The Chrome team said in a statement that its investigation, under way since 19 January, had elicited answers from Symantec that pointed to certificate mis-issuance on a growing scale.
An initial set of 127 mis-issued certificates had grown to nearly 30,000, issued over several years, the team said.
Additionally, there was a previous instance of mis-issued certificates, in October 2015. In that case, 23 test certificates had been issued without the domain owner's knowledge, covering five organisations including Google and Opera.
The Chrome team said it was proposing to take the following steps:
- A reduction in the accepted validity period of newly issued Symantec-issued certificates to nine months or less, in order to minimise any impact to Google Chrome users from any further mis-issuances that may arise;
- An incremental distrust, spanning a series of Google Chrome releases, of all currently-trusted Symantec-issued certificates, requiring they be revalidated and replaced; and
- Removal of recognition of the Extended Validation status of Symantec-issued certificates, until such a time as the community could be assured of the policies and practices of Symantec, but no sooner than one year.
The statement also accused Symantec of not providing timely public updates about these issues.
"Despite having knowledge of these issues, Symantec has repeatedly failed to proactively disclose them. Further, even after issues have become public, Symantec failed to provide the information that the community required to assess the significance of these issues until they had been specifically questioned," the statement said.
"The proposed remediation steps offered by Symantec have involved relying on known-problematic information or using practices insufficient to provide the level of assurance required under the Baseline Requirements and expected by the Chrome Root CA Policy."
The Chrome team said it would be gradually reducing the level of trust in all Symantec-issued certificates as per the following timetable:
- Chrome 59 (Dev, Beta, Stable): 33 months validity (1023 days);
- Chrome 60 (Dev, Beta, Stable): 27 months validity (837 days);
- Chrome 61 (Dev, Beta, Stable): 21 months validity (651 days);
- Chrome 62 (Dev, Beta, Stable): 15 months validity (465 days);
- Chrome 63 (Dev, Beta): 9 months validity (279 days);
- Chrome 63 (Stable): 15 months validity (465 days); and
- Chrome 64 (Dev, Beta, Stable): 9 months validity (279 days).
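The schedule above, together with the nine-month cap proposed for newly issued certificates, amounts to a per-release limit on the validity period (notAfter minus notBefore) of a Symantec-issued certificate. The following is an added example, not code from the article or from the Chrome team, that models that schedule and reports, for a few constructed sample certificates, the first Chrome release that would reject each one. The day counts on the page are the month counts multiplied by 31, which the example uses as its conversion; the sample certificate dates are constructed for illustration.

```python
"""Added example (not from the article or the Chrome team): model the
proposed per-release cap on the validity period of Symantec-issued
certificates and check constructed sample certificates against it."""
from datetime import datetime

# The article's day counts are its month counts times 31 days.
DAYS_PER_MONTH = 31

# (Chrome major version, channel, maximum validity in months), in the
# order the article lists them.
SCHEDULE = [
    (59, "dev", 33), (59, "beta", 33), (59, "stable", 33),
    (60, "dev", 27), (60, "beta", 27), (60, "stable", 27),
    (61, "dev", 21), (61, "beta", 21), (61, "stable", 21),
    (62, "dev", 15), (62, "beta", 15), (62, "stable", 15),
    (63, "dev", 9),  (63, "beta", 9),  (63, "stable", 15),
    (64, "dev", 9),  (64, "beta", 9),  (64, "stable", 9),
]

# Constructed sample certificates: (notBefore, notAfter). Not real certs.
SAMPLE_CERTS = {
    "three-year": (datetime(2016, 2, 1), datetime(2019, 2, 1)),   # 1096 days
    "two-year":   (datetime(2017, 1, 1), datetime(2019, 1, 1)),   # 730 days
    "one-year":   (datetime(2017, 3, 1), datetime(2018, 3, 1)),   # 365 days
    "six-month":  (datetime(2017, 3, 1), datetime(2017, 9, 1)),   # 184 days
}


def max_accepted_days(chrome_major: int, channel: str = "stable") -> int:
    """Longest validity period, in days, accepted for a Symantec-issued
    certificate by the given Chrome release and channel."""
    channel = channel.lower()
    for major, chan, months in SCHEDULE:
        if major == chrome_major and chan == channel:
            return months * DAYS_PER_MONTH
    raise ValueError(f"no schedule entry for Chrome {chrome_major} ({channel})")


def validity_days(not_before: datetime, not_after: datetime) -> int:
    """Validity period as whole days from notBefore to notAfter."""
    if not_after <= not_before:
        raise ValueError("notAfter must be later than notBefore")
    return (not_after - not_before).days


def is_accepted(not_before: datetime, not_after: datetime,
                chrome_major: int, channel: str = "stable") -> bool:
    """True if the certificate's validity period fits under the cap."""
    return validity_days(not_before, not_after) <= max_accepted_days(chrome_major, channel)


def first_rejecting_release(not_before: datetime, not_after: datetime):
    """Walk the schedule in release order and return the first
    (major, channel) that would reject the certificate, or None if every
    listed release accepts it."""
    days = validity_days(not_before, not_after)
    for major, chan, months in SCHEDULE:
        if days > months * DAYS_PER_MONTH:
            return (major, chan)
    return None


def replacement_report(certs=SAMPLE_CERTS):
    """Map each certificate name to the first release that rejects it;
    a site operator would need a replacement before that release ships."""
    return {name: first_rejecting_release(nb, na) for name, (nb, na) in certs.items()}


if __name__ == "__main__":
    for name, hit in replacement_report().items():
        nb, na = SAMPLE_CERTS[name]
        status = "accepted by all listed releases" if hit is None else f"first rejected by Chrome {hit[0]} ({hit[1]})"
        print(f"{name:10s} {validity_days(nb, na):5d} days  {status}")
```

The report answers the question a site operator would ask: a certificate with a three-year validity period already exceeds the 1023-day cap of Chrome 59, a two-year certificate falls at Chrome 61, and a one-year certificate survives until the Chrome 63 Dev and Beta channels drop the cap to 279 days while Chrome 63 Stable still accepts it.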
While the issue had been communicated to Mozilla, Microsoft and Apple, the Chrome team said: "Assessing the compatibility risk with both Edge and Safari is difficult, because neither Microsoft nor Apple communicate publicly about their changes in trust prior to enacting them."
It said that while Mozilla conducted its discussions about Certificate Authorities in public, Mozilla had not yet started discussing how best to protect users of its Firefox browser.
"Our hope is that this proposal may be seen as one that appropriately balances the security and compatibility risks with the needs of site operators, browsers, and users, and we welcome all feedback," the statement said.