During July last year, the Google Chrome team, together with the PKI community diverged a strategy to not only reduce, but also to remove confidence in Symantec’s current certificates. During the previous 18 months, Google has repeatedly opposed the way that Symantec issues TLS (Transport Layer Security) certificates, with Symantec pledging to do better. This followed various incidents implemented by Symantec Corporation’s PKI businesses, who issued several dubious authentication certificates that did not meet the obligations of the CA/Browser Forum Baseline requirements.
The Symantec Corporation, operating various Certificate Authorities, under numerous brand names, including RapidSSL, GeoTrust, Equifax, VerisSign and Thawte were subject to an investigation, which concluded that Symantec has assigned various organisations with the capability of issuing certificates, without the necessary or appropriate management, even though they had been conscious of these security shortcomings for some time. This was brought to the attention of the public following a posting to the newsgroup, mozzila.dec.security.policy.
Plan to uphold users’ privacy and security
The PKI community and the Google Chrome Team diverged their plan at the end of July 2017, to not only decrease, but also to finally remove, trust in Symantec’s organisation, in order to sustain privacy and security for any users browsing the web. Following a significant debate by members of the blink-dev forum, they devised a plan which would allow sufficient time to transition to a Managed Partner Infrastructure that would operate independently, allowing Symantec time to redesign and modernise its organisation, to comply with industry standards. So commenced the timeline to achieve this goal, detailing when site administrators may require new certificates.
Operations teams, network administrators and security teams have busy times ahead, with the process detailed in 3 clear-cut phases:
- After December 2017 – No trust in any certificates issued from Symantec’s legacy infrastructure.
- Prior to June 2016 – No trust in any certificates issued from Symantec’s legacy infrastructure
- No trust in any certificates issues from Symantec’s legacy infrastructure
The first phase will roll out on March 15, 2018 with Chrome Beta Version 66. Following this, Chrome 70 will release around October 23, 2018, which will totally remove trust in Symantec’s old infrastructure and any previous certificates issued by them.