Symantec claim: "all SSL/TLS certificates" must be logged from June 1st

Rob Stradling

May 25, 2016, 10:11:02 AM
to ct-p...@chromium.org
A concerned Comodo reseller forwarded an email (which I've posted to
[1]) that they received from Symantec.

Please note this extremely misleading claim:
"Google is mandating that on June 1, 2016 all SSL/TLS certificates
must be published on the Certificate Transparency (CT) public logs
in order for a website to avoid an "Untrusted" warning on Google
Chrome."

All EV certs issued by all CAs must be logged (and SCTs must be
provided) in order to achieve the EV indicator in Chrome. But aside
from EV, Google have so far (AFAIK) only mandated that Symantec [2] and
CNNIC [3] must publish "all SSL/TLS certificates" they issue to CT.

A senior member of our Support team said:
"We've seen an increase in the number of CT questions of late, and it's
very likely due to this."

--
Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online


[1] https://gist.github.com/robstradling/dc66fd52f686d08a914bc88b2788856b

[2]
https://security.googleblog.com/2015/10/sustaining-digital-certificate-security.html

[3]
https://security.googleblog.com/2015/03/maintaining-digital-certificate-security.html

Rob Stradling

May 25, 2016, 10:15:07 AM
to ct-p...@chromium.org
I suspect that this DigiCert blog post is referring to the same
misleading email from Symantec:

https://blog.digicert.com/clearing-confusion-certificate-transparency-requirements

Please note DigiCert's misleading claim:
"Google now requires certain CAs to log all their SSL Certificates in
Google- and DigiCert-operated CT logs".

DigiCert's log is accepted by Chrome, but AFAIK Google do not mandate
that any CA MUST submit certificates to DigiCert's log.

Ryan Sleevi

May 25, 2016, 11:32:17 AM
to Rob Stradling, ct-p...@chromium.org
Rob,

Thanks for bringing this to our attention. I've CC'd some additional lists that include Chrome users who may have received such emails.

To be clear:
Beginning 1 June 2016, only certificates issued by Symantec Corporation from CAs operated by Symantec Corporation must conform with the Chromium CT Policy in order to be trusted. This was a result of the ongoing misissuance, and the failure to detect said misissuance, that we wrote about last October at https://security.googleblog.com/2015/10/sustaining-digital-certificate-security.html

The Chromium CT Policy does not mandate the use of a DigiCert-operated Log, and the only requirement to comply with the policy to remain trusted is, as you noted, for CNNIC and Symantec, as previously announced on the links you noted.

Peter Bowen

May 25, 2016, 11:32:39 AM
to Rob Stradling, ct-p...@chromium.org
On Wed, May 25, 2016 at 7:10 AM, Rob Stradling <rob.st...@comodo.com> wrote:
> A concerned Comodo reseller forwarded an email (which I've posted to [1])
> that they received from Symantec.
>
> Please note this extremely misleading claim:
> "Google is mandating that on June 1, 2016 all SSL/TLS certificates
> must be published on the Certificate Transparency (CT) public logs
> in order for a website to avoid an "Untrusted" warning on Google
> Chrome."
>
> All EV certs issued by all CAs must be logged (and SCTs must be provided) in
> order to achieve the EV indicator in Chrome. But aside from EV, Google have
> so far (AFAIK) only mandated that Symantec [2] and CNNIC [3] must publish
> "all SSL/TLS certificates" they issue to CT.

There are a couple of things here that I think are very confusing to users:

1) What does "all" mean? What happens if a CA does not log a
certificate? Can a customer request to not have their certificate
logged by the CA?
2) What is the browser user experience if evidence of logging is not provided?
3) For the named CAs, does that mean the company or the brand? If I
get a RapidSSL certificate does that count as Symantec?
4) What happens if I have an existing certificate from a named CA?
Does it stop working on June 1?

I think it would be very valuable to the whole WebPKI ecosystem and
all the Chromium users if there was Google hosted FAQ to help explain
this.

Thanks,
Peter

Ryan Sleevi

May 25, 2016, 12:19:49 PM
to Peter Bowen, Rob Stradling, ct-p...@chromium.org
Thanks for raising these concerns, and I'll try to address them.

On Wed, May 25, 2016 at 8:32 AM, Peter Bowen <pzb...@gmail.com> wrote:
> There are a couple of things here that I think are very confusing to users:
>
> 1) What does "all" mean?

That's a question for Symantec about language they announced (or possibly it was Rob or the reseller's confusion), but it was not in our announcement.

> What happens if a CA does not log a
> certificate?  Can a customer request to not have their certificate
> logged by the CA?


"After this date, certificates newly issued by Symantec that do not conform to the Chromium Certificate Transparency policy may result in interstitials"

In this case, a certificate that does not conform to the Certificate Transparency in Chrome Policy (linked to from https://www.chromium.org/Home/chromium-security/certificate-transparency ) and is not CT Qualified will not be trusted by default, and thus may result in interstitials.

We plan to allow Enterprises to configure this behaviour further, via Chrome Enterprise management, hence the language.

> 2) What is the browser user experience if evidence of logging is not provided?

"may result in interstitials"

> 3) For the named CAs, does that mean the company or the brand?  If I
> get a RapidSSL certificate does that count as Symantec?

"issued by Symantec" - RapidSSL is merely a brand name for Symantec, and certificates issued under the RapidSSL brand are issued by Symantec, the organization.

We provided further details for Symantec to share with their customers, who are the only ones affected by this, with respect to Symantec cross-certifying other organizations' independent infrastructure. These certificates are not issued by Symantec - they are wholly independent, with their own audit regime and infrastructure - and are exempt from this requirement. However, that's not a nuance site operators necessarily need to know, given how it works.

> 4) What happens if I have an existing certificate from a named CA?
> Does it stop working on June 1?

"certificates newly issued"

> I think it would be very valuable to the whole WebPKI ecosystem and
> all the Chromium users if there was Google hosted FAQ to help explain
> this.

Well, this isn't a frequently asked question (yet). So far, you're the only person who has asked these questions.

We will certainly be providing more comprehensive guidance for enterprises and affected users, but the announcement itself - https://security.googleblog.com/2015/10/sustaining-digital-certificate-security.html - already includes the details for the questions you've asked.

To some extent, these questions are the result of an email stating something different than what we've publicly and privately communicated, so the best clarification I can provide is to reiterate what has been publicly communicated, as that is and has been the consistent message.
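The thread turns on whether a certificate carries "evidence of logging", i.e. SCTs, and whether it is "CT Qualified" under the Chromium policy. As an added example (not code from this thread, nor from Google, Symantec or Comodo), the block below parses the embedded SCT list that RFC 6962 section 3.3 defines for the X.509 extension 1.3.6.1.4.1.11129.2.4.2, then applies the embedded-SCT count rule as I recall it from the 2016 Chromium CT policy (2 SCTs for a lifetime under 15 months, 3 up to 27, 4 up to 39, 5 beyond that, and at least one SCT each from a Google-operated and a non-Google log); verify those thresholds against the current policy text. The sample SCT bytes, the two log IDs and the signature bytes are constructed for the demo and are not real; no SCT signature is verified, and extracting the extension value from a certificate (e.g. with `openssl x509 -text`) is left to the reader.

```python
"""Parse an RFC 6962 SignedCertificateTimestampList and apply the embedded-SCT
count rule. Added example with constructed data; not Symantec or Google code."""
import struct
from dataclasses import dataclass

# X.509 extension OID carrying embedded SCTs (RFC 6962 section 3.3).
SCT_LIST_OID = "1.3.6.1.4.1.11129.2.4.2"


@dataclass
class SCT:
    version: int
    log_id: bytes        # SHA-256 of the log's public key
    timestamp_ms: int    # milliseconds since the Unix epoch
    extensions: bytes
    hash_alg: int        # TLS HashAlgorithm (4 = sha256)
    sig_alg: int         # TLS SignatureAlgorithm (3 = ecdsa)
    signature: bytes


def _take(buf: bytes, pos: int, n: int):
    """Return buf[pos:pos+n] and the new position, refusing to read past the end."""
    if pos + n > len(buf):
        raise ValueError("truncated SCT data")
    return buf[pos:pos + n], pos + n


def parse_sct(buf: bytes) -> SCT:
    """Parse one SignedCertificateTimestamp (v1 layout from RFC 6962 section 3.2)."""
    pos = 0
    version, pos = _take(buf, pos, 1)
    if version[0] != 0:
        raise ValueError("unknown SCT version %d" % version[0])
    log_id, pos = _take(buf, pos, 32)
    ts, pos = _take(buf, pos, 8)
    ext_len, pos = _take(buf, pos, 2)
    ext, pos = _take(buf, pos, struct.unpack(">H", ext_len)[0])
    algs, pos = _take(buf, pos, 2)                     # hash alg, sig alg
    sig_len, pos = _take(buf, pos, 2)
    sig, pos = _take(buf, pos, struct.unpack(">H", sig_len)[0])
    if pos != len(buf):
        raise ValueError("trailing bytes in SCT")
    return SCT(version[0], log_id, struct.unpack(">Q", ts)[0], ext, algs[0], algs[1], sig)


def parse_sct_list(data: bytes) -> list:
    """Parse the extension value: 2-byte total length, then length-prefixed SCTs."""
    pos = 0
    total, pos = _take(data, pos, 2)
    if struct.unpack(">H", total)[0] != len(data) - 2:
        raise ValueError("SCT list length mismatch")
    scts = []
    while pos < len(data):
        n, pos = _take(data, pos, 2)
        item, pos = _take(data, pos, struct.unpack(">H", n)[0])
        scts.append(parse_sct(item))
    return scts


def required_sct_count(lifetime_months: float) -> int:
    """Embedded-SCT thresholds as recalled from the 2016 Chromium CT policy (assumption)."""
    if lifetime_months < 15:
        return 2
    if lifetime_months <= 27:
        return 3
    if lifetime_months <= 39:
        return 4
    return 5


def embedded_scts_qualify(scts, lifetime_months: float, google_log_ids) -> bool:
    """Enough SCTs for the lifetime, with at least one Google and one non-Google log."""
    google = [s for s in scts if s.log_id in google_log_ids]
    other = [s for s in scts if s.log_id not in google_log_ids]
    return len(scts) >= required_sct_count(lifetime_months) and bool(google) and bool(other)


# --- constructed sample data (made-up log IDs and a dummy signature) ---
GOOGLE_LOG = bytes([0xAA]) * 32   # assumption: stands in for a Google-operated log
OTHER_LOG = bytes([0xBB]) * 32    # assumption: stands in for a non-Google log


def build_sct(log_id: bytes, timestamp_ms: int,
              signature: bytes = b"\x30\x06\x02\x01\x01\x02\x01\x01") -> bytes:
    """Serialize one length-prefixed v1 SCT with no extensions and a dummy signature."""
    body = (b"\x00" + log_id + struct.pack(">Q", timestamp_ms)
            + struct.pack(">H", 0)                      # no extensions
            + bytes([4, 3])                             # sha256 / ecdsa
            + struct.pack(">H", len(signature)) + signature)
    return struct.pack(">H", len(body)) + body


def build_sct_list(encoded_scts) -> bytes:
    body = b"".join(encoded_scts)
    return struct.pack(">H", len(body)) + body


def demo() -> dict:
    """Two SCTs (one per log) pass for a 12-month cert but not for a 24-month one."""
    ext = build_sct_list([build_sct(GOOGLE_LOG, 1464739200000),
                          build_sct(OTHER_LOG, 1464739200000)])
    scts = parse_sct_list(ext)
    return {"count": len(scts),
            "ok_12_months": embedded_scts_qualify(scts, 12, {GOOGLE_LOG}),
            "ok_24_months": embedded_scts_qualify(scts, 24, {GOOGLE_LOG})}


if __name__ == "__main__":
    print(demo())
```

The same count rule does not apply to SCTs delivered via the TLS extension or OCSP stapling, and a real check must also verify each SCT signature against the log's key and confirm the log was accepted by Chrome at the time; this block only shows the wire format and the counting step.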

Sanjay Modi

May 25, 2016, 3:53:12 PM
to Certificate Transparency Policy, pzb...@gmail.com, rob.st...@comodo.com, rsl...@chromium.org
This communication was sent to Symantec customers and partners for all certificates they issue through Symantec, including those from the Symantec, GeoTrust, Thawte and RapidSSL brands. There is no intention to cause any confusion here. If anyone is misinterpreting that communication from Symantec as applying to other CAs, feel free to clarify that it does not.

Clint Wilson

May 25, 2016, 5:44:12 PM
to Certificate Transparency Policy
Sorry about the poor wording there. We've updated the blog now.