On 15/10/15 10:54, Rob Stradling wrote:
> Rick, your report [1] states that...
>
> "...the certificates never left Symantec's secure test labs or the

A charitable reading of this might be "the private keys never left...". But yes, it might help to have more details on what exactly is being claimed here.

> QA test machine, and they were never visible to any end user...
> One of these test certificates with a CN=www.google.com was an
> Extended Validation (EV) test certificate and was logged to public
> Certificate Transparency (CT) log servers"
>
> IIUC, this statement claims that, out of all the certs/precerts listed
> in [2], the www.google.com precertificate [3] is the only one that "left
> Symantec's secure test labs".

It would be helpful to know if the test certificate generation software logged the certs it generated to CT. If so, would we not expect more of them to be there? If not, how did some of them end up there? Were they placed there manually as part of the test?

> - an EV cert for 123Symantec.com - see [6].

Note that that cert has a SAN for "san2.com", which is a domain owned by someone other than Symantec.

> Also, when I looked for evidence of any of the other certs in [2] in
> some of our historical SSL crawler logs, I was surprised to find that...

These findings are indeed surprising, although it seems more likely that there are problems with Symantec's list than threats to the CA system. Previous Symantec test certs I've seen have had Symantec in the O field, which is not true for these.

Rick: how are you determining which certs to add to your list? Are the ones Rob has found in the wild mistaken additions, or were they in fact test certs which were supposed not to leave the lab?

Gerv

_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy
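The two checks Gerv's message turns on, namely whether every name a test certificate binds (CN and SAN) falls under a domain the CA actually controls, and whether the subject O identifies the issuing lab, can be run mechanically over any cert pulled from a CT log. The following is an added example written for this page; it is not code from the thread, from Symantec, or from Rob's crawler. It builds a self-signed certificate with constructed names modelled on the ones discussed (CN=www.google.com, SANs 123Symantec.com and san2.com) and audits it against an assumed allowlist of CA-controlled domains and an assumed expected O string; both the allowlist and the O string are assumptions, not facts taken from the thread.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// Finding is one policy problem found in a certificate. Name is the DNS name
// that triggered it, or "" for a subject-level problem.
type Finding struct {
	Name   string
	Reason string
}

// ownedDomain reports whether name equals one of the owned registrable
// domains or is a subdomain of one (case-insensitive, trailing dot ignored).
func ownedDomain(name string, owned []string) bool {
	n := strings.ToLower(strings.TrimSuffix(name, "."))
	for _, d := range owned {
		d = strings.ToLower(strings.TrimSuffix(d, "."))
		if n == d || strings.HasSuffix(n, "."+d) {
			return true
		}
	}
	return false
}

// AuditTestCert applies the two checks a CA test-lab review should apply:
// every DNS name the cert binds (SAN dNSNames plus the subject CN) must be
// under a domain the CA controls, and the subject O must name the lab.
func AuditTestCert(cert *x509.Certificate, owned []string, expectedOrg string) []Finding {
	var findings []Finding
	names := append([]string{}, cert.DNSNames...)
	if cn := cert.Subject.CommonName; cn != "" {
		names = append(names, cn) // the CN counts even though modern clients ignore it
	}
	seen := map[string]bool{}
	for _, n := range names {
		if seen[n] {
			continue
		}
		seen[n] = true
		if !ownedDomain(n, owned) {
			findings = append(findings, Finding{n, "name is not under a domain the CA controls"})
		}
	}
	orgOK := false
	for _, o := range cert.Subject.Organization {
		if o == expectedOrg {
			orgOK = true
		}
	}
	if !orgOK {
		findings = append(findings, Finding{"", "subject O does not identify the test lab"})
	}
	return findings
}

// NewTestCert builds a self-signed certificate with the given subject O, CN
// and SAN list so the audit can run offline. The names passed in by callers
// are constructed for this example.
func NewTestCert(org, cn string, sans []string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		DNSNames:     sans,
		NotBefore:    time.Now(),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	if org != "" {
		tmpl.Subject.Organization = []string{org}
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	// Assumed allowlist and expected O; replace with the CA's real values.
	owned := []string{"symantec.com", "123symantec.com"}
	cert, err := NewTestCert("", "www.google.com", []string{"123Symantec.com", "san2.com"})
	if err != nil {
		panic(err)
	}
	for _, f := range AuditTestCert(cert, owned, "Symantec Corporation") {
		fmt.Printf("%-20s %s\n", f.Name, f.Reason)
	}
}
```

Run against a real cert, replace NewTestCert with x509.ParseCertificate over the DER fetched from the log entry; a precertificate parses the same way once the poison extension is tolerated by the parser in use. The CN is included in the name check deliberately: a test cert with CN=www.google.com is a policy problem regardless of whether any client would honour the CN.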

