Symantec SSL FAQs
Periodic Root Certificate Expiration
Q. What is a Certificate
Authority (CA) certificate?
A. A Certificate Authority signs all certificates that it issues with
its private key. The corresponding Certificate Authority public
key is itself contained within a certificate, called a CA Certificate.
A browser must contain this CA Certificate in its "Trusted Root
Library" in order to "trust" certificates signed by the CA's private
key.
The Symantec/RSA Secure Server Certificate Authority private key
is used to sign most of the SSL Certificates that Symantec issues
to its customers. All Netscape browsers since version 2.0 contain
the Symantec/RSA Secure Server Certificate Authority Certificate,
and therefore, all browsers currently trust Symantec certificates.
Other important Symantec CA certificates that are in Trusted Root
Libraries include those that correspond to the private keys of the
three Symantec Public CA Root certificates: PCA 1 and PCA 2 are
used to sign client Digital Certificates, and PCA 3 is used to sign Symantec's
Secure Site Pro IDs.
CA certificates are assigned a finite lifetime and expiration date;
however, SSL sessions still take place between Web site servers
and client browsers even when the current date is beyond the root
certificate's expiration date in the Root Library.
Q. What is periodic root
certificate expiration and why does it occur?
A. Periodic root certificate expiration, or root
rollover, is the systematic expiration of CA certificates. CA Certificates
are only issued for a finite period by design, because as computer
technology improves, older generations of encryption technology
become vulnerable due to newer, more powerful computers. As the
world's leading CA (Symantec is the only CA that is audited by KPMG
annually for adherence to its practices), Symantec wants to limit
the extent of older technology in circulation and to reduce the
risk associated with older products being more susceptible to attack.
So, Symantec issues root certificates that expire in 5 or 10 year
periods. When Symantec issued its first CA Certificate in 1995,
it set an expiration date for that root certificate of December
31, 1999. Consequently, the CA certificates in the Trusted Root
Libraries of certain older browsers will expire on December 31,
1999.
Q. What is a similar
example that I am familiar with?
A. The CA Certificate functions like a credit
card, which is only valid for a finite period and then expires on
a predetermined date. When the credit card expires, the issuing
credit card company "revokes" the old card and issues a new card
to the customer. Symantec and other Certificate Authorities function
similarly by issuing a CA Certificate for a limited period of time
and then issuing a new CA Certificate after the previous one
expires.
Q. How do I know if
I'm affected by periodic root certificate expiration?
A. Symantec's root certificates are present in
98% of the browsers available - more than any other CA in the world.
If you are using a Netscape browser Version 4.05 or earlier, then
you are affected. Most Microsoft users are not affected by this
problem because the earlier versions of their browsers do not check
for the expiration date of the CA certificates, and Symantec's most
current root certificates are installed in IE 4.0 browsers and beyond.
Also, a bug in Internet Explorer 4.5 for Macintosh will affect users'
experience of secured Web pages.
Symantec has developed the Browser Security Update tool to "sniff"
your browser and tell you what version of the Netscape browser you
are using. Please visit http://verisign.netscape.com/security/rootcert/
to run the free tool and find out in seconds if your browser is
affected.
Q. How widespread is
root certificate expiration among Internet users?
A. There is no impact on Microsoft browsers, which
cover 72% of the market, with the exception of Microsoft Internet
Explorer 4.01 and 4.5 for Macintosh.
Symantec's pending root certificate expiration (1/1/2000) is localised
to a very small and rapidly decreasing percentage of Netscape users.
Netscape and Symantec estimate that only between 10-15% of today's
Netscape user base is currently affected (i.e. Netscape browser
4.05 or earlier). However, this population is rapidly decreasing,
and is expected to quickly fall to less than 4% by 12/31/99 as Netscape
users continue to upgrade their browsers.
Symantec's most current root certificates are installed in each
of the last seven Netscape browsers: 4.06, 4.07, 4.08, 4.5, 4.5.1,
4.6, 4.7. They will also continue to be automatically included
in all future browser releases. Anyone who upgrades this year from
between 3.x and 4.x versions of Netscape will go to at least version
4.08, and thus be unaffected.
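The version check described in the two answers above, written out as an added
example. It is not Symantec's Browser Security Update tool and not code from
this page; the function names, the result fields and the sample User-Agent
strings are constructed for illustration.

```javascript
// Added example: classify a User-Agent string against the affected versions
// named in this FAQ. All names here are hypothetical.

// "4.05" -> 405, "4.5" -> 450, "4.51" -> 451, so versions compare as integers
// and 4.5 correctly sorts after 4.08.
function versionToInt(text) {
  const m = /^(\d+)\.(\d{1,2})/.exec(text);
  if (!m) return null;
  return Number(m[1]) * 100 + Number(m[2].padEnd(2, "0"));
}

function classifyBrowser(userAgent) {
  const ua = String(userAgent || "");
  const msie = /MSIE (\d+\.\d+)/.exec(ua);
  if (msie) {
    const v = versionToInt(msie[1]);
    const isMac = /Mac/i.test(ua);
    // The FAQ singles out Internet Explorer 4.01 and 4.5 for Macintosh.
    const affected = isMac && (v === 401 || v === 450);
    return { browser: "Internet Explorer", version: msie[1], affected };
  }
  // Assumption: a "Mozilla/x.y" agent without an MSIE token is Netscape.
  const moz = /^Mozilla\/(\d+\.\d+)/.exec(ua);
  if (moz) {
    // The FAQ states that Netscape 4.05 and earlier are affected.
    const v = versionToInt(moz[1]);
    return { browser: "Netscape", version: moz[1], affected: v <= 405 };
  }
  return { browser: "unknown", version: null, affected: null };
}

// Constructed sample User-Agent strings.
const SAMPLE_AGENTS = [
  "Mozilla/3.04 (Win95; I)",
  "Mozilla/4.05 [en] (Win95; I)",
  "Mozilla/4.06 [en] (WinNT; U)",
  "Mozilla/4.5 [en] (Win98; I)",
  "Mozilla/4.0 (compatible; MSIE 4.5; Mac_PowerPC)",
  "Mozilla/4.0 (compatible; MSIE 4.01; Windows 95)",
];

// Returns one classification per sample, in order.
function classifySamples() {
  return SAMPLE_AGENTS.map((ua) => classifyBrowser(ua));
}
```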
Q. Is the periodic root
certificate expiration a security problem?
A. The user will encounter a dialog box indicating
that the root certificate has expired and prompting the user to
check their computer's clock. Users are given the option to continue.
Users who choose to continue will establish an authenticated and
encrypted SSL session. However, users of export versions of Netscape
browsers 4.04 and earlier will establish SSL sessions at 40 bits,
rather than at 128 bits, when accessing sites secured with a Symantec
Secure Site Pro ID. Symantec and Netscape nevertheless recommend that
users upgrade their browsers to the most recent version at the
next convenient opportunity.
Q. Does root certificate expiration increase the likelihood that
my information will be compromised?
A.
SSL will still be active for the session, so all information passed
between your browser and the Web site server with which you are communicating
will be encrypted. Users who choose to continue will establish
an authenticated and encrypted SSL session. However, users of export
versions of Netscape browsers 4.04 and earlier will establish SSL
sessions at 40 bits, rather than at 128 bits, when accessing sites
secured with a Symantec Secure Site Pro ID.
Q. Is periodic root certificate expiration a Y2K problem?
A.
No. This is not a Y2K problem, but simply the periodic expiration
of CA root certificates that all Certificate Authorities experience.
Q. What about other Certificate Authorities?
A. The GTE CyberTrust root certificate in versions
of Netscape up to 4.05 will also expire on 12/31/99. The root certificates
to which Entrust chains expired in the 3.X versions of Netscape
on 6/1/98. Some root certificates used by Entrust have already expired,
disabling encryption capabilities and access to secure transactions
for certain versions of Netscape and Microsoft browsers.
Q. Will root certificate expiration happen again?
A. The new Symantec RSA root certificates installed
in the later-version Netscape and Microsoft browsers do not expire
until 2010. The Class 1, 2 and 3 PCA root certificates will expire
in 2004. Symantec, Netscape and Microsoft have made every effort
to ensure that the proper CA Certificates are installed in future
versions of their browsers. However, none of the companies can control
what versions of browsers are used. Both Microsoft and Netscape
prefer that users upgrade to the most current versions of their
software.
Symantec has chosen the next root certificate expiration dates to
ensure that as computer technology grows more powerful, users will
be motivated to use the most current software and services available
to ensure the long-term integrity of the Public Key Infrastructure.
Q. Will root certificate expiration affect all Web sites?
A. No. Symantec has been working with all of
the major server software vendors to ensure that the new Symantec
root certificates are installed in major server software packages.
Additionally, Symantec will be working with all Symantec Server
ID customers to inform, educate and provide them with tools
that will help visitors "sniff" their browsers and upgrade to a
higher-version browser.
Q. Who is responsible for root certificate expiration?
A. As discussed above, setting reasonable root
certificate expiration times is a necessity for secure computing
practices. When the Symantec/RSA Secure Server CA certificate was
generated in 1994, technical and practices considerations dictated
that the expiration date be set at 12/31/99. This CA certificate
was then placed in the Netscape 3.X browsers.
In early 1997, Symantec determined that a new CA certificate could
be generated with an expiration date in 2010. Symantec provided this
CA certificate to Netscape for inclusion in the 4.x browsers. However,
technical limitations prevented Netscape from including this newer
CA certificate in browsers from 4.01-4.05. The newer Symantec CA certificates
have been included in all versions of Netscape since 4.06, which was
released in mid 1998.
Q. What have Symantec and Netscape been doing to inform users
of this situation?
A. Symantec and Netscape began informing people
of the situation on 1/1/99 to give users a full year to upgrade
their browsers. Symantec has included a notice regarding root certificate
expiration as part of the standard enrolment process for server
certificates since December 1998.
Q. What else are Symantec and Netscape doing to address the root
certificate expiration?
A. As you may know, Symantec and Netscape announced
a partnership: http://www.verisign.com/press/1999/pr_netscape.html.
As part of this partnership, Symantec will serve as Netscape's premier
Certificate Authority and will work on many security-related
projects.
As part of this partnership, Symantec and Netscape have unveiled a
joint campaign to upgrade all users to Netscape 4.07 or higher. Upgrading
offers users a smarter browser, better overall security (there are
known bugs in many lower versions of browsers), and enhanced email
capabilities. This fits into Netscape's plan to better integrate its
browsers with Netcenter. Netscape's most current browser is 4.5, and
they will soon be releasing version 5.0.
Symantec will also provide its Server ID customers with the
Browser Security Update Tool, which can be used to sniff a
Web site visitor's browser and to recommend upgrading, if necessary.
Currently, many banks and financial institutions have their own browser
sniffing tools that check for strong encryption ability (128-bit SSL).
The campaign to upgrade browsers to at least Navigator 4.0 and IE
4.0 is being done in parallel to enable all users to use strong encryption,
which will further reduce the remaining group of users that will be
affected by the periodic root certificate expiration.
Symantec has implemented various communication programs to inform
its customers of the details of periodic root certificate expiration.
Q. What steps should I take to address periodic root certificate
expiration?
A. a) End user or home user? Your best and easiest
solution is to upgrade your browser to Netscape Navigator 4.08 or
above or to use Microsoft Internet Explorer Version 4.5 or above. Users of Internet
Explorer 4.01 or 4.5 for Macintosh should upgrade to the latest version
of Internet Explorer.
b) Web site merchant?
Symantec has developed a full resource for Webmasters at
http://www.verisign.com/server/cus/rootcert/webmaster.html
c) Enterprise user/manager?
Both Netscape and Symantec will be hosting a special communications
program for Enterprise customers to provide specific instructions
for upgrading their Netscape browsers. Both Netscape and Symantec
strongly recommend upgrading users to at least 4.07. However, Symantec
and Netscape will also provide information on the use of Netscape's
"Mission Control" utilities to install newer root certificates into
older browsers.
d) ISP system administrator? Placing the
Browser Security Update tool in your SSL or Security FAQ posted
on your site would be the first step to educating your customers
about the periodic root certificate expiration and what they need
to do to avoid any inconvenience when accessing SSL sites. Other
possible options include linking an explanation when the user enrols
for your e-commerce Web hosting package. Symantec will contact its
ISP channel customers with more information via a newsletter and
with each Server ID Renewal notice throughout 1999.
Q. What if I don't want to upgrade my browser?
A. Simply choose "continue" to click past the
root CA certificate expiration dialog box if it appears after December
31, 1999 when you access a secure Web page. Your communications
with the site will be encrypted by SSL. Users who choose to
continue will establish an authenticated and encrypted SSL session.
However, users of export versions of Netscape browsers 4.04 and
earlier will establish SSL sessions at 40 bits, rather than at 128
bits, when accessing sites secured with a Symantec Secure Site Pro
ID.
Q. What do I do if I've already installed new root certificates
in my Netscape Communicator browser?
A. Some users of the affected browser may have
updated their browsers with new root certificates; however, these
certificates may not prevent the root expiration dialog box from
appearing after December 31, 1999. Symantec and Netscape recommend
that all users of Netscape Communicator version 4.05 or earlier
upgrade to the latest version of Netscape Communicator before December
31, 1999.