Risk & Repeat: Symantec, Mozilla spar over certificate issuance
In this week's Risk & Repeat podcast, SearchSecurity editors discuss Mozilla's suggested deadline for Symantec to turn over its certificate issuance operations.
Symantec may have to turn over its certificate issuance operations to a third party, but how and when that happens are still up in the air.
Following a probe into Symantec's extensive certificate authority (CA) issues, the antivirus vendor was presented with a remediation plan backed by several web browser companies, including Google, Mozilla and Opera. A crucial part of the plan requires Symantec to either build a completely new public key infrastructure (PKI) for its certificates or to temporarily turn over its certificate issuance operations to one or more third-party CAs.
Mozilla suggested an Aug. 8 deadline for Symantec to turn over certificate issuance operations or to move to a new PKI. However, Symantec pushed back against that plan, claiming the timeline isn't feasible. The two sides have yet to agree on exactly when and how this dispute will be resolved.
In addition, rival CA Comodo Group Inc. announced it hired several "certificate industry veterans and leaders" from Symantec in recent months to strengthen its business development and channel efforts.
"We believe Symantec's governance and compliance problems over the past two years, which came to a head recently, made it difficult for the channel to do business with Symantec," Comodo CA President Michael Fowler told SearchSecurity.
Will Symantec's Aug. 8 deadline be pushed back? Or will Mozilla and the web browser community hold firm? Is Comodo angling to be the third-party CA that takes over Symantec's certificate issuance operations? In this episode of the Risk & Repeat podcast, editors Rob Wright and Peter Loshin discuss those questions and more on the topic of Symantec's certificate woes and the future of its CA business.