Symantec slams Google's TLS cert penalty measures

Security vendor and digital certificate issuer Symantec has come out swinging against proposals by Google to penalise it for mis-issuing transport layer security (TLS) credentials.

Symantec's website security vice president and general manager Roxane Divol wrote in a message to the company's certificate authority (CA) customers that Google's proposals weren't in the best interest of the internet community. 

Google's proposed measures would see existing Symantec-issued TLS certificates distrusted over a period of time. This would require them to be revalidated and reissued by Symantec.

Newly-issued Symantec certificates would be valid for no longer than nine months, and credentials with the extended validation (EV) feature would see it removed immediately for at least one year.

Of the measures, Symantec said it supports proposed shorter validity periods for certificates across the entire industry. This would increase customer expense, but Symantec argued this could be offset by automated tools and procedures.

The proposed penalty measures come after Google accused Symantec of mis-issuing over 30,000 certificates and failing to validate such credentials properly.

Divol denied that Symantec's issuance practices were at fault, and accused Google of not telling the truth.

She slammed Google's statements about past certificate mis-issuance as "exaggerated and misleading" and claimed the scope of the mistake was limited.

"Google’s claim that we have mis-issued 30,000 SSL/TLS certificates is not true," Divol said.

"In the event referred to by Google, 127 certificates – not 30,000 – were identified as mis-issued, and they resulted in no consumer harm."

Divol said Symantec has taken "extensive remediation measures to correct this situation" including terminating its certificate mis-issuing partner's registration authority status.

Symantec also dumped its entire registration authority program as a result of the certificate mis-issuance, Divol said.

She said if Google's penalty measures take place, Symantec will reissue customers' certificates to ensure their websites, servers, and other applications continue to work across browsers.

The reissuance would be free of charge for customers.