Stories
Slash Boxes
Comments

SoylentNews is people

Mozilla Tells Symantec to Accept Google's CA Proposal

posted by martyb on Thursday May 04 2017, @04:32PM   Printer-friendly
from the Symantec's-antics dept.

MrPlow writes:

Submitted via IRC for TheMightyBuzzard

Google announced in March its intent to stop trusting all Symantec-issued digital certificates due to the certificate authority's failure to play by the rules. Symantec, its subsidiaries and its partners had been accused of making too many exceptions from Baseline Requirements (BR) in favor of their customers.

The developer of the Chrome web browser initially proposed the reduction of the validity period for newly issued Symantec certificates to nine months or less, gradual distrust and replacement of all existent certificates, and the removal of extended validation (EV) status for Symantec certificates.

[...] After some debate, Google made a second proposal that involves Symantec partnering with one or more existing CAs and using their infrastructure and validation process. Symantec would still handle business relations with customers and all CAs would be cross-signed by the company.

[...] Mozilla has advised Symantec to accept Google's second proposal and said it's open to discussing its implementation. However, if Symantec refuses, Mozilla may take alternative action to "reduce the risk from potential past and future mis-issuances by Symantec, and to ensure future compliance with the BRs and with other root program requirements."

Source: http://www.securityweek.com/mozilla-tells-symantec-accept-googles-ca-proposal

Original Submission

 
This discussion has been archived. No new comments can be posted.
Mozilla Tells Symantec to Accept Google's CA Proposal | Log In/Create an Account | Top | 15 comments | Search Discussion
Display Options Threshold/Breakthrough Mark All as Read Mark All as Unread
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.

  • (Score: 3, Insightful) by bradley13 on Thursday May 04 2017, @06:07PM (3 children)

    by bradley13 (3053) on Thursday May 04 2017, @06:07PM (#504450) Homepage Journal

    Still, they should have been distrusted (detrusted?). If it nukes a third of the Internet, then it does - any place that matters would replace their cert within a day. Heck, give customers a week's warning, and the effect would be negligible.

    Google is being far too nice.

    --
    Everyone is somebody else's weirdo.
    Starting Score:    1  point
    Moderation   +1  
       Insightful=1, Total=1
    Extra 'Insightful' Modifier   0  
    Karma-Bonus Modifier   +1  
    Total Score:   3  

  • (Score: 2) by zocalo on Thursday May 04 2017, @06:32PM (2 children)

    by zocalo (302) on Thursday May 04 2017, @06:32PM (#504465)
    I suspect that will be the next step if Symantec doesn't bite the bullet on Google's proposal. Mozilla has already demonstrated that they are not above effectively killing a major CA with their handling of the similar failure to follow the Baseline Requirements with WoSign/StartCom. That they are siding with Google on this should be all the wake-up that Symantec needs; it might be painful, but it's still a major lifeline compared to the alternative approach that was used on WoSign/StartCom, and that time based de-trusting approach could absolutely be used on Symantec if they don't up their game.
    --
    UNIX? They're not even circumcised! Savages!

    • (Score: 2) by edIII on Thursday May 04 2017, @07:28PM (1 child)

      by edIII (791) on Thursday May 04 2017, @07:28PM (#504496)

      I can't imagine why Symantec wouldn't take the deal. Considering what has happened, they are being allowed to *continue* to service the customer accounts, take money, and basically operate.

      This is forced outsourcing if anything, and a 3rd party company saying we're going to help with the Q&A and cross sign your certs. They failed at the core business of a CA, and now have others helping them.

      I'm reminded of Deadpool here:

      Fellas! Hey! Hey! You only work for that shit-spackled muppet fart. So, I'mma give you a chance for y'all to lay down your firearms... in exchange for preferential,bordering on gentle... possibly even lover-like treatment...

      They're being allowed to live and make money. That's pretty damn gentle lover-like treatment to me :)

      --
      Technically, lunchtime is at any moment. It's just a wave function.

      • (Score: 2) by zocalo on Thursday May 04 2017, @09:30PM

        by zocalo (302) on Thursday May 04 2017, @09:30PM (#504541)
        Nor can I, but Symantec has been "advised" to clean up its act (or rather its partner's and reseller's acts) on BR adherance on previous occasions and failed to do anything about it, so now Google and Mozilla are basically adding an "or else" to the advice, so it's really a matter of how stubborn they are going to be. Symantec is probably fortunate that Google is on point with this, because Mozilla's track record on such half-assed adherance to the BR and failure to fix problems is nothing like as lenient and they'd have probably gone straight for a WoSign-style phased revocation of the problem certificates when Symantec declined the first proposed solution. Still, between Android and Chrome's marketshare dominance, plus the number of third parties that use Mozilla's trust DB (including most *NIX systems), it's pretty obvious that Symantec doesn't have a strong hand to play with so holding out for an even better deal probably won't end well for them.
        --
        UNIX? They're not even circumcised! Savages!