I've always thought it was a bad idea to kick a rattlesnake unless you want to get bitten. Apparently, Symantec kicked one. Google is out to punish Symantec for improperly issuing 30,000 Extended Validation (EV) certificates over the past few years. EV certificates are the highest level of trust and authentication. The issuing authority must validate the requesting entity's legal existence and identity. They are typically used for e-commerce sites, where credit card information and other personal information is transmitted over the Internet. Google has proposed the following punishments for Symantec:
- EV certificates issued by Symantec up to today will be downgraded to less-secure domain-validated certs, which means the Chrome browser will immediately stop displaying the name of the validated domain-name holder in the address bar for a period of at least a year.
- To limit the risk of any further misissuance, all newly-issued certificates must have validity periods of no greater than nine months (effective from Chrome 61 release) to be trusted in Google Chrome.
- Google proposes an incremental distrust, by gradually reducing the "maximum age" of Symantec certificates over the course of several Chrome releases, requiring them to be reissued and revalidated.
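The second and third points amount to a "maximum age" policy: a certificate from the affected CA is only honoured for a limited number of days after its notBefore date, and that limit shrinks with each browser release. The audit script below is an added example, not code from the post or from Google or Symantec, showing how an operator would check an inventory of certificates against such a policy. It assumes a certificate inventory summarised as subject, issuer and validity dates (the sample entries are constructed), a simple issuer-string match to decide which certificates are in scope, and an approximation of the post's nine-month limit as 279 days; the `max_validity_days` parameter lets the same check be rerun with the smaller limits of later releases.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# The post says newly issued Symantec certificates must have validity periods
# of no more than nine months to be trusted from Chrome 61 on. Nine months is
# approximated here as 279 days; the day count is an assumption for this example.
MAX_VALIDITY_DAYS = 279


@dataclass(frozen=True)
class CertSummary:
    """Minimal inventory record: what an audit needs from each certificate."""
    subject: str
    issuer: str
    not_before: date
    not_after: date

    def validity_days(self) -> int:
        return (self.not_after - self.not_before).days


def is_symantec_issuer(issuer: str) -> bool:
    # Assumed heuristic: match on the issuer name only. A real audit would walk
    # the chain and compare against the roots the browser vendor has listed.
    return "symantec" in issuer.lower()


def evaluate(cert: CertSummary, max_validity_days: int = MAX_VALIDITY_DAYS) -> dict:
    """Apply a maximum-age policy to one certificate.

    trusted       -> True if the cert is out of scope or within the limit
    trusted_until -> last date the browser would honour it under the policy:
                     min(notAfter, notBefore + max_validity_days)
    excess_days   -> how far the cert overshoots the limit (0 if within it)
    """
    if not is_symantec_issuer(cert.issuer):
        return {"subject": cert.subject, "in_scope": False, "trusted": True,
                "trusted_until": cert.not_after, "excess_days": 0}
    capped_end = cert.not_before + timedelta(days=max_validity_days)
    return {
        "subject": cert.subject,
        "in_scope": True,
        "trusted": cert.validity_days() <= max_validity_days,
        "trusted_until": min(cert.not_after, capped_end),
        "excess_days": max(0, cert.validity_days() - max_validity_days),
    }


def audit(certs, max_validity_days: int = MAX_VALIDITY_DAYS):
    """Return verdicts for in-scope certificates that need reissuing."""
    verdicts = [evaluate(c, max_validity_days) for c in certs]
    return [v for v in verdicts if v["in_scope"] and not v["trusted"]]


# Constructed sample inventory; issuer strings and hostnames are made up.
SAMPLE_INVENTORY = [
    CertSummary("shop.example.com", "O=Symantec Corporation, CN=Sample Symantec EV CA",
                date(2017, 1, 15), date(2019, 1, 15)),   # two-year cert, exceeds limit
    CertSummary("api.example.com", "O=Symantec Corporation, CN=Sample Symantec EV CA",
                date(2017, 6, 1), date(2018, 2, 1)),     # 245 days, within limit
    CertSummary("docs.example.com", "O=Example Trust Ltd, CN=Sample Other CA",
                date(2016, 3, 1), date(2019, 3, 1)),     # not a Symantec issuer
]

if __name__ == "__main__":
    for verdict in audit(SAMPLE_INVENTORY):
        print(f"{verdict['subject']}: reissue needed, honoured only until "
              f"{verdict['trusted_until']} ({verdict['excess_days']} days over the limit)")
```

Running the script flags only shop.example.com: its 730-day validity overshoots the limit by 451 days, and under the policy the browser would stop honouring it on 2017-10-21 rather than at its stated expiry. Rerunning `audit(SAMPLE_INVENTORY, max_validity_days=...)` with a smaller limit models the incremental distrust the post describes, where certificates that pass today fail under a later release.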
Not a good thing to tick off a major player like Google. It's even worse to screw up and not properly validate requesters of EV certificates.