Peace in our time! Symantec says it can end Google cert spat

It's basically a promise to do better and not mess things up


Symantec is hoping to get its certificates back on Google's trust list.

In March, an ongoing spat between the two companies came to a head. After a scandal in 2015 over three certs issued by Symantec subsidiary Thawte, the tally of dodgy certs grew to 23, then 164, then 2,458 within a month.

Google decided in December 2015 to distrust the company's 'Class 3 Public Primary CA' root certificate.

Things went quiet for a while, but in January Google started another investigation, turned up an alleged 30,000 dodgy certs, and decided to sin-bin Symantec.

To stave off disaster, Symantec has put forward another proposal to put things right, published here.

Saying it wants a “collaborative process” (rather than leaving the Chocolate Factory in charge of the guillotine), Symantec's Roxane Divol, executive veep and general manager at Symantec Website Security, says a fix requires “understanding the needs of all parties”.

The key actions Symantec proposes are:

  • Rather than have Chrome remove Extended Validation status from Symantec certs, the company offers a third-party audit of all its EV certs, to be completed by August 31, 2017;
  • Another third-party audit will cover all active certificates issued by partners, including CrossCert, Certisign, Certsuperior and Certisur;
  • A third WebTrust audit will cover December 1, 2016 to May 31, 2017, and after that, Symantec will conduct WebTrust audits quarterly;
  • Audits will be reported quarterly;
  • “We will work through the CA/B forum to recommend new (or where applicable, updated) guidelines for appropriate customer exception requests to baseline requests”, the post states; and
  • Symantec promises to get the lead out of its pants when responding to the browser community's concerns.

The company also says it's going to offer SSL/TLS certs with three-month validity; it will run a domain validation of all certificates valid longer than nine months (at no extra cost to customers); and it promises to improve its back-end processes.

The company says with these actions, it hopes to avoid the inconvenience that would befall embedded systems and mobile apps with pinned certificates, and disruption to enterprise apps chained to Symantec roots. ®
