Mozilla takes a turn slapping Symantec's certification SNAFU

Take Google's advice and get out of CA infrastructure

By Richard Chirgwin

Posted in Security, 3rd May 2017 05:27 GMT

Mozilla has weighed in to the ongoing Symantec-Google certificate spat, telling Symantec it should follow the Alphabet subsidiary's advice on how to restore trust in its certificates.

Readers will recall that Symantec has repeatedly issued certs that didn't ring true with browser-makers and at the end of April 2017 Google started a countdown, the conclusion of which would see its Chrome browser warn users if it encountered Symantec certs.

Symantec offered up a remediation plan, mostly based on putting auditors through the joint. But it looks like that's not sufficient for Mozilla.

UK-based Mozilla developer Gervase Markham has posted his note to Symantec at Google Docs here.

Mozilla strongly suggests that Symantec take a deep breath and swallow the bitter pills that Doctor Google has prescribed here.

Chief among Google's suggestions is that Symantec work with one or more existing certificate authorities (CAs) to take over its troubled infrastructure and rework its validation processes.

That would relegate the company to more-or-less reseller status, letting it maintain its customer relationships but relieving it of responsibility for ongoing operations.

The alternative, Markham writes, is for Symantec to clean up and document the extent of its publicly-trusted PKI and “cut off parts” that don't comply with the CA/Browser Forum's Baseline Requirements. Alongside that, Mozilla would:

  • “restrict newly-issued Symantec certificates to a maximum validity period of 13 months”; and
  • over time, Markham says, also reduce the lifetime of existing Symantec certificates to 13 months.
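For an operator wanting to see which certificates in their own inventory such a cap would catch, here is an added check that is not from the article, from Mozilla or from Google. It assumes the cap means 13 calendar months from notBefore, that the inventory has already been extracted into plain records, and that the cutoff date and issuer strings are constructed for illustration.

```python
import calendar
from datetime import date

MAX_VALIDITY_MONTHS = 13  # the cap Mozilla proposed for newly issued Symantec certs


def add_months(d: date, months: int) -> date:
    """Advance a date by whole calendar months, clamping the day to the target month's length."""
    month_index = d.month - 1 + months
    year = d.year + month_index // 12
    month = month_index % 12 + 1
    day = min(d.day, calendar.monthrange(year, month)[1])
    return date(year, month, day)


def exceeds_validity_cap(not_before: date, not_after: date, max_months: int = MAX_VALIDITY_MONTHS) -> bool:
    """True when notAfter lies beyond notBefore plus max_months calendar months (assumed reading of the cap)."""
    return not_after > add_months(not_before, max_months)


def audit(inventory, cutoff: date, issuer_substring: str = "Symantec"):
    """Return subjects of certs issued on or after `cutoff` by a matching issuer whose validity exceeds the cap.

    Certs issued before the cutoff are skipped: the article describes their lifetime being
    reduced gradually rather than cut off at once, so they are out of scope for this check.
    """
    flagged = []
    for cert in inventory:
        if issuer_substring not in cert["issuer"]:
            continue
        if cert["not_before"] < cutoff:
            continue
        if exceeds_validity_cap(cert["not_before"], cert["not_after"]):
            flagged.append(cert["subject"])
    return flagged


# Constructed sample inventory; issuer names and hostnames are placeholders, not real certificates.
SAMPLE_INVENTORY = [
    {"subject": "www.example.net", "issuer": "Symantec (constructed)",
     "not_before": date(2017, 6, 1), "not_after": date(2018, 7, 1)},   # exactly 13 months: allowed
    {"subject": "api.example.net", "issuer": "Symantec (constructed)",
     "not_before": date(2017, 6, 1), "not_after": date(2018, 7, 2)},   # one day over: flagged
    {"subject": "old.example.net", "issuer": "Symantec (constructed)",
     "not_before": date(2016, 1, 15), "not_after": date(2019, 1, 15)},  # pre-cutoff: skipped
    {"subject": "other.example.net", "issuer": "Example CA (constructed)",
     "not_before": date(2017, 6, 1), "not_after": date(2020, 6, 1)},   # other issuer: skipped
]

if __name__ == "__main__":
    print(audit(SAMPLE_INVENTORY, date(2017, 6, 1)))  # prints ['api.example.net']
```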

Why so harsh? The core of Mozilla's argument is that it just doesn't feel Symantec grasps how serious its issues are. As Markham writes, Mozilla does not believe Symantec “adequately demonstrates that they have grasped the seriousness of the issues here, and that their proposed measures mostly amount to doing more of what, in the past, has not succeeded in producing consistent high standards.”

The reason, Markham writes, isn't wrongdoing (so “we are not in StartCom/WoSign territory”), it's simply that Symantec seems to have lost control of its intermediaries. ®
