Our primary objective has always been to minimize any potential business disruption for our customers and for browser users while also reassuring trust in Symantec certificates and our issuance practices. While we believe we achieved that balance with our original proposal to the community, the browser community (specifically, Google, Mozilla and Opera) has since converged upon a new proposal.
Google shared this new proposal for Symantec’s CA with the community on May 15. We have since been reviewing this proposal and weighing its merits against feedback we’ve heard from the broader community, including our CA customers. As part of our review, we’ve conducted a preliminary analysis of the engineering, contract and business development requirements needed to implement the subCA portion of the proposal outlined by Google. Additionally, we have had initial conversations with candidate partners (or “SubCAs”) to understand the potential timeline and integration constraints that would need to be factored into a successful adoption of a subCA approach. While we are waiting to receive detailed responses to a Request For Proposals (RFP) from these potential SubCAs, we wanted to share our initial feedback to Google’s current proposal.
First, we acknowledge the mis-issuances we’ve experienced in our CA business and we take these incidents very seriously. We believe these incidents are the exception and not the rule for our CA operations. Our CA business is led and staffed by experienced individuals around the world who serve our customers while ensuring our issuance practices comply with industry and browser requirements.
That said, we understand that any failure of our SSL/TLS certificates to be recognized by popular browsers could disrupt the business of our customers. In that light, we appreciate that Google's current proposal does not immediately pose compatibility or interoperability challenges for the vast majority of users. Indeed, while there are significant backend changes required under Google’s latest subCA proposal, we believe it is designed to minimize impact to our CA customers and browser users. Notably, Google’s current proposal preserves the treatment of Symantec EV certificates and provides a pathway for us to continue supporting our customers with industry standard certificate validity periods. Furthermore, the current proposal allows our customers, for the most part, to have an uninterrupted and unencumbered experience.
However, there are some aspects of the current proposal that we believe need to be changed before we can reasonably and responsibly implement a plan that involves entrusting parts of our CA operations to a third party.
As the largest issuer of EV and OV certificates in the industry according to Netcraft, Symantec handles significantly larger volumes of validation workloads across more geographies than most other CA’s. To our knowledge, no other single CA operates at the scale nor offers the broad set of capabilities that Symantec offers today. In addition to the vetting required to identify suitable CA partners, we believe there may be a significant ramp up period required for any CA to augment the resources needed to accommodate our certificate issuance volumes in a robust, reliable, secure, and fully compliant way. Before a technical integration and transition can begin, Symantec would need to evaluate the capabilities of interested and qualified CAs. We would also need time to put in place the governance, business and legal structures necessary to ensure the appropriate accountability and oversight for the subCA proposal to be successful.
Once we enter into a partnership with one or multiple SubCAs, Symantec and the SubCA(s) will need to perform engineering work to support the subCA model. These implementations would then need to be tested extensively.
Given the time needed to overcome these challenges, we have proposed modifications that we ask Google, Mozilla, other browsers, relying parties and the community to consider as we work to reach a final plan. Our goal is to move to an agreed-upon action plan that we can begin to implement in a reasonable timeframe that ensures a smooth transition. Detailed in-line responses to various parts of the proposal, along with clarifying questions, are provided below.
Overview / Background
Here's an update on the discussions about Symantec-issued certificates and the steps Chrome is proposing to move forward. Thank you to everybody who has contributed to the discussion so far.
On May 12, members of the Chrome team met with Symantec to discuss the set of concerns and our proposed remedy for them. These discussions were an expansion on a proposal previously shared with Symantec in April, and later shared on the mozilla.dev.security.policy list.
When the original Intent to Deprecate was posted, I proposed a plan that tried to best address issues we were aware of and provide a long-term path for comprehensive protections. We received a lot of great feedback from the Blink and wider PKI communities regarding the impact this plan would have and further issues to consider. In light of this feedback, we would like to propose a new plan that we believe ensures users are sufficiently secured while trying to minimize disruption to site operators, and providing an objective and reasonable path forward for those that have critical dependencies on certificates that chain to Symantec-operated roots.
