[OffTopic] Intent to Deprecate and Remove: Trust in existing Symantec-issued Certificates


#1

Hi,

Not related to Let’s Encrypt, but I think it is worth taking a look at this issue, as Chromium is decreasing its trust in existing Symantec certificates.

[Chromium group]
https://groups.google.com/a/chromium.org/forum/#!topic/blink-dev/eUAKwjihhBs

[BoingBoing post]

[ArsTechnica post]

Bad news for Symantec certificate customers… well, Symantec, GeoTrust, Thawte, VeriSign, etc., all of them part of Symantec.

Cheers,
sahsanu
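A quick way to answer "am I affected?" for your own inventory, added here as an example (it is not code from the post, from Chromium or from Let’s Encrypt): the checker below works on the dict shape that the standard library's `ssl.SSLSocket.getpeercert()` returns, so it runs offline against the constructed sample certificates embedded in it, and `fetch_peer_cert()` feeds it a live host's leaf certificate when you have network access. The brand list (Symantec, GeoTrust, Thawte, VeriSign) is the one named above; matching those brands against the issuer's `organizationName` is this example's own assumed heuristic, not an official Chromium criterion, and the sample subjects, issuers and dates are made up.

```python
import socket
import ssl
import time

# Issuer organizations belonging to the Symantec CA business. The brand list is
# the one named in the post; matching organizationName substrings is this
# example's own (assumed) heuristic, not an official Chromium criterion.
SYMANTEC_BRANDS = ("symantec", "geotrust", "thawte", "verisign")


def name_attr(name, attr):
    """Pull one attribute (e.g. organizationName) out of a getpeercert()
    subject/issuer field: a tuple of RDNs, each a tuple of (type, value)."""
    for rdn in name:
        for key, value in rdn:
            if key == attr:
                return value
    return ""


def is_symantec_issued(cert):
    """True if the issuer's organizationName matches one of the brands."""
    org = name_attr(cert.get("issuer", ()), "organizationName").lower()
    return any(brand in org for brand in SYMANTEC_BRANDS)


def days_remaining(cert, now=None):
    """Days until notAfter; negative once the certificate has expired."""
    now = time.time() if now is None else now
    return (ssl.cert_time_to_seconds(cert["notAfter"]) - now) / 86400.0


def assess(cert, now=None):
    """Verdict an operator can act on: who issued it, whether it is in the
    affected population, and how long it has left."""
    return {
        "subject": name_attr(cert.get("subject", ()), "commonName"),
        "issuer": name_attr(cert.get("issuer", ()), "organizationName"),
        "symantec_issued": is_symantec_issued(cert),
        "days_remaining": int(days_remaining(cert, now)),
    }


def affected(certs, now=None):
    """Subset of an inventory that chains to a Symantec brand, with the
    certificates that have the least time left listed first."""
    hits = [assess(c, now) for c in certs if is_symantec_issued(c)]
    return sorted(hits, key=lambda a: a["days_remaining"])


def fetch_peer_cert(host, port=443, timeout=5.0):
    """Fetch a live host's leaf certificate as a getpeercert() dict (needs
    network access; the offline samples below use the same shape)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert()


# Constructed samples (not real certificates) in the getpeercert() dict shape.
SAMPLE_SYMANTEC = {
    "subject": ((("commonName", "www.example.test"),),),
    "issuer": (
        (("countryName", "US"),),
        (("organizationName", "Symantec Corporation"),),
        (("commonName", "Sample Symantec Intermediate CA (constructed)"),),
    ),
    "notBefore": "Mar 24 00:00:00 2017 GMT",
    "notAfter": "Dec 31 23:59:59 2017 GMT",
}

SAMPLE_LETSENCRYPT = {
    "subject": ((("commonName", "api.example.test"),),),
    "issuer": (
        (("countryName", "US"),),
        (("organizationName", "Let's Encrypt"),),
        (("commonName", "Sample Let's Encrypt Intermediate (constructed)"),),
    ),
    "notBefore": "Mar 24 00:00:00 2017 GMT",
    "notAfter": "Jun 22 00:00:00 2017 GMT",
}


if __name__ == "__main__":
    # Offline run over the constructed samples; swap in fetch_peer_cert(host)
    # results to inventory real servers.
    for verdict in affected([SAMPLE_SYMANTEC, SAMPLE_LETSENCRYPT]):
        print(verdict)
```

The check deliberately looks at the issuer of the leaf certificate only, which is what `getpeercert()` exposes; a cross-signed intermediate could still chain to a Symantec root while carrying another organization name, so treat a negative result as "not obviously affected" rather than a clean bill.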


#2

Puts on his tin foil hat:

Could it have anything to do with Google starting its own CA?


#3

Could it have anything to do with Google starting its own CA?

Probably has more to do with Symantec failing to live up to the CA Browser Forum Baseline Requirements.


#4

They are starting with EV certs, so those customers will be pissed. Paying extra for certs and not getting the trust in 60% of the browsers used.

Wonder how many times we will need to explain that there are no EV certificates from LE.


#5

But is that really true? Independent source?


#6

But is that really true? Independent source?

No independent source needed. Symantec is the source for:

  • Certificates they never should have issued (signed by Symantec, non-repudiation and all that)
  • Required audit reports they can’t produce

#7

The initial discussion of their policy violations happened on mozilla.dev.security.policy.

I think an ulterior motive is a bit far-fetched here. Their CA does not currently issue certificates to the general public, and I would expect if it ever does, it would be something along the lines of Amazon’s ACM, i.e. a free add-on to their cloud offerings and other products that support custom domains. They’re a platinum sponsor of Let’s Encrypt. They’re also not big fans of EV (their CA doesn’t have EV status either) and likely realize that there’s not a whole lot of money to be made with DV nowadays.

The decision seems reasonable to me. Symantec were caught issuing test certificates for domains they didn’t own a couple of years ago. This included some high-value domains like google. They were caught and Google decided to require CT for all Symantec-issued certificates, in addition to asking Symantec to ensure something similar can’t happen again.

Something similar obviously did happen given the recently-discovered test certificates. Additionally, in the course of the investigation, it became obvious that various Registration Authorities were not sufficiently audited and trained. I can sympathise with the fact that Symantec is the oldest CA around (if you include their various acquisitions) and is dealing with a lot of legacy issues because of that, but if you contrast that with the work done by other CAs like DigiCert after their acquisition of another ancient root CA, it becomes clear that Symantec shouldn’t be trusted with the closest thing we have to the keys to the internet.

