Google intends to deprecate Symantec CA-issued certificates

Mar 27, 2017 00:43 GMT

Symantec is trying to reassure its CA customers that the situation with Google isn't as bad as it seems.

In a message sent out to customers, Symantec is trying to downplay Google's intended "punishment" for the certificate issuer.

The tech giant announced last week that it was planning to stop recognizing the extended validation status of all certificates issued by Symantec-owned certificate authorities in Chrome, with the changes to take effect immediately. The decision came after the company conducted an investigation and discovered that at least 30,000 certificates, issued over several years, could have been mis-issued.

"This is also coupled with a series of failures following the previous set of mis-issued certificates from Symantec, causing us to no longer have confidence in the certificate issuance policies and practices of Symantec over the past several years," Google explained.

At this point this is only a proposal, but if it is implemented, a large number of websites will suffer, including the likes of PayPal.

Downplaying the impact

For its part, Symantec seeks to reassure customers that they can continue to trust their SSL/TLS certificates, reasoning that Google has so far outlined only proposals, not actions, and that Symantec intends to object to them.

"In the event Google implements its proposal, Symantec will ensure your websites, webservers or web applications continue to work across browsers. Specifically, this may require Symantec to reissue your certificates, which we would do as needed, at no charge to you, to meet the fully expected validity period," writes Symantec's VP & GM for Website Security, Roxane Divol.

"In addition, Google’s proposal requires shorter validity certificates, which we would support. We anticipate Google may attempt to impose this shorter validity period on the entire industry, as they have previously tried to do so through an initiative at the CA/Browser forum that was voted down. Shorter certificate validity periods increase customer expense, which we are working to reduce by making considerable investments in automation," she adds.

The company goes on to say that Google's claim that it mis-issued 30,000 certificates is not true, referring instead to the event in January in which 127 certificates were identified as mis-issued by a third party. What it avoids saying is that the January report prompted Google to conduct its own investigation, which arrived at the new figure of 30,000 certificates.

Safety problem

In the same forum, Google's Chromium experts carried on with the discussion and explained that the issue with these certificates stemmed from improperly supervised delegated third parties. However, Google's inability to technically identify these certificates, or to independently verify that the problems were limited to them, led it to treat them as a security risk.

Google's Ryan Sleevi explains that Symantec has already terminated its relationship with these partners regarding new certificate issuance, so Google has some level of trust that any new certificates would follow its policies and practices.

"This proposal attempts to restore that trust to the sufficient and necessary level, by describing a process and set of changes that can be made to Chrome to provide a sufficient level of assurance, and to mitigate further risks should that trust be found to be misplaced," Sleevi explains.