We want to share an overview of this plan with the broader community, with more specific, detailed requirements at the end. The high-level overview of the plan is:
- Symantec will modernize their platform and PKI dedicated to website certificate issuance. Symantec has previously posted that this in their current roadmap, and we require that the modernized platform adheres to best practices for CAs in security, design, and process as part of that modernization process.
- Until the modernized platform is ready and accepted into major trust stores, certificates would need to be issued through one or more independently operated third-party CAs (aka “Managed CAs”) that Symantec would partner with.
Symantec In-Line Response: While adhering to best practices for a modernized platform is self-evident, what process do Chrome and the community foresee as appropriate to establish this trust?
- The Managed CAs could be cross signed by an agreed upon set of existing Symantec roots, to take advantage of the existing roots' ubiquity in trust stores.
- EV certificates can be issued by Managed CAs, provided that they meet the validation requirements.
- Validity period of new certificates can be up to 39 months, or to the maximum allowed by Chrome for all CAs (currently specified in the Baseline Requirements and EV Guidelines), provided that a Managed CA fully revalidates the information. During a bridge period, Managed CAs can reuse existing validation information but lifetimes must be limited to 13 months.
- Existing certificates issued on or after June 1st 2016 would still be trusted, provided they comply with the Chrome CT policy. EV certificates issued on or after this date will continue to be granted EV treatment.
- Existing certificates issued before June 1st 2016 would go through a phased distrust based on notBefore dates.
Symantec In-Line Response: This part of the proposal introduces a substantial additional authentication effort for SubCAs on top of an already challenging requirement to scale their processing capacity. Symantec has been logging all EV certificates to CT since Jan 1, 2015 and a large proportion of other certificates since prior to June 1, 2016. This distrust would affect over 425,000 certificates, of which ~130,000 have been logged to CT. Given that CT logging appears to be foundational, we would like to propose that ongoing trust be extended to any Symantec CT qualified certificate issued after Jan 1, 2015 as it currently is today in Chrome.
- Chrome will offer an Enterprise Policy to allow older certificates to be trusted to help with migration to the new PKI.
While the plan is not final, we believe it is converging on one that strikes a good balance of addressing security risk and mitigating interruption. We still welcome any feedback about it, as prior feedback has been valuable in helping shape this plan.
Transition to a New Symantec PKI
Chrome will require that by 2017-08-08 all new Symantec-chaining certificates be issued by independently operated third-parties (aka “Managed CAs”).
Chrome will implement a check, on-or-after 2017-08-08, to enforce this by ensuring that the certificate chain contain a whitelist of intermediates (independently operated sub-CAs or the Managed CAs).
Symantec In-Line Response: See date comments below.
If a Managed CA has fully revalidated the information, the validity period of new certificates can be up to the maximum allowed by Chrome for all CAs, which is currently specified as the maximum allowed by the Baseline Requirements and EV SSL Guidelines.
During a transition period, validation information can be reused, provided that the certificate is issued by the new infrastructure. However, the validity period of such certs must be no longer than 13 months.
If Symantec needs this flexibility, the following deadlines apply:
- 2017-08-08 - Certificates must be issued by the Managed CA, but can re-use existing validation information (up to the limits imposed by the Baseline Requirements).
- 2017-11-01 - Certificates must be issued and have domains revalidated by the Managed CA, but can use re-use existing organization validation information (up to the limits imposed by the Baseline Requirements).
- 2018-02-01 - Certificates must be issued and have all validation performed by the Managed CA.
Symantec In-Line Response: Based on our initial research, we believe the timing laid out above is not achievable given the magnitude of the transition that would need to occur as we discussed at the beginning of this post and we propose that Google not conclude on final distrust dates for Symantec certificates at this time. We have conducted outreach to candidate partners (SubCAs) to understand the potential constraints, timelines and the integration work that might be needed. We have also formalized and issued a RFP with specific questions around timing, logistics and dependencies. We expect to have the required feedback to inform a project plan by the end of June, at which time we will come back to Google and the community regarding suggested dates that are both aggressive and achievable. In the meantime, we wanted to share some of some of the practical and constraining reasons that we believe the dates will need to be adjusted:
- In order to ensure that the expected bar is set in terms of issuance, validation and availability, we are in the midst of a rigorous RFP process which will include detailed diligence for potential SubCAs in terms of controls and compliance performance.
