Google may distrust third of Web SSL certs in Symantec spat
27 March 2017

The reason for this unprecedented punishment seems to be repeated incidents of mis-issued certificates at Symantec that have come to light over the past few years, some of which the company failed to identify on its own despite internal and external audits. The latest case was uncovered this year and involved 127 certificates issued with bogus information or without proper domain ownership verification by a Symantec partner that operated as a registration authority (RA).

Disputed numbers
According to Google, that investigation calls into question the validity of at least 30,000 certificates issued by Symantec partners over a period spanning several years. However, Symantec disputes that number.

“Symantec allowed at least four parties access to their infrastructure in a way to cause certificate issuance, did not sufficiently oversee these capabilities as required and expected, and when presented with evidence of these organisations’ failure to abide to the appropriate standard of care, failed to disclose such information in a timely manner or to identify the significance of the issues reported to them,” Google’s Ryan Sleevi said in a post on the Chrome development mailing list.

This and past incidents have led Google to “no longer have confidence in the certificate issuance policies and practices of Symantec over the past several years,” Sleevi said.

Symantec strongly objected to Google’s plan and criticised its publication. It also described Google’s remarks about the company’s past mis-issuances as “exaggerated and misleading.”

‘Irresponsible’
“This action was unexpected, and we believe the blog post was irresponsible,” the company said in a blog post. “We hope it was not calculated to create uncertainty and doubt within the Internet community about our SSL/TLS certificates.”

The claim about the 30,000 certificates is not true and the 127 certificates that have been confirmed as mis-issued did not result in any consumer harm, Symantec said, adding that the relationship with the partner responsible for the incident has been terminated and that its entire RA program has been discontinued.

“While all major CAs have experienced SSL/TLS certificate mis-issuance events, Google has singled out the Symantec Certificate Authority in its proposal even though the mis-issuance event identified in Google’s blog post involved several CAs,” Symantec said.

Minimising disruption
The company will work to minimise any potential disruption caused by Google’s proposal if it goes forward, but is open to discussing the matter with Google and finding a mutually agreed-on solution.

Meanwhile, Mozilla, which manages its own root certificate program, is also considering sanctions for Symantec and might have to align them with Google’s.

“Now that Google have announced their action, it is unavoidable to note that it can be preferable for two root stores considering action against a CA to take broadly parallel approaches, so that the CA is not doubly penalised for the same actions,” Mozilla’s Gervase Markham wrote on the organisation’s security policy mailing list.

However, Markham noted that Google’s plan is “at the strong end” of the options he was considering and that calibrating the level of response, which has to take into account previous precedents and sanctions against other CAs, is a difficult process.

IDG News Service

TechCentral.ie