On Thu, May 4, 2017 at 11:30 PM, Steve Medin via dev-security-policy <
dev-security-policy@lists.mozilla.org> wrote:

> Gerv, thank you for your draft proposal under consideration. We have posted
> our comments and detailed information at:
> https://www.symantec.com/connect/blogs/symantec-ca-
> continues-public-dialogue

(Posting in my personal capacity.)

Symantec says that Google's and Mozilla's proposals to impose a shorter
certificate lifetime will harm their CA business and cause customers to
move to other CAs.

The last time that Symantec was targeted for selective technical
enforcement was when Google imposed a CT requirement on Symantec-issued
certificates. Symantec had already set up a CT log and advocated for an
ecosystem-wide CT requirement before then, and responded to Google's
requirement by continuing this advocacy.

But in this case, Symantec is rejecting the premise and stating that to
impose a 13-month limit industry-wide would require automation and not be
feasible for enterprises, and lead to increased operating costs:

We also do not believe that a 13-month validity limit should be imposed on
the CA industry *at this time* – a conclusion that is reinforced by the
recent CA/Browser Forum vote rejecting ballot 185, which proposed to limit
the maximum validity of SSL/TLS certificates issued by all CAs to 13
months. As we have stated in our public response, many enterprises are not
at the level of automation maturity necessary to practically and
cost-effectively adopt shorter validity certificates. For these
organizations, standardizing on shorter validity certificates would present
substantial increases in their operating costs.

I believe that Symantec's assessment of this issue, expressed in this post
and in their public voting statement on Ballot 185 [1], is seriously

While it's certainly true that enterprises would experience some pain and
cost, Symantec states that 13-month certificates would either require
automation to use, or would create such a workload increase that IT shops
would have to hire staff. This is unpersuasive, as Mozilla and Google and
others (myself included) have tried to communicate throughout the various
discussions on this issue since January.

Everyone has recognized that a decrease to 90-day certificates would likely
create such a situation. However, as someone who has worked in very large
enterprises myself, I do not believe that moving to an annual renewal
schedule is infeasible for the enterprise community to handle.

Yes, it will cost them something, but the organizations that feel the pain
most acutely will logically be the largest ones -- and the largest
enterprises will also have the resources to respond appropriately.

As importantly, Symantec should be embracing changes that move enterprise
customers along the path towards automation. My experience is that the lack
of progress on automation is one of the most toxic and self-destructive
features of the enterprise IT sector. At scale, a reliance on error-prone
and unscalable human processes for basic infrastructure maintenance is a
massive contributor to defense being so much more expensive than offense

Symantec's current proposal and blog post indicate that they are working to
create automation-friendly options for customers, but that's not nearly
sufficient to motivate the industry to change their behavior.

I believe that if Symantec changes their attitude and puts their full
weight behind shorter-lived certificates, it would indicate:

* A recognition that technical controls are superior to policy controls,
especially when a CA is of such a significant size that reliable policy
control enforcement becomes expensive.
* An understanding that Symantec's enterprise customers will always push
back on changes that create more work for them, but that Symantec's goal of
being an industry leader requires Symantec to lead their customers rather
than to follow their instructions.
* A belief that automation by default, on the part of both CAs and their
customers, is a collective action problem that is worth challenging the
industry to solve.

Those are the kinds of indicators that Mozilla and Google tend to weight
favorably in assessing the likelihood of future risk to users from a CA's
practices. So, I suggest that Mozilla and Google consider offering to drop
the portions of their proposals that limit Symantec's certificate lifetime,
if Symantec commits to supporting an industry-wide reduction in certificate
lifetimes to 13 months.

A commitment like this could take several forms, but to me it might look

* Symantec publicly and privately asking the browser programs to impose an
industry-wide reduction by a reasonable date, whether or not a majority of
browsers support it, and whether or not 2/3 of CAs support it.
* Symantec proposing a ballot to impose this through the CA/Browser Forum's
Baseline requirements.
* Symantec immediately beginning to communicate to their customers the
positive security benefits of moving to 13-month-or-less certificates, and
Symantec's clear expectation (and support for) this to happen industry-wide
in the near future.

This would remove the aspect of the proposal most likely to create
competitive impacts to Symantec's business, and significantly easing the
path towards reducing certificate lifetimes.

Even though Symantec isn't handling this crisis of confidence well, I
believe the intent of Symantec's employees is good -- that they are there
to do more than just make money, and want to make the world a more stable
and secure place. However, the identified issues and Symantec's responses
suggest that their business incentives are not well-aligned with this goal.

Given Symantec's resources and reputation, I believe Symantec reconsidering
their stance on short-lived certificates would be a meaningful way for
Symantec to address that misalignment, and I suggest that browsers open
this path for them to take.

-- Eric

[1] https://cabforum.org/pipermail/public/2017-February/009701.html
dev-security-policy mailing list

Reply via email to