On 10/28/15 2:30 PM, Kathleen Wilson wrote:
On 10/28/15 2:14 PM, Kathleen Wilson wrote:
Google has blogged about this:

https://googleonlinesecurity.blogspot.com/2015/10/sustaining-digital-certificate-security.html

All,

We should discuss what actions Mozilla should require of Symantec, and
what would be the penalty of not completing those actions.


Thanks to all of you who have been providing thoughtful and constructive input into these discussions.

I think we should create a Bugzilla bug with the following requirements:

1) Finish helping us update OneCRL with the appropriate records
https://bugzilla.mozilla.org/show_bug.cgi?id=1214321#c20

2) Provide a set of steps Symantec will take (or has taken) to correct and prevent each of the identified failures, as well as a timeline for when they expect to complete such work.

3) The third-party security audit (may be part of the annual audits) must assess:
- The veracity of Symantec’s claims that at no time private keys were exposed to Symantec employees by the tool.
- That Symantec employees could not use the tool in question to obtain certificates for which the employee controlled the private key.
- That Symantec’s audit logging mechanism is reasonably protected from modification, deletion, or tampering, as described in Section 5.4.4 of their CPS.

4) As of June 1st, 2016, all certificates issued by Symantec itself will be required to support Certificate Transparency and be published in CT.

Other suggested action items I don't think we need to track:
- They already updated their incident report. I doubt we'll get any more in that regard.
- Their annual audit is probably happening about now or soon, so requiring a separate point-in-time assessment or another type of assessment is probably duplicate effort.
- Notify all their cert holders about this incident -- I don't think that's actually a reasonable requirement, and I don't think it improves security, because there is no real action to suggest for the customers -- I don't think switching to a different CA guarantees better security.

Thanks,
Kathleen

_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy