I like to share the experience we suffered from distrust, it is disastrous for 
CA and its customers to replace the certificate that exceed your imagination 
that we are still working for this since October 2016 that nearly six months 

Due to the quantity of Symantec customers is more than WoSign and most 
companies are bigger than WoSign's customers, I am sure that the 
interoperability and compatibility failures could bring big problem to 
Symantec, to Symantec customers and the Browser users.

I think Symantec's proposal is good and will benefit its customers that it will 
not make the world mess.


Best Regards,


-----Original Message-----
From: dev-security-policy 
[mailto:dev-security-policy-bounces+richard=wosign....@lists.mozilla.org] On 
Behalf Of Steve Medin via dev-security-policy
Sent: Thursday, April 27, 2017 8:48 AM
To: mozilla-dev-security-pol...@lists.mozilla.org
Subject: RE: Symantec Conclusions and Next Steps

Feedback from our Enterprise Customers 

In addition to our review of public commentary on these issues, we have also 
sought input and feedback from Symantec customers on the compatibility and 
interoperability impact of the significant changes that could result from the 
implementation of Google’s proposal. These customers include many of the 
largest financial services, critical infrastructure, retail and healthcare 
organizations in the world, as well as many government agencies. This cohort is 
an important constituency that we believe has been under-represented to date in 
the public commentary that has been posted to the Google and Mozilla boards 
since large organizations rarely authorize employees to engage in such public 
discussions, particularly in an area related to security. We first solicited 
feedback to understand the disruption that a browser-initiated trust change, 
like the one proposed by Google, would cause organizations that opt to replace 
their existing SSL/TLS certificates in order to maintain interoperability with 
all browsers. We learned that these organizations’ publicly facing web 
applications, while extensive, only represent a fraction of their dependency on 
publicly trusted Symantec roots. Many large organizations have complex, and 
potentially undocumented and little-known dependencies on their certificate 
infrastructure. Examples of complex dependencies on Symantec public roots that 
our customers have shared or we have identified include:

- Embedded devices that are pinned to certificates issued by a Symantec public 
root to communicate to resources over the Internet or Intranet. Replacing these 
certificates would result in immediate failures and the need to recode and 
reimage the firmware for these devices.
- Mobile applications that have pinned certificates. Replacing server 
certificates would require these applications to be recoded, recompiled and 
- Critical infrastructure organizations that use certificates issued off of 
Symantec roots to validate internal and external resources. In many cases the 
applications being used are pinned to Symantec certificates.
- Some large organizations use certificates chained to Symantec public roots 
for nearly all internal applications and communications. Many of these 
organizations are under regulatory requirements to encrypt even internal 

Additionally, many of these organizations estimate that just the planning 
process to prepare to move to a new certificate authority could take many 
months and in some cases years because of unknown and undocumented 
dependencies. Moreover, few large enterprises that we’ve received feedback from 
have implemented the level of certificate lifecycle automation required to 
enable safe and cost-effective adoption of shorter validity certificates. We 
believe that it is important for the broader community to understand and give 
more weight to these compatibility and interoperability risks, particularly 
given the fact that many of these organizations are prohibited from commenting 
publicly on these topics. 

To give a perspective of scale, Symantec secures more than 80% of the world’s 
ecommerce transactions through its certificate infrastructure. Additionally, 
Symantec is the world’s largest provider of Organization Validation (OV) and 
Extended Validation (EV) certificates which are primarily used by large 
enterprises. Many of these certificates sit inside corporate and government 
networks and are an important part of the trust fabric of internal 

In short, our assessment based on customer feedback is that the 
interoperability and compatibility failures that could result from a 
large-scale certificate replacement or invalidation event would be significant 
and unpredictable.

dev-security-policy mailing list

Reply via email to