Submitted via IRC for TheMightyBuzzard
Google announced in March its intent to stop trusting all Symantec-issued digital certificates due to the certificate authority's failure to play by the rules. Symantec, its subsidiaries and its partners had been accused of making too many exceptions from Baseline Requirements (BR) in favor of their customers.
The developer of the Chrome web browser initially proposed the reduction of the validity period for newly issued Symantec certificates to nine months or less, gradual distrust and replacement of all existent certificates, and the removal of extended validation (EV) status for Symantec certificates.
[...] After some debate, Google made a second proposal that involves Symantec partnering with one or more existing CAs and using their infrastructure and validation process. Symantec would still handle business relations with customers and all CAs would be cross-signed by the company.
[...] Mozilla has advised Symantec to accept Google's second proposal and said it's open to discussing its implementation. However, if Symantec refuses, Mozilla may take alternative action to "reduce the risk from potential past and future mis-issuances by Symantec, and to ensure future compliance with the BRs and with other root program requirements."
Source: http://www.securityweek.com/mozilla-tells-symantec-accept-googles-ca-proposal
(Score: 0) by Anonymous Coward on Friday May 05 2017, @03:08AM
Yes, if there were no intermediate certs, the CAs would be a lot more careful about what they sign. That would increase my level of trust.