Google and Symantec approaching a resolution
7 June 2017
Last March, Google announced to take measures against Symantec, affecting SSL certificates issued by Symantec in Google Chrome. On May 19, a collective proposal has been published, reducing risk for users of Symantec certificates as well as retaining Google Chrome users’ safety.
Since the end of May, many conversations have been held regarding the proposals. The entire discussion can be read on the Google Forum. Google’s previous proposal contained many limitations, such as not ‘trusting’ existing certificates issued by Symantec brands and showing Symantec EV certificates as domain validation certificates - without a company name and green address bar.
What has been revised in the new proposal?
The new proposal contains certain revised measures in place of previously determined ones. Symantec will have to co-operate with another certificate authority, keeping an eye on their validation and issuing process. In the meantime, Symantec will have time to revise policies as needed, without Symantec customers and users noticing any disruption.
- The proposal applies to all Symantec brands, including GeoTrust and Thawte;
- From August 8, 2017, all new Symantec certificates will be issued by a ‘managed CA’. It’s not known which certificate authority this will be yet. From February 1, 2018, issuing certificates will be the managing CA’s responsibility as well aside from only validation.
- In order to take advantage of proper browser support, Symantec certificates will be cross-signed by Symantec.
EV certificaten retain their green address bar
By making use of a managed CA, Symantec certificates won’t be limited or restricted in terms of removing EV features such as the green address bar or reducing certificate duration. Aside from this, keep the following points in mind:
- Existing certificates issued before June 1, 2016, must be replaced. Starting from Chrome version 62 (planned for August 2017) these outdated SSL certificates will no longer be trusted.
- Existing certificates issued after June 1, 2016, do not need to be replaced as they will still be valid. Furthermore, their duration won’t be limited.
What will Symantec improve?
Symantec is going to renew and revise their internal PKI systems and procedures for issuing SSL certificates. Audits and reports will be shared and publicly available. New root certificates will be used as well. The partner (‘managed’) CA is going to maintain the issuance process until the new Symantec root certificates will be trusted.
In other words, not only Symantec’s progress will determine how long it will take to get things back on track, but browsers’ root programs speed will too.
What happens next?
Short-term replies by Symantec and Google are expected. Most likely, both organisations will attempt to make a few changes to this proposal, even though nothing is known about the partner CA Symantec will be working with yet.