- Post-RFP, partnering requires Symantec to work with competitors and establish business relationships that are acceptable to all parties.
- Symantec is currently the single largest issuer of OV and EV certificates, as reported by Netcraft. Potential partners (our existing competitors) may not have built out their infrastructure to handle the capacity increase they would experience with serving Symantec’s existing demand. The buildout of infrastructure and authentication capabilities will require ramp-up time. Based on conversations held so far, this ramp up time may be greater than 4 months. Additionally, Symantec serves certain international markets that require language expertise in order to perform validation tasks. Any acceptable partner would also need to service these markets. Executing on a subCA plan would therefore require us to go down one of two paths:
- Establish several relationships with multiple CAs which would require multiple contract negotiations and multiple technical integrations.
- Partner with a single SubCA, which would require such CA to build up the compliant and reliable capacity necessary to take over our CA operations in terms of staff and infrastructure.
- SubCA partners would need to potentially revalidate over 200,000 organizations in full, in order to maintain full certificate validity for OV and EV certificates – this would increase the immediate capacity required for these partners and put the timing proposed by Google at risk. As an example, full review of our Latin American partners, and full revalidation of CrossCert’s active certificate issuances has been time intensive. Applying significant resources and performing the checking and revalidation for the approximately 30,000 certificates (with far fewer organizations) issued by our former SSL/TLS RA partners has taken over 4 months. The practical revalidation effort for under this proposal should not be underestimated.
- We anticipate that designing, developing, and testing new auth/verif/issuance logic, in addition to creating an orchestration layer to interface with multiple subCAs will take an estimated 14 calendar weeks. This does not include the engineering efforts required by the subCAs, systems integration and testing with each subCA, or testing end-to-end with API integrated customers and partners, although some of this effort can occur in parallel.
The use of existing or new validation information in a certificate should be signalled by using new OID in the Certificate Policies extension. See the Technical Details section for more information. If the managed CA is unable to validate the information by such milestones, then such certificates will not be able to be issued or trusted.
Chrome will continue to trust certificates issued after 2016-06-01, provided they are “CT Qualified” as defined in the Chrome CT Policy.
Enterprise Chrome users will be given a policy to allow certificates issued before 2016-06-01. This will give enterprise administrators the ability to control Chrome behavior for their organizations. This can be specified both at device-level as well as at user-level.
We’re proposing a phased distrust of all website certificates issued prior to 2016-06-01, which is the date in which Chrome both required and enforced Certificate Transparency. This provides a degree of assurance for site operators that certificates issued for the improper domain have a reasonable chance of being detected. With this, our goal is to attempt to minimize disruption to site operators, ensure reasonable notice of these changes, and avoid particularly sensitive holiday disruptions. These plans represent target dates, which may need to be adjusted based on interoperability or compatibility risk or additional information coming to light that may accelerate such distrust.
- On 2017-08-31, no longer trust any certificate whose notBefore was prior to 2015-06-01. This corresponds with an expected Chrome 62 date.
- On 2018-01-18, no longer trust any certificate whose notBefore was prior to 2016-06-01. This corresponds with an expected Chrome 65 date.
Symantec In-Line Response: As previously mentioned, Symantec has been logging EV certificates to CT since Jan 1, 2015; and a proportion of other certificates since before June 1, 2016. Given that CT logging appears to be foundational, we propose that ongoing trust be extended to any Symantec CT Qualified certificate issued after Jan 1, 2015. Doing so would reduce the incremental re-authentication effort from over 425K certificates to ~295K – a meaningful reduction in the re-authentication effort necessary under this part of the proposal.
In terms of specific feedback on certificate distrust dates and the associated distrust waterfall, we must consider the information that will be returned to us as part of our current RFP process before we revert to the community with suggested dates that would not cause undue disruption to our CA customers and browser users. In the meantime, we propose that Google not conclude on final distrust dates for Symantec certificates at this time.
