After investigating a number of issues with Symantec certificates, Mozilla joined Google in urging the antivirus vendor to temporarily hand over its certificate authority operations to another trusted organization.
Last week, Symantec announced a plan for sweeping changes within its certificate authority (CA) business following public criticism and warnings from Google and Mozilla. However, Mozilla this week found Symantec's proposal to remediate its certificate authority business to be lacking and posted its own remediation proposal, urging Symantec to essentially outsource its operations to another trusted certificate authority.
Mozilla's proposal comes after weeks of scrutiny from two of the three major web browsers. Google posted its first proposal, titled "Intent to Deprecate and Remove: Trust in Existing Symantec-issued Certificates," in March. It called for reducing the validity period for new Symantec certificates to nine months, revalidating and replacing all Symantec-issued certificates, and removing the Extended Validation (EV) status of Symantec-issued certificates for at least one year.
However, after meetings in April with Google, Symantec was offered an alternative plan, under which it would work together with one or more existing CAs that could take over and replace Symantec's problematic infrastructure and validation processes, while allowing Symantec to continue its business relationships with its customers.
"Chrome's second proposal suggested that Symantec stand up a new [public key infrastructure (PKI)], cross-signed by their existing roots. Actual issuance for this PKI would initially be contracted out by Symantec to another trusted CA or CAs, and then brought back in house later," wrote Gervase Markham, software engineer at Mozilla, in the new proposal.
"We feel that Google's second proposal to Symantec appropriately balances the need to minimize impact on the ecosystem with the need for Symantec to make a break with the past and re-establish trust in the future. So we would encourage Symantec to reconsider whether implementing it might be an option they could take, and are open to discussing that possibility with them," Markham wrote.
Use of audits is not enough
Mozilla's review of Symantec's comments and counterproposal mostly validated Mozilla's concerns over Symantec certificate issues, including worries about a heavy reliance on the use of audits.
Symantec's proposal calls for extensive use of third-party auditors to audit all active EV certificates; to audit all active certificates, as well as Symantec's remediation process; to increase frequency of audits to every three months until Symantec achieves four consecutive "clean" quarterly audits; and more.
"While audit has a place in managing CA behavior, it is difficult to use it as a process to restore trust; there are enough gaps in the audit regime (and things audits are not designed to opine about) that while Mozilla sees clean audits as a baseline requirement for being in our root program, we don't see them as a guarantor of appropriate conduct," Markham wrote. "Symantec, of all organizations, should know this after the issues they had with their [registration authority] program and its audits."
Mozilla's revised plan, at this point, is less onerous than the one Google first proposed in March.
-- Gervase Markham, software engineer at Mozilla
While Mozilla presented its own plan for Symantec certificates, the company urged Symantec to go with Google's proposal to avoid losing trust in its certificates. "Symantec should seriously consider Google's proposal for simplifying and restoring trust in their public PKI," Markham wrote.
If Symantec does not choose Google's proposal, Mozilla's proposal would require Symantec to "immediately come up with a plan, in short order, to cut off via intermediate revocation (which we will carry in OneCRL) all parts of their public PKI which issue certificates trusted by users of Mozilla's root store and are not [Baseline Requirement-compliant]," Markham wrote.
Once the plan is complete, Symantec would be required to prove it by providing "a full PKI diagram of the hierarchy under all of the roots it has in the Mozilla root program, including all sub-CAs and cross-signs, with annotations to show which are technically capable of issuing TLS certs, which are EV-enabled, and with evidence of appropriate audits for all the remaining connected pieces. This will not be a simple document -- but then, an inability to produce such a thing in a reasonable timeframe would be further reinforcement of the idea that Symantec is not in control of the scope of its PKI."
Mozilla's plan would also cap the maximum lifetime of newly issued Symantec certificates at 13 months, and gradually bring the remaining lifetime of existing certificates down to 13 months as well.
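Two of the demands above are mechanically checkable by anyone holding the certificates: which CA certificates in a hierarchy are technically capable of issuing TLS certificates (and how sub-CAs and cross-signs connect to the roots), and whether end-entity lifetimes fit within 13 months. The Go program below is an added example, not code from Mozilla, Symantec or the proposal under discussion. It builds a small constructed PKI (two roots, one sub-CA key signed by both roots as a cross-sign, an email-only sub-CA, and two leaves with 13- and 39-month validity), recovers issuer edges by verifying signatures rather than by matching names, and annotates each certificate. The "technically capable" test is a simplification (CA:TRUE plus an EKU that is absent or includes serverAuth); the root program's real definition also takes name constraints into account, which this example does not model. All names, keys and dates are made up.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// tlsCapable is a simplified "technically capable of issuing TLS certs" test: CA:TRUE
// plus an EKU that is absent or includes serverAuth/anyExtendedKeyUsage. Assumption:
// name constraints and path-length limits are not modelled here.
func tlsCapable(c *x509.Certificate) bool {
	if !c.BasicConstraintsValid || !c.IsCA {
		return false
	}
	for _, eku := range c.ExtKeyUsage {
		if eku == x509.ExtKeyUsageServerAuth || eku == x509.ExtKeyUsageAny {
			return true
		}
	}
	return len(c.ExtKeyUsage)+len(c.UnknownExtKeyUsage) == 0 // no EKU at all: unconstrained
}

// withinMonths reports whether the validity period is at most `months` long.
func withinMonths(c *x509.Certificate, months int) bool {
	return !c.NotAfter.After(c.NotBefore.AddDate(0, months, 0))
}

// issuersOf recovers parent edges by verifying signatures rather than matching names,
// so children of a cross-signed sub-CA key get one parent per cross-sign.
func issuersOf(c *x509.Certificate, pool []*x509.Certificate) []*x509.Certificate {
	var parents []*x509.Certificate
	for _, p := range pool {
		if !bytes.Equal(p.Raw, c.Raw) && c.CheckSignatureFrom(p) == nil {
			parents = append(parents, p)
		}
	}
	return parents
}

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// issue signs a certificate for pub; parent == nil yields a self-signed root.
func issue(cn string, isCA bool, months int, eku []x509.ExtKeyUsage,
	parent *x509.Certificate, signer *ecdsa.PrivateKey, pub *ecdsa.PublicKey) *x509.Certificate {
	start := time.Date(2017, 5, 1, 0, 0, 0, 0, time.UTC) // constructed date for the demo
	tmpl := &x509.Certificate{
		SerialNumber:          must(rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 62))),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             start,
		NotAfter:              start.AddDate(0, months, 0),
		BasicConstraintsValid: true,
		IsCA:                  isCA,
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           eku,
	}
	if isCA {
		tmpl.KeyUsage = x509.KeyUsageCertSign | x509.KeyUsageCRLSign
	}
	if parent == nil {
		parent = tmpl
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer))
	return must(x509.ParseCertificate(der))
}

// buildDemoPKI builds the constructed hierarchy: [0,1] roots, [2,3] one TLS sub-CA key
// signed by each root (a cross-sign), [4] an email-only sub-CA, [5] a 13-month leaf,
// [6] a 39-month leaf. Names, keys and dates are all made up for this example.
func buildDemoPKI() []*x509.Certificate {
	newKey := func() *ecdsa.PrivateKey { return must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader)) }
	rootAKey, rootBKey, subKey, mailKey, leafKey := newKey(), newKey(), newKey(), newKey(), newKey()
	serverAuth := []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	emailOnly := []x509.ExtKeyUsage{x509.ExtKeyUsageEmailProtection}
	rootA := issue("Demo Root A", true, 240, nil, nil, rootAKey, &rootAKey.PublicKey)
	rootB := issue("Demo Root B", true, 240, nil, nil, rootBKey, &rootBKey.PublicKey)
	subA := issue("Demo TLS Sub-CA", true, 120, nil, rootA, rootAKey, &subKey.PublicKey)
	subB := issue("Demo TLS Sub-CA", true, 120, nil, rootB, rootBKey, &subKey.PublicKey)
	mail := issue("Demo Email Sub-CA", true, 120, emailOnly, rootA, rootAKey, &mailKey.PublicKey)
	okLeaf := issue("ok.example", false, 13, serverAuth, subA, subKey, &leafKey.PublicKey)
	longLeaf := issue("long.example", false, 39, serverAuth, subA, subKey, &leafKey.PublicKey)
	return []*x509.Certificate{rootA, rootB, subA, subB, mail, okLeaf, longLeaf}
}

func main() {
	pool := buildDemoPKI()
	for _, c := range pool {
		fmt.Printf("%-18s CA=%-5t tlsCapable=%-5t within13mo=%-5t parents=%d\n",
			c.Subject.CommonName, c.IsCA, tlsCapable(c), withinMonths(c, 13), len(issuersOf(c, pool)))
	}
}
```

Run it with `go run .`; the two leaves report two parents because the same sub-CA key is certified by both roots, the email-only sub-CA is flagged as not TLS-capable even though it is a CA, and only the 13-month leaf passes the lifetime check. To apply the same checks to a real hierarchy, replace buildDemoPKI with PEM certificates parsed via x509.ParseCertificate.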
Symantec Extended Validation certificates no longer an issue
The news from Mozilla was not all bad for Symantec. Mozilla noted that, while issuance of Extended Validation certificates had proven problematic in the past, Symantec had already taken action to regain control over EV certificate issuance.
"The loss of control of EV issuance (via sub-CAs uncontrolled by Symantec in the [federal PKI program]) was serious," Markham wrote. "However, the risk has now been eliminated, and no existing Symantec EV certificates are affected. Therefore, if we are basing the presence or absence of EV status solely on the quality of EV vetting (and that is not a given), the removal of EV status seems unwarranted."
Mozilla offered its proposal for comment and discussion until May 8, 2017. The final decision on Mozilla's response to Symantec's certificate authority issues rests with Kathleen Wilson, program manager at Mozilla and the module owner of the CA Certificates Module.