
Industry reacts to Symantec certificate authority trust remediation

As the Symantec certificate authority scrambles to transition its certificate-issuance operations to a subordinate certificate authority, the CA industry sharpens its knives.

While key details are still missing about the future of Symantec certificate authority operations, the industry is watching the situation closely.

After Reuters reported that Symantec was shopping its CA operations around to potential buyers, with a possible price tag of over $1 billion for an operation said to generate around $400 million in annual revenue, the CA giant released some details of its plans for an orderly transfer of certificate issuance to a subordinate certificate authority. Symantec has been in hot water with the browser community since 2015, when it was caught improperly issuing extended validation certificates for Google domains. Since then, numerous other issues with Symantec certificate authority practices have been raised.

Whether or not a sale is in the works, the transition mandated by the browser community appears to be underway. Symantec certificate authority officials announced that the company intends to choose its new partner to act as a subordinate certificate authority within the next two weeks. Tension over the outcome also hinges on whether Google is willing to extend its Aug. 8 deadline for the transition to begin.

Meanwhile, the certificate authority industry is watching closely, especially since the transition could provide the opportunity to benefit at Symantec's expense.


"All the other CAs are eagerly reaching out to Symantec customers that might be impacted, including RapidSSL and Thawte and GeoTrust brands, and making sure that they have provisions in place to buy certificates from another supplier in the event Symantec doesn't comply with the rules in time," Doug Beattie, vice president of product management for SSL products at certificate authority GlobalSign, based in Portsmouth, N.H., told SearchSecurity. "We'd like to put these customers at ease and make sure they have reliable providers of certificates."

"It's an unfortunate disruption for the industry and many enterprises, and I hope that things can be done with minimum disruption," Melih Abdulhayoğlu, CEO of certificate authority Comodo, based in Clifton, N.J., told SearchSecurity. But, at the same time, it's an opportunity. "We've hired some of their key employees, and we've picked up key customers and channel partners. We've achieved more than 40% market share for two years now. I have to say we've earned our growth with more investment, better technology and better service."

Could Symantec avoid revamping its PKI?

It's not entirely clear what the implications of a Symantec certificate authority sale would be. "If another CA was to acquire it, they would use their own infrastructure; hence, the limitations levied up against Symantec might not apply," Melih said. However, certificates issued by Symantec prior to June 1, 2016, will in any case no longer be trusted after the distrust date.

And trust is key, Ray Wizbowski, chief marketing officer for certificate authority Entrust Datacard, based in Shakopee, Minn., told SearchSecurity. "For a sale of any SSL business, it is about establishing trust. An acquiring party will need to pass a web-trust audit in order for roots to remain or to be reinstated in the root store. This is not a trivial process and is something we are familiar with having acquired AffirmTrust for our SSL portfolio in 2016."

"Our view is to help any Symantec customers and partners, retail or enterprise customers, that might be running into a problem sometime in August," Beattie said, noting that Symantec customers should already be aware of the need for action. "We're looking to avoid some sort of disaster on the internet in August or September when the Chrome update rolls out and forces the Aug. 8 issuance cutoff date."

The looming deadline


Symantec this week asked that the distrust date be set to May 1, 2018. However, Steve Medin, public key infrastructure policy manager at Symantec, wrote a post to the Mozilla security developers forum requesting the date be moved even later. "We urge the community to consider moving the proposed May 1, 2018 distrust date out even further to February 1, 2019 in order to minimize the risk of end user disruption by ensuring that website operators have a reasonable timeframe to plan and deploy replacement certificates."

Software engineer Eric Mill, responding to Medin's forum post, took issue with Symantec's request to push the distrust date out any further. "That's pretty close to saying that nothing should happen, since almost all the certificates will have expired by then," Mill wrote. "That certainly is the least disruptive, but it seems contrary to the intent of the proposal."
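The disagreement above turns on a simple date calculation: how many certificates in a fleet are still valid on a given distrust date, and how many of those were issued before the June 1, 2016 cutoff and will therefore lose trust on that date regardless. The script below is an added example, not code from the article or from Symantec, Google or any CA; it triages a constructed certificate inventory against the two candidate distrust dates from the article (May 1, 2018 and February 1, 2019) using the brand names the article lists as affected (Symantec, GeoTrust, RapidSSL, Thawte). The `review_post_cutoff` category is an assumption: the article does not say how certificates issued after June 1, 2016 are treated at the distrust date, so the script only flags them for review. Feeding it a real inventory would require exporting issuer and validity fields from your own certificate store.

```python
from collections import Counter
from dataclasses import dataclass
from datetime import date

# Dates and brand names taken from the article.
LEGACY_ISSUANCE_CUTOFF = date(2016, 6, 1)   # certs issued before this lose trust at the distrust date
CANDIDATE_DISTRUST_DATES = {
    "symantec_initial": date(2018, 5, 1),   # date Symantec first asked for
    "symantec_revised": date(2019, 2, 1),   # later date Medin asked the community to consider
}
SYMANTEC_BRANDS = {"Symantec", "GeoTrust", "RapidSSL", "Thawte"}


@dataclass(frozen=True)
class Cert:
    """Minimal inventory record: the fields needed for distrust triage."""
    subject: str
    issuer_org: str
    not_before: date
    not_after: date


def classify(cert: Cert, distrust_date: date) -> str:
    """Place one certificate into a triage bucket for a given distrust date.

    not_in_scope       - issuer is not a Symantec-family brand
    expires_first      - certificate expires on or before the distrust date
                         (Mill's point: a late enough date makes this the common case)
    legacy_distrusted  - still valid at the distrust date and issued before
                         June 1, 2016, so it loses trust on that date
    review_post_cutoff - still valid, issued after the cutoff; treatment is
                         not settled by the article, so flag for review (assumption)
    """
    if cert.issuer_org not in SYMANTEC_BRANDS:
        return "not_in_scope"
    if cert.not_after <= distrust_date:
        return "expires_first"
    if cert.not_before < LEGACY_ISSUANCE_CUTOFF:
        return "legacy_distrusted"
    return "review_post_cutoff"


def triage(inventory: list[Cert], distrust_date: date) -> dict[str, int]:
    """Count certificates per bucket for one candidate distrust date."""
    return dict(Counter(classify(c, distrust_date) for c in inventory))


def replacement_worklist(inventory: list[Cert], distrust_date: date) -> list[str]:
    """Subjects that must be reissued before the distrust date no matter what."""
    return sorted(c.subject for c in inventory
                  if classify(c, distrust_date) == "legacy_distrusted")


# Constructed sample inventory (hypothetical hostnames and validity periods).
SAMPLE_INVENTORY = [
    Cert("shop.example",   "RapidSSL", date(2015, 3, 10),  date(2018, 3, 10)),
    Cert("api.example",    "Symantec", date(2016, 1, 15),  date(2019, 1, 15)),
    Cert("mail.example",   "GeoTrust", date(2017, 2, 1),   date(2020, 2, 1)),
    Cert("vpn.example",    "Thawte",   date(2016, 5, 20),  date(2019, 5, 20)),
    Cert("www.example",    "Comodo",   date(2017, 1, 1),   date(2019, 1, 1)),
    Cert("legacy.example", "Symantec", date(2014, 11, 1),  date(2017, 11, 1)),
]


if __name__ == "__main__":
    for label, distrust_date in CANDIDATE_DISTRUST_DATES.items():
        print(f"{label} ({distrust_date}): {triage(SAMPLE_INVENTORY, distrust_date)}")
        print(f"  must replace: {replacement_worklist(SAMPLE_INVENTORY, distrust_date)}")
```

Running it on the sample inventory shows the effect Mill describes: moving the distrust date from May 2018 to February 2019 shifts one more certificate from the "must replace" bucket into "expires first", and on a real fleet of one- to three-year certificates most of them would age out the same way. The useful output for an operator is the `legacy_distrusted` worklist, since those hosts need a new certificate from a different issuer before whichever date is finally adopted.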

Regardless of what deadlines are eventually agreed upon, the scrutiny and proposed sanctions against Symantec have served as a wake-up call for the web certificate industry.

"This particular penalty by Google is severe. I think we can all agree on that," Beattie said. "GlobalSign -- and I'm sure all the other CAs -- were really just looking at, with a very critical eye, their current operations and policies. We've tightened up a few things. Certainly, we're always improving our security, but this raises awareness about following the Baseline Requirements and complying with the root policies and making sure that you just don't barely meet them -- you exceed them. And there's no question about how you're doing your domain validation or your organizational validation or meeting the network security requirements in your network and two-factor authentication.

"The hardcore policy managers are making sure that everybody is overachieving on their verification and authentication checklists and audit checklists and so on," Beattie said. "The big takeaway from this is: Exceed what you think the requirements are, and don't leave any room for interpretation."