- These sub-CAs must be operated by a non-affiliated organization that operates roots currently trusted in the Android and Chrome OS trust stores that have been trusted for a period of at least two years.
- The non-affiliated organization must accept full responsibility for the operation of these sub-CAs and agree that any misissuance from these sub-CAs will be treated as if it was misissuance from any of the other CAs the organization operates. Similarly, any misissuance from the other CAs the organization operates will be treated as if it was misissuance from these sub-CAs. Because the basis for trust in these intermediates will be based on chaining to the existing Symantec root certificates, rather than to a different organization’s CA certificates, Symantec must also accept responsibility for the operation of these sub-CAs and agree that any misissuance from these sub-CAs will be treated as if it was misissuance from any of the other CAs that Symantec operates.
Symantec In-Line Response: We would treat SubCAs as Delegated Third Parties and as such subject to audit under section 8 of the Baseline Requirements. However, given the possibility that multiple SubCAs may be required to accommodate the scope of our operations, it’s important to clarify that the actions of one SubCA should not automatically reflect on the operations of a separate SubCA. Can you further explain your rationale and intent on this point?
- Symantec and its affiliates must not participate in any of the information verification roles permitted under the Baseline Requirements, such as Delegated Third Parties, including that of Enterprise RAs, or as Validation Specialists. That is, the non-affiliated organization bears full responsibility to perform all information verification controls related to the issuance of the certificates. Symantec and its affiliates may, however, seek to collect and aggregate all of the information as part of the Certificate Request process in order to expedite and simplify the verification process.
Symantec In-Line Response: In Symantec’s current authentication model, there is a two-step process, where validation of an order is done by one person and then that work is reviewed independently by another prior to issuance. To expedite the timing of our implementation of this proposal and to offset the ramp time needed for SubCAs to increase their authentication capacity, we suggest that Google’s proposal be modified to allow Symantec to conduct the first step of the validation, subject to 100% review of 100% of the orders by the SubCA, and issuance determination made by the subCAs.
- These sub-CAs must not be used to certify any Symantec-operated or -controlled CAs, but may themselves be certified by existing Symantec-operated or -controlled CAs. That is, they can be cross-signed by the existing infrastructure, but they must not cross-sign any of the existing infrastructure or certificates.
- No Delegated Third Parties shall be used to perform the information verification functions of domain verification (Section 22.214.171.124 of the Baseline Requirements) or IP address verification (Section 126.96.36.199 of the Baseline Requirements)
- The Certificate Policy and Certification Practice Statements (CP/CPS) for the sub-CAs may use Symantec’s domains for purposes of CAA verification, as they are operating on behalf of Symantec.
Symantec In-Line Response: Where SubCAs use Delegated Third Parties in their existing CA operations, we propose that such SubCAs be permitted to continue to use such Delegated Third Parties with respect to performance of its responsibilities for the benefit of Symantec under this proposal. Restricting use of Delegated Third Parties by SubCAs under this proposal may limit the interest of SubCAs to partner with Symantec under this proposal and/or increase their cost to partner with Symantec under this proposal.
- Within 90 days of the first certificate being issued by any of these sub-CAs, the operating organization shall provide a Period of Time audit report according to the “Trust Service Principles and Criteria for Certification Authorities” and the “WebTrust Principles and Criteria for Certification Authorities - SSL Baseline with Network Security.” If Symantec desires for these sub-CAs to be recognized as capable of issuing EV certificates, Symantec shall also provide a “WebTrust Principles and Criteria for Certification Authorities - Extended Validation SSL.” All audits shall use the current version of the criteria appropriate for the audit engagement date. The period of time must include the moment of the Key Generation Ceremony, must not exceed 120 days in duration, and must not be less than 30 days in duration. Note that 90 days represents when the report shall be provided, not the end of the period of time.
