Steve,

While I understand that your investigation is ongoing, this does seem
extremely similar, if not identical, to Symantec's previous misissuance.

In that previous incident, Symantec took a number of steps - beginning with
reportedly immediately terminating the employees responsible and then
continuing to a comprehensive system overhaul, as detailed at
https://www.symantec.com/page.jsp?id=test-certs-update#

What is particularly concerning here is that your current explanations
suggest that either they are incomplete, or that Symantec's previous
answers were either misleading or incorrect. This is extremely concerning,
and I'm hoping you can clarify with answers to the following questions,
independent of your ongoing investigation and as soon as possible:

1) In response to the previous incident, Symantec indicated they hold a "no
compromise" bar for such breaches in the post titled "A tough day as
leaders". [1]
  a) Do you believe that the steps to "reduce privileges" represent a
consistent application of that standard?
  b) If not, what additional steps are you taking, consistent with your "no
compromise" standard?

2) In response to the previous incident, Symantec indicated that the use of
any privileged test tool would require senior leader justification from
both QA and Production Operations teams and approvals from the heads of
Engineering and Policy Compliance. [2]
  a) Did Symantec mean that this was limited to validations performed by
Symantec, and not that of Registration Authorities fulfilling the duties
pursuant to Section 1.3.2 of the Baseline Requirements?
  b) At the time Symantec made this statement, did Symantec have any
Registration Authorities fulfilling the duties pursuant to Section 1.3.2 of
the Baseline Requirements?
  c) If such a statement was meant to be limited to Symantec, and not that
of Registration Authorities, why did Symantec not feel it was appropriate
to highlight that it did not extend to activities performed by Registration
Authorities?
  d) If such a statement was not meant to be limited to Symantec, was such
a justification provided, and approvals granted, for the tool that allowed
such Registration Authorities to issue these certificates?

3) In response to the previous incident, Symantec indicated a comprehensive
review of issuance privileges was conducted to ensure only authorized
personnel have the ability to issue certificates, and that a quarterly
access review would be conducted to ensure this. [2]
  a) Did such comprehensive review include that of Registration Authorities?
  b) If not, why did Symantec not disclose that Registration Authorities
were excluded?
  c) Is Symantec currently performing access reviews of Registration
Authorities?
  d) If so, when does Symantec expect this to be completed?

4) In response to the previous incident, Symantec indicated it updated its
internal policies and procedures for test certificates as used for
commercial certificates. Further, it indicated that QA engineers and
authentication personnel were trained on updated practices for test
certificates. [2]
  a) Did Symantec include Registration Authorities in the scope of that
training?
  b) If not, why did Symantec not disclose that Registration Authorities
were excluded?
  c) If so, why did Symantec's corrective actions for the previous
misissuance fail to prevent this continued misissuance?

5) You have indicated that you have at least one WebTrust audited partner
capable of causing issuance using Symantec-operated CAs.
  a) Please provide a link to the audit results for each of these WebTrust
audited partners.
  b) Have you suspended the capabilities of these partners until Symantec
completes its investigation?
  c) If not, why not, and when do you expect to do so?

6) Does Symantec allow its Registration Authorities to deviate from the
policies and standards set forth by its CP, CPS, and internal policies and
controls?
  a) If not, why did Symantec fail to detect that its Registration
Authorities were deviating from its policies for this long?
  b) If so, where does Symantec disclose this deviation within its CP
and/or CPS?

7) When do you expect to provide the next update as to the ongoing
investigation? If it is not within the next three days, why?
Thank you for your time in answering each and every one of these questions
and providing further details, so as to help inform the broader community
as to the steps Symantec has taken and is taking to prevent continued
misissuance contrary to the Baseline Requirements and the Mozilla CA
Certificate Policy.

[1] http://archive.is/Ro70U
[2] https://www.symantec.com/page.jsp?id=test-certs-update
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy