7 comments

[ 3.7 ms ] story [ 29.3 ms ] thread
(comment deleted)
From the article:

> As Symantec is unwilling to specify the new purposes for these certificates, and as they are aware of the risk to Google’s users, they have requested that Google take preventative action by removing and distrusting this root certificate.

Why do you say they are "clearly not concerned"?

So.. Symantec has a public root CA, and now they want to use it for "other purposes"? Why abuse an existing root for this instead of generating a new CA? Why are we trusting these guys with any CA at all again?
The public notice the article links to doesn't say anything about "other purposes". Their headline is "Discontinued Use of VeriSign G1 Roots". It does comment about continued use of that cert for code signing, likely due to legacy trust stores.

To me, it sounds like they're trying to consolidate their image under the "Symantec" brand by moving browsers off the old "Verisign" root, but they don't think they can move code signing. However, since code signing is outside the scope of CAB, they're stopping their audits.

Or at least, that's my take.

By the way, a bunch of preloaded OEM binaries on ASUS machines are signed with that very certificate.