On 10/28/15 21:30, Kathleen Wilson wrote:
> On 10/28/15 2:14 PM, Kathleen Wilson wrote:
>> Google has blogged about this:
>>
>> https://googleonlinesecurity.blogspot.com/2015/10/sustaining-digital-certificate-security.html
>>
>
> All,
>
> We should discuss what actions Mozilla should require of Symantec, and what
> would be the penalty of not completing those actions.
>
> Of course, we still do not have the final report from Symantec, which may
> change things.
>
> According to the article, here is what Google is requiring of Symantec:
>
> 1) as of June 1st, 2016, all certificates issued by Symantec itself will be
> required to support Certificate Transparency
>
> 2) further update their public incident report with: A post-mortem analysis
> that details why they did not detect the additional certificates that we
> found. Details of each of the failures to uphold the relevant Baseline
> Requirements and EV Guidelines and what they believe the individual root
> cause was for each failure.
Based on the tone of Symantec's blog post, I fear such an assessment will have
root causes like "employees failed to follow written domain validation
procedures". Such a result would be unfortunate, because it would provide
little insight into how the BRs and Mozilla's policies can be changed to
prevent misissuance in the future. If the root cause is going to be "human
error" of that sort, Mozilla should try to obtain an understanding of
Symantec's procedures that should have prevented it (training, policy
compliance monitoring, automation/UX provided by certificate issuance tools,
availability of test CAs, etc.).

[snip]

> Do you all think we should simply require the same action items?
>
> Is there need to duplicate all of these requirements?
>
> Is there anything else we should require?

On a different issue, I am curious whether any of the misissued certificates
were reviewed as part of the quarterly self-audit of a 3% random sample of
certificates required by the BRs.

> As always, I will appreciate your thoughtful and constructive input into
> this discussion.
>
> Kathleen
> _______________________________________________
> dev-security-policy mailing list
> https://lists.mozilla.org/listinfo/dev-security-policy

