Symantec CA remediation plan faces more delays

Mozilla's conditions for Symantec

As for when the Symantec CA infrastructure could be turned over to some third party, Medin wrote, "We expect to have the required feedback to inform a project plan by the end of June, at which time we will come back to Mozilla and the community regarding suggested dates that are both aggressive and achievable under this approach, by Symantec" and the third-party CAs that Symantec plans to collaborate with.

Mozilla's second addition, Markham said, was "to be certain that we are fully distrusting the old PKI" sooner than November 2020 -- the time when all certificates issued through the old Symantec CA PKI would naturally expire.

"As things currently stand technically, distrusting the old PKI would mean removing the roots, and so Symantec would have to move their customers to the new PKI at a rate faster than natural certificate expiry," Markham wrote. "Rather than arbitrarily set a date here, we are willing to discuss what date might be reasonable with Symantec, but would expect it to be some time in 2018."

Markham also noted that while it is important that Symantec is registering all certificates through Google's Certificate Transparency (CT) project, "Firefox currently does not act upon embedded CT information, and so CT-based mechanisms are not a suitable basis for us to determine trust upon. Were that to change, we may be able to consider a continued trust of CT-logged certs, but would still want to dis-trust non-CT-logged certs sooner than November 2020."

However, Symantec wants Mozilla to use CT so it can coordinate with other browsers such as Google Chrome, which do use CT.

"While we understand that Firefox does not act upon CT information, CT, independent of any one browser, still provides domain owners the ability to determine if certificates issued to their domains were authorized," Medin wrote. "CT monitors are easily available (and some free). The ability for members of the Mozilla community to leverage CT has required no work by Mozilla (e.g. to support [signed certificate timestamp] extensions or any of CT's technical implementation), but nevertheless has allowed issues to be found and the associated risk to be managed. We see this as an appropriate risk-based approach to transitioning from the current PKI within Firefox to a new one while limiting unnecessary customer disruption."

Symantec CA audits at issue

Mozilla's final point requires Symantec to provide the web browser community with access to potentially sensitive audit results, with the expectation that Symantec may expect that those results be placed "behind a login (or require it to be so placed) as long as Mozilla is allowed to give access to any member of our community that we wish."

Symantec has said in the past it is willing to share audit results -- as long as it can "provide such reports under non-disclosure agreements where they include detailed information of a sensitive nature." The sensitive material Symantec aims to protect includes detailed information related to the tests run by WebTrust audit firms.

Medin noted that Symantec is still willing to share sensitive reports under non-disclosure, however, "[e]nabling any member of the Mozilla community, which we interpret as potentially an unlimited number of persons, to access detailed audit reports is difficult to allow without a clear understanding and agreement on the level of detail we would share or redact."

Symantec didn't completely rule out the possibility of opening up its audit information. "Our assumptions about the information you ask us to disclose may be different from yours," Medin wrote. "Therefore, we would like to better understand the scope of the information you want to see to determine whether exposure of that information is a manageable risk and acceptable to the audit firms."