Agreed. Mr. Richard has been upfront with his affiliation. That’s a pleasant switch.
Possibly, possibly not.
If I understand this correctly, the RAs involved had been issuing invalid certificates against third-party domains for testing purposes in Symantec’s name as CA. In such cases, the CA can contractually delegate the work to the RAs, but the CA remains responsible for the validity of the issued certificates. For whatever reasons - inadequate logging, inadequate auditing, improper and/or inadequate tools and procedures - these certs came to light after Symantec itself had been caught in the same problem, and had made a commitment to fix the problem. This is a simplification, to be sure, but I think it’s an adequate representation of the factual elements of the situation for people (such as myself) who aren’t involved in this end of the industry. (My own background is servers and operating systems - DEC/Compaq/HP in my case.)
Now, given the quite reasonable presumption that the practices leading to the problem have been going on for a while at Symantec and its licensees, Google’s numbers are, for an organisation responsible for a browser in significant use, conservative. If they know that invalid certificates have been issued by the RAs in the CA’s name, and they know that the CA has done similar in the past themselves, and that the CA is unable or unwilling to produce hard and fast figures for the RAs, and they (Google) have no real way of ascertaining the extent that this has happened previously, then no certs issued on the CA’s behalf by the licensees can be trusted. Google isn’t claiming that all of these are invalid: it’s claiming that it can’t verify which are and aren’t.
I repeat, when representing Google’s interests in the matter (and not coincidentally, ours, the users’), this is conservative. Limiting the number to what has recently been caught is not reasonable. Given the spanner a complete and immediate withdrawal of trust would throw into the works, Google’s phased withdrawal of trust is a reasonable compromise: it gives sites dependent on Symantec certs time to switch; it gives Symantec time to bloody well fix the problem.
Under the circumstances, I think that Google’s assumptions here aren’t unreasonable. I also think that Symantec’s claim that the numbers aren’t any greater than what has been caught, and that there isn’t a significant problem, is an extraordinary claim, and, like all such, requires extraordinary proof.