zentilia - Fotolia

Symantec agrees to transfer certificate issuance to third party

Symantec has agreed to a plan that would transfer its certificate issuance and validation operations to as-yet-unnamed third-party partner starting Dec. 1.

After months of wrangling with major web browsers, Symantec has tentatively agreed to turn over its certificate-issuance operations to a third-party partner.

Symantec on Tuesday said it will choose its new subordinate certificate authority partner, or partners, in two weeks, as it prepares to turn over its public key infrastructure (PKI) operations to one or more third-party certificate authorities (CAs) by Dec. 1. Full certificate issuance and validation roles for Symantec would be transferred by Feb. 1, 2018. The CA giant also wants to consolidate Chrome's rolling distrust dates for all Symantec certificates issued before June 1, 2016; the company's proposed consolidation date would be May 1, 2018.

The Symantec certificate authority has been facing increasing scrutiny since developers at Google and Mozilla uncovered numerous issues with the vendor's CA policies and practices dating back to 2015.

The subordinate certificate authority proposal is the option offered to Symantec by Google that allows Symantec certificates to continue to be trusted by browsers if Symantec turns over its certificate-issuance operations to one or more trusted third-party CAs.

"Since June 1, Symantec has worked in earnest to operationalize the SubCA [subordinate certificate authority] proposal outlined by Google and Mozilla and discussed in community forums," wrote Steve Medin, PKI policy manager at Symantec, posting the company's report to the Mozilla and Chrome developer security forums. "The core of this proposal is to transfer the authentication and issuance of certificates to a set of new SubCAs that are operated by 'Managed CAs,' with the eventual end state being a move from the existing Symantec PKI to a modernized platform."

Roxane Divol, executive vice president and general manager of Symantec website security, told SearchSecurity, "The dates we have outlined are aggressive and are designed to ensure a smooth transition for our customers, given the enormous scope of the project. By making the necessary adjustments based on input from our own internal planning and after discussions with bidders interested in taking on the SubCA work, we believe we will achieve an orderly rollout that is as close to the original dates as possible."

The report is the first official word from Symantec on the disposition of its certificate authority business since a June 30 meeting with Mozilla developers. It also comes on the heels of last week's report that the company is seeking a buyer, or buyers, for its certificate authority business. If the transition plan is approved by the web browser community, then Symantec certificate issuance and validation will be handled by a subordinate certificate authority. Symantec will retain ownership of its certificate authority under the plan, unless the vendor moves forward with a sale of its web certificate business.

Next Steps

Dig into Mozilla's list of issues discovered in Symantec's CA operations

Read more about how Symantec has responded to concerns over its practices

Listen to Symantec's dilemma on the Risk & Repeat podcast

Dig Deeper on Application and platform security

Enterprise Desktop
Cloud Computing