Google is tightening the thumbscrews on Symantec with a range of proposed penalty measures for its repeated misissuance of digital certificates.
Under the proposed measures, the validity period for newly-issued Symantec certificates trusted by Google's Chrome web browser will be reduced to nine months or less.
Existing Symantec-issued certificates will be distrusted by Chrome completely, requiring them to be reissued and revalidated. Depending on the version of Chrome, this could take between nine and 33 months, Google software engineer Ryan Sleevi said.
Sleevi also proposed that the extended validation (EV) status of Symantec certificates be removed immediately.
"Given the nature of these issues, and the multiple failures of Symantec to ensure that the level of assurance provided by their certificates meets the requirements of the baseline requirements or extended validation guidelines, we no longer have the confidence necessary in order to grant Symantec-issued certificates the “extended validation” status," Sleevi wrote.
"As documented with both the current and past misissuance, Symantec failed to ensure that the organisational attributes, displayed within the address bar for such certificates, meet the level of quality and validation required for such display."
This practice by Symantec could threaten the integrity of the transport layer security (TLS) system used to authenticate and secure connections and data over the internet.
Sleevi noted that Symantec-issued certificates accounted for more than 30 percent of all digital credentials in 2015.
However, Symantec has slammed Google's proposals as "irresponsible" and said it had only learnt of the proposed measures via a blog post.
It said no action is needed from its SSL/TLS customers and partners at this time.