, or see any reductions in validity period. EV certificates will continue to have EV UI.<\/li>\n<li>While all of this is happening Symantec will be providing audits and reports to Google and the community to show its progress on fixing the errors that led to its violations. They will also be working on submitting new root certificates to root programs so that there can be a technically viable way to begin validating and issuing certificates again.<\/li>\n<\/ul>\n<p>Symantec\u2019s partner CA will continue to handle issuance and validation until Symantec\u2019s new root certificates are accepted into trust stores. This is no small feat for any company \u2013 including veteran CAs. While some root programs \u2013 like Mozilla\u2019s \u2013 are transparent and well documented, others (<em>*cough*<\/em> Apple <em>*cough*<\/em>) are spoken of like urban legends and can take significantly longer to work with.<\/p>\n<p>It will likely take two or more years before Symantec is ready to bring everything back in-house. But in the meantime, their customers will continue to be able to buy and use certificates as they have been, with no complicated or inconvenient restrictions.<\/p>\n<p>Again, note that this is <em>still <\/em>not a final plan. While this process seems arduous, it makes sense when you consider the scale of Symantec\u2019s business. On Friday, Symantec said that it \u201c[is] carefully reviewing this proposal and will respond shortly with feedback for the community\u2019s consideration.\u201d We expect any final tweaks to made shortly, at which point we will post more details regarding upcoming changes and actions that Symantec certificate users will need to be prepared for.<\/p>\n<p>Mozilla is in a similar position as Google: it has\u00a0<a href=\"https:\/\/docs.google.com\/document\/d\/1RhDcwbMeqgE2Cb5e6xaPq-lUPmatQZwx3Sn2NPz9jF8\/edit\" rel=\"nofollow\">proposed a plan<\/a> that still needs to be fine-tuned. It is very similar to Google\u2019s, with one major difference being that Symantec certificates would be limited to 400 days of validity. Mozilla is also debating the idea that Symantec needs to outsource its CA duties while the new PKI is started. Mozilla is conscious of the fact that Symantec will have to follow the strictest set of rules across all root programs, and therefore Mozilla is trying to bring its plan to parity with Google\u2019s.<\/p>\n<p>As is the norm for the industry, Microsoft and Apple have said very little and have not made any public statement on what they will be doing. Historically their root programs have been more lenient, and are therefore less important when determining impact to users.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>\u00a0Symantec Will Partner With A CA To Issue Certificates Last Friday Google and Symantec shared a proposal that will allow Symantec to move forward following the violations and mis-issuances that&#8230;<\/p>\n","protected":false},"author":2,"featured_media":4145,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"inline_featured_image":false,"footnotes":"","tve_updated_post":"","tve_custom_css":"","tve_user_custom_css":"","tve_globals":{},"tcb2_ready":0,"tcb_editor_enabled":0,"tve_landing_page":"","_tve_header":"","_tve_footer":""},"categories":[17],"tags":[131,179,467,139],"class_list":["post-4142","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-industry-lowdown","tag-google","tag-ssl-certificates","tag-ssltls","tag-symantec","post-with-tags"],"views":16187,"jetpack_featured_media_url":"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2017\/05\/iStock-503870180.jpg","_links":{"self":[{"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/posts\/4142","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/comments?post=4142"}],"version-history":[{"count":0,"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/posts\/4142\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/media\/4145"}],"wp:attachment":[{"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/media?parent=4142"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/categories?post=4142"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/tags?post=4142"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}