[aklug] Chrome deprecation of certs issued by Symantec-owned CAs

Royce Williams royce at tycho.org
Wed Mar 29 11:57:30 AKDT 2017


Urgency: not immediate - but it could impact some sites as soon as June,
and could take some lead time to get ready, so analyze soon. And if you
depend on visible signs of Extended Validation, that will be impacted
almost immediately.

Impact: Chrome will start distrusting Symantec certs (as well as Thawte,
Verisign, and other CA properties owned by Symantec) on a graduated
timeline, depending on age and duration of cert. They will also stop
showing visible signs of Extended Validation (EV) certs immediately.

Google announcement and discussion:


https://groups.google.com/a/chromium.org/forum/#!msg/blink-dev/eUAKwjihhBs/rpxMXjZHCQAJ

Good summary of the practical upshot, with timelines:

    https://github.com/sleevi/explainer/blob/master/README.md

Alternate checking tool:

    https://www.renditioninfosec.com/socapps/sslcheck/index.php

I also have a feature request in with Qualys to add this to the SSL Labs
Server Test

    https://github.com/ssllabs/ssllabs-scan/issues/477

Royce
-- 
Royce Williams <http://www.techsolvency.com/roycewilliams/>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.aklug.org/pipermail/aklug/attachments/20170329/6a27a550/attachment.html>


More information about the aklug mailing list