Symantec promises audit-fest to placate Google trust reduction plans

TLS certificate vendor says it will even audit its previous audits to stop Google reducing its trust in Symantec certificates.

Symantec has laid out its response to the proposal Google made last month to progressively reduce trust in Symantec certificates, until a point is reached where Chrome will only trust certificates from the security giant and its subsidiaries that are issued for 279 days or less.

The core of the response is Symantec's argument that more audits of its activities will result in greater transparency.

The security giant has proposed: an audit of all active Extended Validation certificates it has issued; an auditor to examine certificates issued by former Symantec registration authority (RA) partners, as well as an external audit of the remediation work to be completed before September; a six-month period-in-time WebTrust audit covering December 1 to May 31, followed by quarterly WebTrust audits until a year passes with no action needed; and a third party to conduct a process and systems risk assessment of Symantec's certificate operations.

The company said it is backing the move to shorter certificate lifetimes, and that from August 31 it would begin to "broadly offer" three-month certificates. All issued certificates with a lifetime longer than nine months would have their domains revalidated at no cost at the nine-month mark, the company said.

Symantec said Google's proposal could run into "complex dependencies", such as embedded devices needing to be reimaged, mobile apps having to be updated, and organisations whose applications pin Symantec certificates seeing those applications fail.

"Many of these organisations estimate that just the planning process to prepare to move to a new certificate authority could take many months and in some cases years because of unknown and undocumented dependencies," Symantec said.

"Few large enterprises that we've received feedback from have implemented the level of certificate lifecycle automation required to enable safe and cost-effective adoption of shorter validity certificates."

In a statement, executive vice president and general manager of Symantec Website Security, Roxane Divol, said the company's proposal was balanced.

"As we work to implement these measures, we remain committed to ensuring business continuity for our CA customers and complying with the requirements of the browser community, so that we can reach a solution that is in the best interests of all stakeholders," she said.

Last week, Symantec also responded to the list of issues Mozilla had raised with its behaviour, and the open-source browser maker struck three issues from the list as a result.

According to Mozilla policy engineer Gervase Markham, Symantec now faces six major, two intermediate, and four minor issues.

In Google's original proposal, Chrome would have begun reducing its trust in Symantec certificates in Chrome 59, but the start has now been pushed back to Chrome 60.

"To stress, this delay is not based on a believed reduction of risk, but due to our desire to ensure these changes are appropriately socialized in the ecosystem and ideally interoperable with other browsers' next steps," Google engineer Ryan Sleevi said earlier this month.