Mozilla offers its opinion on the Symantec-Google certificate issue
May 3, 2017
We learned today that Mozilla has offered its opinion in the ongoing Symantec-Google certificate debate, telling Symantec it should follow Google's advice on how to restore trust in its SSL certificates.
You might recall that Symantec has repeatedly issued SSL certificates that didn't ring true with browser makers, and at the end of April Google started a countdown, at the conclusion of which its Chrome browser would warn users whenever it encountered Symantec's almost bogus certificates.
Symantec offered up a remediation plan, mostly based on putting auditors through the process... But it looks like that's not enough for Mozilla. To say that the situation is escalating would be an understatement.
Mozilla developer Gervase Markham has posted a note to Symantec on Google Docs. In it, Mozilla strongly suggests that Symantec take a deep breath and swallow the bitter pills that Google has prescribed.
Chief among Google's suggestions is that Symantec work with one or more existing certificate authorities (CAs) to take over its weakened infrastructure and rework its key validation processes.
That would relegate Symantec to more or less classic reseller status, letting it maintain its customer relationships but relieving it of its most basic responsibility for ongoing internet security operations.
The alternative, Markham writes, is for Symantec to:
The underlying message of Mozilla's opinion is that it doesn't feel Symantec realizes just how serious its issues are. As Markham asserts, Symantec has not adequately demonstrated that it has fully understood the seriousness of the security issues presented, and its proposed measures mostly amount to doing no more than what has not succeeded in producing consistent high standards in the recent past.
The reason isn't wrongdoing. It's simply that Symantec seems to have lost control of its intermediaries, suggested Markham.
Source: The Mozilla Foundation.