Like all large Certificate Authorities, at Symantec we routinely evaluate whether certain public root certificates should continue to be in use, or repurposed for other non-browser facing applications. When that happens, we make formal requests to the major browsers and OS trust store providers to remove, or at least “un-trust” the root for securing websites.
In the last few years, we’ve been laying the groundwork with customers that root certificate PCA3-G1 was nearing the end of its life. In November, we followed up with several browsers still using it to let them know that it’s now time to remove or “un-trust” our PCA3-G1 root. We take care to ensure that the removal or “un-trusting” of any root will cause no harm or undue risk to the Internet ecosystem, particularly browser users.
While this root no longer makes sense for major browsers there are a number of enterprise customers who do rely on it. To serve their needs, we will reuse the root certificate in our private TLS offering for enterprise customers who have requested certificates for legacy software and legacy devices that sit behind corporate networks. Our records and public scans show that all customers have migrated away from using this root for any public use, and our testing leads us to believe that its removal poses no risk to browser users.
The recent flurry of conversation within the CA community about untrusting roots has opened our eyes to the need for more dialogue. Moving forward, you can expect to see regular posts from us. Our hope is it will spark open industry debate where we can all share ideas that will benefit anyone with an interest in website security.