While Symantec and the web browser community continue to negotiate solutions to Symantec's certificate authority problems, the two sides still appear to be far apart.
Symantec recently pushed back against Mozilla's plans for the certificate authority (CA) giant to restore trust in its public key infrastructure, objecting to virtually all of Mozilla's proposed additions. Symantec said it cannot meet Mozilla's timetable for the plan, but the vendor did not offer an alternative schedule. The consensus plan, backed by Mozilla and Google, is intended to provide a framework under which Symantec certificates will be allowed to remain in trusted browser stores.
Under the consensus plan, the Symantec CA must rebuild its public key infrastructure (PKI) from scratch as a result of numerous certificate misissuances, as well as other irregularities uncovered since 2015, but the CA giant made it clear that it will not be able to meet Mozilla's Aug. 8 deadline for a new PKI -- or for turning over its operations to one or more third-party CAs capable of issuing certificates on behalf of Symantec until it can run its own operations.
Mozilla developer Gervase Markham suggested three additions to the plan: requiring Symantec to meet the Aug. 8 deadline for moving to a new PKI as a condition of continued inclusion in the Mozilla Root Program; requiring Symantec to accelerate moving its customers' existing certificates to the new PKI; and requiring Symantec to make full audit results available to Mozilla and, through Mozilla, to any member of the Mozilla community.
The response was posted by Steve Medin, PKI policy manager at Symantec, on June 12, which was Mozilla's deadline for comments from Symantec. The response echoed the security giant's blog post of June 1, in which it publicly accepted the need to replace its PKI while objecting to much of what Mozilla asked of it to restore trust in Symantec-issued certificates.
Mozilla's conditions for Symantec
As for when the Symantec CA infrastructure could be turned over to some third party, Medin wrote, "We expect to have the required feedback to inform a project plan by the end of June, at which time we will come back to Mozilla and the community regarding suggested dates that are both aggressive and achievable under this approach, by Symantec" and the third-party CAs that Symantec plans to collaborate with.
Mozilla's second addition, Markham said, was "to be certain that we are fully distrusting the old PKI" sooner than November 2020 -- the time when all certificates issued through the old Symantec CA PKI would naturally expire.
"As things currently stand technically, distrusting the old PKI would mean removing the roots, and so Symantec would have to move their customers to the new PKI at a rate faster than natural certificate expiry," Markham wrote. "Rather than arbitrarily set a date here, we are willing to discuss what date might be reasonable with Symantec, but would expect it to be some time in 2018."
Markham also noted that while it is important that Symantec is logging all of its certificates to Certificate Transparency (CT) logs, the project Google initiated, "Firefox currently does not act upon embedded CT information, and so CT-based mechanisms are not a suitable basis for us to determine trust upon. Were that to change, we may be able to consider a continued trust of CT-logged certs, but would still want to dis-trust non-CT-logged certs sooner than November 2020."
However, Symantec wants Mozilla to use CT so it can coordinate with other browsers such as Google Chrome, which do use CT.
"While we understand that Firefox does not act upon CT information, CT, independent of any one browser, still provides domain owners the ability to determine if certificates issued to their domains were authorized," Medin wrote. "CT monitors are easily available (and some free). The ability for members of the Mozilla community to leverage CT has required no work by Mozilla (e.g. to support [signed certificate timestamp] extensions or any of CT's technical implementation), but nevertheless has allowed issues to be found and the associated risk to be managed. We see this as an appropriate risk-based approach to transitioning from the current PKI within Firefox to a new one while limiting unnecessary customer disruption."
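The mechanism Medin and Markham are arguing over is the signed certificate timestamp (SCT) list a CA embeds in each certificate. As an added illustration, not part of the original article and not code from Symantec or Mozilla, the following Python script decodes that list as a domain owner or CT monitor would: it parses the SignedCertificateTimestampList (RFC 6962, sections 3.2 and 3.3), which is the payload of the certificate extension with OID 1.3.6.1.4.1.11129.2.4.2, and reports which of a caller-supplied set of logs vouch for the certificate. The log IDs, timestamps and signature bytes in the sample are constructed for the example, and the script deliberately stops short of verifying each SCT's signature, which requires the corresponding log's public key.

```python
import struct
from datetime import datetime, timezone

# Constructed log IDs (a real log ID is the SHA-256 of the log's DER-encoded
# public key). These two stand in for logs the domain owner has chosen to trust.
TRUSTED_LOG_IDS = {
    "constructed-log-a": bytes(range(32)),
    "constructed-log-b": bytes(range(32, 64)),
}


def _take(buf, n, pos):
    """Return buf[pos:pos+n] and the new offset, failing loudly on truncation."""
    if pos + n > len(buf):
        raise ValueError("truncated SCT data at offset %d" % pos)
    return buf[pos:pos + n], pos + n


def parse_sct(sct):
    """Decode one v1 SignedCertificateTimestamp (RFC 6962, section 3.2).

    Layout: version(1) log_id(32) timestamp(8, ms since epoch)
            extensions<0..2^16-1> hash_alg(1) sig_alg(1) signature<0..2^16-1>
    The signature is returned but NOT verified; that needs the log's public key.
    """
    pos = 0
    version, pos = _take(sct, 1, pos)
    if version[0] != 0:
        raise ValueError("unsupported SCT version %d" % version[0])
    log_id, pos = _take(sct, 32, pos)
    ts, pos = _take(sct, 8, pos)
    ext_len, pos = _take(sct, 2, pos)
    extensions, pos = _take(sct, struct.unpack(">H", ext_len)[0], pos)
    algs, pos = _take(sct, 2, pos)
    sig_len, pos = _take(sct, 2, pos)
    signature, pos = _take(sct, struct.unpack(">H", sig_len)[0], pos)
    if pos != len(sct):
        raise ValueError("trailing bytes after SCT signature")
    timestamp_ms = struct.unpack(">Q", ts)[0]
    return {
        "log_id": log_id,
        "timestamp": datetime.fromtimestamp(timestamp_ms / 1000, tz=timezone.utc),
        "extensions": extensions,
        "hash_alg": algs[0],
        "sig_alg": algs[1],
        "signature": signature,
    }


def parse_sct_list(blob):
    """Decode a SignedCertificateTimestampList: a 2-byte total length followed
    by length-prefixed SCTs. This is the OCTET STRING payload of the
    1.3.6.1.4.1.11129.2.4.2 certificate extension (RFC 6962, section 3.3)."""
    head, pos = _take(blob, 2, 0)
    total = struct.unpack(">H", head)[0]
    if total != len(blob) - 2:
        raise ValueError("SCT list length %d does not match %d data bytes"
                         % (total, len(blob) - 2))
    scts = []
    while pos < len(blob):
        head, pos = _take(blob, 2, pos)
        raw, pos = _take(blob, struct.unpack(">H", head)[0], pos)
        scts.append(parse_sct(raw))
    return scts


def vouching_logs(blob, trusted=TRUSTED_LOG_IDS):
    """Names of trusted logs that issued an SCT for this certificate.
    SCTs from logs the owner does not recognise are ignored, not trusted."""
    by_id = {log_id: name for name, log_id in trusted.items()}
    return sorted({by_id[s["log_id"]] for s in parse_sct_list(blob)
                   if s["log_id"] in by_id})


# --- constructed sample data, encoded the same way a CA would embed it ---
def encode_sct(log_id, timestamp_ms, signature):
    """Serialize a v1 SCT with no extensions and sha256(4)/ecdsa(3) algorithm ids."""
    return (b"\x00" + log_id + struct.pack(">Q", timestamp_ms)
            + struct.pack(">H", 0) + b"\x04\x03"
            + struct.pack(">H", len(signature)) + signature)


def encode_sct_list(scts):
    body = b"".join(struct.pack(">H", len(s)) + s for s in scts)
    return struct.pack(">H", len(body)) + body


JUNE_1_2017_MS = 1496275200000  # 2017-06-01T00:00:00Z, the date of Symantec's blog post
PLACEHOLDER_SIG = b"\x30\x00"   # empty DER SEQUENCE standing in for a real ECDSA signature
SAMPLE_SCT_LIST = encode_sct_list([
    encode_sct(TRUSTED_LOG_IDS["constructed-log-a"], JUNE_1_2017_MS, PLACEHOLDER_SIG),
    encode_sct(b"\xee" * 32, JUNE_1_2017_MS, PLACEHOLDER_SIG),  # log the owner does not know
])

if __name__ == "__main__":
    for sct in parse_sct_list(SAMPLE_SCT_LIST):
        print(sct["log_id"].hex()[:16], sct["timestamp"].isoformat())
    print("trusted logs vouching for this certificate:", vouching_logs(SAMPLE_SCT_LIST))
```

This is the part of CT that needs nothing from the browser: a domain owner can pull the extension out of any certificate naming the domain, see which logs recorded it and when, and then ask those logs (or a monitor watching them) whether the issuance was expected. Turning the parsed SCT into a trust decision, as Chrome does and Firefox at the time did not, additionally requires checking each signature against the log's key and applying a policy on how many distinct logs must vouch.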
Symantec CA audits at issue
Mozilla's final point requires Symantec to give the web browser community access to potentially sensitive audit results. Mozilla accepts that Symantec may want those results placed "behind a login (or require it to be so placed) as long as Mozilla is allowed to give access to any member of our community that we wish."
Symantec has said in the past it is willing to share audit results -- as long as it can "provide such reports under non-disclosure agreements where they include detailed information of a sensitive nature." The sensitive material Symantec aims to protect includes detailed information related to the tests run by WebTrust audit firms.
Medin noted that Symantec is still willing to share sensitive reports under non-disclosure. However, "[e]nabling any member of the Mozilla community, which we interpret as potentially an unlimited number of persons, to access detailed audit reports is difficult to allow without a clear understanding and agreement on the level of detail we would share or redact."
Symantec didn't completely rule out the possibility of opening up its audit information. "Our assumptions about the information you ask us to disclose may be different from yours," Medin wrote. "Therefore, we would like to better understand the scope of the information you want to see to determine whether exposure of that information is a manageable risk and acceptable to the audit firms."