
Already on probation, Symantec issues more illegit HTTPS certificates - agwa
http://arstechnica.com/security/2017/01/already-on-probation-symantec-issues-more-illegit-https-certificates/
======
zie
Here is the Mozilla discussion on this; it seems they are waiting on Symantec
to investigate:

[https://groups.google.com/forum/#!topic/mozilla.dev.security...](https://groups.google.com/forum/#!topic/mozilla.dev.security.policy/fyJ3EK2YOP8)

------
captncraig
So they're done, right? Why should we not immediately un-trust their root?

~~~
pfg
"Too big to fail" would be the usual argument. They're currently the
third-largest CA in the industry. Pulling the root completely would desensitize a
lot of users to the error interstitials, causing more harm than good.

However, a number of browsers now have experience with distrusting CAs only
after a certain cut-off date while still accepting old ones (and some even
make an attempt to prevent the CAs from bypassing that check by backdating
certificates), so Symantec is certainly treading on thin ice.

