Symantec representatives are continuing public dialogue and announced their proposals regarding the issuance of SSL certificates

On March 23, Google Chrome developers announced on their blog the planned consequences for Symantec over its incorrect issuance of SSL certificates. Symantec thoroughly analyzed Google’s accusations and prepared a list of actions aimed at enhancing security in the area of issuing SSL certificates.

First of all, Symantec has appealed to its customers to assess the potential impact of the sanctions described by Google for the erroneous issuance of SSL certificates. Among the company's clients are numerous financial services providers, medical organizations, government agencies, etc. If the changes planned by Google take effect, they will jeopardize the entire infrastructure of these organizations, which will suffer seriously because of complex dependencies on Symantec root certificates.

The process of moving to a new certification authority can take several months, and in some cases up to several years, due to uncertain or undocumented dependencies that may arise. In addition, only a few companies managed to implement the automation of the new certificate life cycle, which is required for the secure and beneficial implementation of certificates with a shorter validity period. As Symantec representatives stated, compatibility issues that may arise as a result of full-scale certificate replacement will be very serious and unpredictable.

Symantec suggestions addressed to the community

Symantec admits that it is necessary to ensure full transparency of all actions of the certifying authority, and therefore it has made its proposals aimed at enhancing trust and achieving an unsurpassed level of security.

  1. Symantec offered to conduct a retrospective audit of all active EV SSL certificates it has issued in order to prove their reliability and responsibility. It plans to engage a third-party company as auditor. This proposal was made in response to the planned refusal to trust the EV certificates (both past and future) from Symantec in the Chrome browser. The company plans to complete a third-party audit by the end of August 2017.
  2. Historically, Symantec issued certificates either directly or through affiliate registration authorities (RAs). As a second step, Symantec wants to audit all certificates issued by their RA partners, including CrossCert, Certisign, Certsuperior and Certisur. This verification is also planned to be completed before the end of August 2017.
  3. Symantec will conduct a six-month WebTrust audit between December 1, 2016 and May 31, 2017. After that, the audit will be conducted quarterly, starting from June 1, 2017 to August 31, 2017. The purpose of this action is to ensure maximum transparency in all transactions and new certificates issued by Symantec.
  4. A quarterly report will be published from which the community will be able to learn about the progress of external audits and the progress of the company's comprehensive improvement program.
  5. Symantec will make proposals to the CA/B Forum to improve guidelines related to exceptional customer requests. According to Symantec, the guidelines should be supplemented by items related to assessing the risk that such customer requests carry. It will also be necessary to prescribe the conditions under which the CA/B Forum will be able to effectively approve such exceptional requests (beyond the established rules).
  6. Symantec plans to revise the procedure for responding to requests from the browser community, making responses more detailed and quick.
  7. Symantec fully supports the transition to certificates with a shorter validity period. By August 31, 2017 the company plans to offer SSL/TLS certificates with a three-month validity period, which will be in demand among customers who have already implemented SSL automation. In the short term, Symantec will be investing in upgrading certificate issuance systems and creating tools that will allow customers to quickly and securely deploy their certificates and configure their systems.
  8. Symantec will recheck all issued certificates that are more than 9 months old. Auxiliary verification will increase trust in the original certificate, which is an extension of the basic trust model of the CA.
  9. The company will increase its investment in security and risk assessment. The first step is the involvement of a third-party company to analyze and assess the risks of all operations of the Symantec CA. These actions are planned to be completed by the end of October 2017.
  10. Symantec will update its Root Program to clearly distinguish between different uses of certificates. For example, specialized roots and/or certification sub-authorities will be created to segment customers that use public hierarchies for closed ecosystems, mixed ecosystems, customers that require certificates with a longer lifespan, clients that work with voluminous web traffic, etc.
  11. Symantec plans to deploy its Global Intelligence Network technology infrastructure to identify encrypted websites that are at high risk of threats. These sites will use risk mitigation measures for Symantec certificates.

Which steps have already been taken by Symantec 

Symantec has already implemented a number of the actions presented in the proposal above. First, the company decided to cease issuance of certificates through the registration authorities (RA). Also, experts conducted an audit of all certificates issued by their previous RA partners. The certificate report is published on the Symantec blog.

Moreover, Symantec has achieved an unprecedented level of security by adding all issued certificates (not only EV, but also DV and OV) to the transparency logs. The industry is only planning to move in this direction.

Symantec is one of the key players in the web-based trust ecosystem. The company makes every effort to minimize the consequences caused by the erroneous issuance of SSL certificates.