Over the next year Google plans to issue warnings for more and more of the certificates issued under what it considers insecure processes.
Once issued, SSL certificates are valid for a fixed period unless revoked. Google's initial plan, announced in March, was to begin by distrusting certificates with a validity of over 33 months in Chrome 59, the current version, ratcheting that down to just 9 months in Chrome 64, due early next year. This would have had the effect of requiring all certificates to be reissued after April 2017 in order to continue working with Chrome.
Last week Google's Chrome team accepted a proposal from Symantec to reissue all certificates by Dec. 1, 2017, linking them to a new root certificate held by an independent Managed Partner Infrastructure. That proposal, however, makes no reference to a pending sale of Symantec's certificate business.
Pressure on certificate authorities to clean up their act is coming from other directions too. Last year the Certificate Authority Security Council issued new requirements for certificate issuers to get their processes up to scratch.
Although the most visible role of the certificates is in securing access to websites, they can also be used to identify servers to embedded devices in the internet of things, to secure connections to cloud computing services, and to encrypt traffic from smartphone apps.