
Proactive measures in digital certificate security - ctz
https://googleonlinesecurity.blogspot.com/2015/12/proactive-measures-in-digital.html
======
0x0
So.. Symantec has a public root CA, and now they want to use it for "other
purposes"? Why abuse an existing root for this instead of generating a new CA?
Why are we trusting these guys with any CA at all again?

~~~
dlgeek
The public notice the article links to doesn't say anything about "other
purposes". Their headline is "Discontinued Use of VeriSign G1 Roots". It does
comment about continued use of that cert for code signing, likely due to
legacy trust stores.

To me, it sounds like they're trying to consolidate their image under the
"Symantec" brand by moving browsers off the old "Verisign" root, but they
don't think they can move code signing. However, since code signing is outside
the scope of CAB, they're stopping their audits.

Or at least, that's my take.

------
svenfaw
By the way, a bunch of preloaded OEM binaries on ASUS machines are signed with
that very certificate.

------
yuhong
This is one of the old VeriSign 1024-bit roots. This and most of the other
1024-bit roots were removed or restricted to email in Mozilla some time ago
(the last remaining one is Equifax). They had been considered obsolete for a
long time.

~~~
magicalist
Yes, more information here:
[https://blog.mozilla.org/security/2014/09/08/phasing-out-certificates-with-1024-bit-rsa-keys/](https://blog.mozilla.org/security/2014/09/08/phasing-out-certificates-with-1024-bit-rsa-keys/)

