Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Audits

Mozilla Tells Symantec to Accept Google’s CA Proposal

Mozilla has shared details about its own position in the debate between Symantec and Google regarding improper issuance of digital certificates. The organization advised Symantec to accept Google’s offer, but it has also described alternative action it may take if an agreement is not reached.

Mozilla has shared details about its own position in the debate between Symantec and Google regarding improper issuance of digital certificates. The organization advised Symantec to accept Google’s offer, but it has also described alternative action it may take if an agreement is not reached.

Google announced in March its intent to stop trusting all Symantec-issued digital certificates due to the certificate authority’s failure to play by the rules. Symantec, its subsidiaries and its partners had been accused of making too many exceptions from Baseline Requirements (BR) in favor of their customers.

The developer of the Chrome web browser initially proposed the reduction of the validity period for newly issued Symantec certificates to nine months or less, gradual distrust and replacement of all existent certificates, and the removal of extended validation (EV) status for Symantec certificates.

Symantec called Google’s statements “exaggerated and misleading,” and pointed out that the changes could have a serious impact for its customers.

After some debate, Google made a second proposal that involves Symantec partnering with one or more existing CAs and using their infrastructure and validation process. Symantec would still handle business relations with customers and all CAs would be cross-signed by the company.

“It’s worth noting that this proposal minimizes any impact to Symantec customers, existing or new,” said Ryan Sleevi, a software engineer on the Google Chrome team. “It provides a graceful transition path that does not negatively impact existing customers who have special needs – such as those of pinning or certain roots. It does not prohibit Symantec from continuing to use and operate its existing infrastructure for non-Web cases, but eliminates the security risk from doing so.”

Advertisement. Scroll to continue reading.

Last week, Symantec came forward with its own proposal for restoring trust. The cybersecurity giant’s proposal includes auditing of all active certificates by a third-party auditor, more transparency, shorter validity for certificates, and several operational improvements.

Google is still not satisfied with the steps Symantec has offered to take, and it plans on continuing public discussions on the matter.

Mozilla, which has been conducting its own investigation into Symantec’s CA business, also has some concerns regarding Symantec’s proposal. The browser vendor says some of the proposed actions either don’t make any difference or they are simply not enough for regaining trust.

Mozilla has advised Symantec to accept Google’s second proposal and said it’s open to discussing its implementation. However, if Symantec refuses, Mozilla may take alternative action to “reduce the risk from potential past and future mis-issuances by Symantec, and to ensure future compliance with the BRs and with other root program requirements.”

Mozilla’s proposal requires Symantec to clean up its public key infrastructure (PKI) and cut off parts that are not compliant with BR. The organization could also limit the validity of newly-issued certificates to 13 months, and progressively reduce the lifetime of existing certificates to the same period.

Written By

Eduard Kovacs (@EduardKovacs) is senior managing editor at SecurityWeek. He worked as a high school IT teacher before starting a career in journalism in 2011. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing for the latest cybersecurity threats, trends, and expert insights.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this live webinar as we break down why email-layer defenses alone can't keep pace with the modern phishing ecosystem, how agentic AI is changing the capacity equation for security teams, and more.

Register

This year's summit will help organizations learn how to utilize tools, controls, and design models needed to properly secure cloud environments. Interact with leading solution providers and other end users facing similar challenges in securing a variety of cloud deployments.

Register

People on the Move

Solana Foundation has appointed Michael Coates as Chief Information Security Officer.

Michael Sikorski has joined Coinbase as Chief Information Security Officer.

WatchGuard has named Vincent Hwang as Chief Product Officer.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.