On 10/28/15 2:14 PM, Kathleen Wilson wrote:
Google has blogged about this:

https://googleonlinesecurity.blogspot.com/2015/10/sustaining-digital-certificate-security.html


All,

We should discuss what actions Mozilla should require of Symantec, and what would be the penalty of not completing those actions.

Of course, we still do not have the final report from Symantec, which may change things.

According to the article, here is what Google is requiring of Symantec:

1) as of June 1st, 2016, all certificates issued by Symantec itself will be required to support Certificate Transparency

2) further update their public incident report with: A post-mortem analysis that details why they did not detect the additional certificates that we found. Details of each of the failures to uphold the relevant Baseline Requirements and EV Guidelines and what they believe the individual root cause was for each failure.

3) provide ... a detailed set of steps they will take to correct and prevent each of the identified failures, as well as a timeline for when they expect to complete such work. Symantec may consider this latter information to be confidential and so we are not requesting that this be made public.

4) undergo a Point-in-time Readiness Assessment and a third-party security audit ... <to> establish Symantec’s conformance to each of these standards: WebTrust CA, WebTrust BR, WebTrust EV

5) The third-party security audit must assess:
-- The veracity of Symantec’s claims that at no time private keys were exposed to Symantec employees by the tool.
-- That Symantec employees could not use the tool in question to obtain certificates for which the employee controlled the private key.
-- That Symantec’s audit logging mechanism is reasonably protected from modification, deletion, or tampering, as described in Section 5.4.4 of their CPS.


Do you all think we should simply require the same action items?

Is there need to duplicate all of these requirements?

Is there anything else we should require?

As always, I will appreciate your thoughtful and constructive input into this discussion.

Kathleen

_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy