"While all major CAs have experienced SSL/TLS certificate mis-issuance events, Google has singled out the Symantec Certificate Authority in its proposal even though the mis-issuance event identified in Google’s blog post involved several CAs," Symantec said.
The company will work to minimize any potential disruption caused by Google's proposal if it goes forward, but is open to discussing the matter with Google and finding a mutually agreed-on solution.
Meanwhile, Mozilla, which manages its own root certificate program, is also considering sanctions for Symantec and might have to align them with Google's.
"Now that Google have announced their action, it is unavoidable to note that it can be preferable for two root stores considering action against a CA to take broadly parallel approaches, so that the CA is not doubly penalised for the same actions," Mozilla's Gervase Markham wrote on the organization's security policy mailing list.
However, Markham noted that Google's plan is "at the strong end" of the options he was considering and that calibrating the level of response, which has to take into account previous precedents and sanctions against other CAs, is a difficult process.