
Peace in our time! Symantec says it can end Google cert spat

It's basically a promise to do better and not mess things up

Symantec is hoping to get its certificates back on Google's trust list.

In March, an ongoing spat between the two companies came to a head. After a scandal in 2015 over three certs issued by Symantec subsidiary Thawte, the number grew to 23, then 164, then 2,458 within a month.

Google decided in December 2015 to distrust the company's 'Class 3 Public Primary CA' root certificate.

Things went quiet for a while, but in January Google started another investigation, turned up an alleged 30,000 dodgy certs, and decided to sin-bin Symantec.

To stave off disaster, Symantec has put forward another proposal to put things right, published here.

Saying it wants a “collaborative process” (rather than leaving the Chocolate Factory in charge of the guillotine), Symantec's Roxane Divol, executive veep and general manager at Symantec Website Security, says a fix requires “understanding the needs of all parties”.

The key actions Symantec proposes are:

  • Rather than have Chrome remove Extended Validation status from Symantec certs, the company offers a third-party audit of all its EV certs, to be completed by August 31, 2017;
  • Another third-party audit will cover all active certificates issued by partners, including CrossCert, Certisign, Certsuperior and Certisur;
  • A third WebTrust audit will cover December 1, 2016 to May 31, 2017, and after that, Symantec will conduct WebTrust audits quarterly;
  • Audits will be reported quarterly;
  • “We will work through the CA/B forum to recommend new (or where applicable, updated) guidelines for appropriate customer exception requests to baseline requests”, the post states; and
  • Symantec promises to get the lead out of its pants when responding to the browser community's concerns.

The company also says it's going to offer SSL/TLS certs with three-month validity; it will run a domain validation of all certificates valid longer than nine months (at no extra cost to customers); and it promises to improve its back-end processes.

The company says that with these actions it hopes to avoid the inconvenience that would befall embedded systems and mobile apps with pinned certificates, and the disruption to enterprise apps chained to Symantec roots. ®