Symantec In-Line Response: We agree with the subsequent discussion on audit timing:
T0: Key Generation Ceremony
T+30-60: First server auth certificate issued
T+90-120: End of period (not less than 60 days after the prior T+timepoint)
T+180-210: Opinion published (not more than 90 days after end of period)
- The audit report scope must include all Principles and Criteria and include all locations in which the key material exists. If a Principle or Criteria is excluded from the scope due to the non-performance of that function, the audit report and management’s assertion letter must attest that no organizations, including the operating organization, performed that role or function for the Period of Time under audit.
- An unbroken sequence of such audit reports shall be posted publicly and provided to Google no more than 90 days after the conclusion of the audit period. For the first year following the issuance of the first certificate, the audit period shall not exceed 90 days. For the second year, the audit period shall not exceed 6 months. For third and subsequent years, the audit period shall not exceed 12 months.
Symantec In-Line Response: Given that Symantec would partner with SubCAs that are established CAs, we do not believe these SubCAs should be burdened with audit requirements that exceed their requirements today. We believe it should not be necessary to force these SubCAs to provide audits with greater frequency than what they are currently required to do outside of the initial one outlined in the first audit bullet, which can be used to confirm that the transition was successful.
- Any and all subordinate CAs certified by these sub-CAs must be covered by the same CP/CPS, management’s assertion, and audit reports as the sub-CA itself. That is, any sub-CAs beneath these sub-CAs must be part of the same infrastructure and operation of the non-affiliated organization.
- In order to be trusted, issued certificates must be “CT Qualified”, as defined in the Certificate Transparency in Chrome Policy.
- Each certificate must clearly identify the degree of information that has been revalidated. To accomplish this, we propose that Symantec make use of three newly-defined OIDs, to be allocated by Symantec, and to be placed within the Certificate Policies extension, with a distinct OID for each of the following scenarios:
- Issued on new infrastructure, but reusing existing information previously validated or obtained by Symantec.
- Certificates bearing this policy OID MUST NOT be valid for longer than 400 days.
- Issued on new infrastructure, with domain information having been validated by the organization operating the Managed CA for Symantec, but containing and reusing organizational information validated previously by Symantec.
- Certificates bearing this policy OID MUST NOT be valid for longer than 400 days.
- As DV certificates do not contain organization information, no DV certificates should bear this policy OID.
- Issued on new infrastructure, with all information contained having been validated by the organization operating the Managed CA for Symantec.
- Certificates bearing this policy OID MUST NOT be valid for longer than the maximum time permitted by Chrome for all CAs at the time of issuance, which is currently defined within the CA/Browser Forum’s Baseline Requirements.
- Issued on new infrastructure, but reusing existing information previously validated or obtained by Symantec.
Transition to New Infrastructure
- Until such a time as Symantec’s new infrastructure has been accepted as trusted for TLS server certificate issuance in the root stores used by the Stable version of Chrome on the most recently released, generally available version of the supported OS platform Chrome is running on, the sub-CAs must continue to be operated according to the requirements outlined here.
- At this time, this includes the root stores of Microsoft (Chrome on Windows), Apple (Chrome on macOS and Chrome on iOS), Mozilla (Chrome on Linux) and Google (Chrome on Android and Chrome on Chrome OS). And would include any future Google root store program used by Google products and services.
- In continued collaboration with CPA Canada and the WebTrust Task Force in determining the feasibility and appropriateness of such reports, as part of the determination for acceptability of the new infrastructure, Symantec may be requested to provide a report on controls at the Certification Authority that includes a description of the auditor’s tests of controls and results, covers a period of time, and includes a description of the system. The intended users of the report must include persons who assist in decisions related to the trusted status of Certification Authorities within Chrome and Google products.
Symantec In-Line Response: Symantec is willing to provide such reports under non-disclosure agreements where they include detailed information of a sensitive nature (similar to sharing SOC2 reports with specific customers).
***** End of Google's Original Post and Symantec In-Line Response*****
We believe that we are on the path to reaching an agreed-upon plan that can be implemented in a reasonable timeframe and ensures minimal disruption for our customers. We will continue to pursue what we believe is the right course of action that allows for a smooth transition and reassures trust in Symantec certificates and our issuance practices. We welcome continued input from Google and the browser community as we work to reach a final agreement that serves the best interests of all stakeholders.