A bold move on Google’s part, to take this radical of an action against such a big player in certification without clearing it with anyone else first. Not a good sign for the viability and usefulness of the CA/Browser forum. A lot will depend on how the rest of the industry reacts. We’ll see if this position is firm on Google’s part, or if they’re willing to negotiate with Symantec - I’m guessing no. We’ll see if any of the other big players on the browser side join in with Google - Microsoft, Apple, Mozilla. It already looks a little suspicious that they didn’t all announce together. Seems like Google either didn’t tell them, or they didn’t agree to do something this radical this soon, and if they didn’t tell them, it would likely be because they think they’d have trouble getting them to agree, so better to act first and let the others follow.
Then what, if anything, will the CAs do? I can’t think of much of anything for Symantec to do, besides try to convince the other browser makers not to join in. They may try to convince other CAs to do something, out of fear that Google is powerful enough to do this. Perhaps they might all abandon the CA/Browser forum at once? Refuse to change practices at all, and let the browsers be seen as broken?
There’s essentially a war between the browsers/security researchers, and the CAs and companies that actually have to deploy and manage this stuff. I can see both sides have their points, but I do think that the CAs and companies seem to be dragging their feet excessively at the expense of their users' and customers' security. I’m going to hope that the browsers win this one, but that it’s messy and expensive enough for them that it doesn’t go to their heads. Google already has a bit too much customer indifference, thinking they can shut down or cancel things on a whim and whoever is negatively affected will just have to deal with it, or at least that’s the perception within the tech community. I don’t want them to come out of this saying “Wow, that was easy and worked great! We ought to push the CAs harder on deprecating old things.”
“Therefore, we propose to remove [EV] indicators, effective immediately,”
Dutch bank https://www.ing.nl using a Symantec cert already lost the EV mark in Google Chrome, while Chromium/Firefox display the EV mark.
Seems they switched to a new CA already today (Entrust).
Interested to get lobsters' take on this …
Good riddance. Symantec has been a bad actor in the CA market for almost a decade now.
Schadenfreude at best. It’s great Google is putting “security” vendors in place, shame it has to be Google, not some more ethical company.
Less nervous about the CA system now. Because they’d bought so many popular brand names like Verisign and Thawte, we’re in a situation where Symantec are effectively “too big to fail” in the CA market. Gradually cutting them off like this will eventually alleviate that situation.