Steve,

Have you had a chance to review these questions? Considering that these are all about existing practices, and as a CA should be readily available and easy to answer, I'm hoping you can reply by end of day.
Please consider this a formal request from Google as part of investigating this incident.

On Mon, Jan 23, 2017 at 5:58 PM, Ryan Sleevi <r...@sleevi.com> wrote:
> Steve,
>
> While I understand that your investigation is ongoing, this does seem extremely similar, if not identical, to Symantec's previous misissuance.
>
> In that previous incident, Symantec took a number of steps - beginning with reportedly immediately terminating the employees responsible and then continuing to a comprehensive system overhaul, as detailed at https://www.symantec.com/page.jsp?id=test-certs-update#
>
> What is particularly concerning here is that your current explanations suggest that either they are incomplete, or that Symantec's previous answers were either misleading or incorrect. This is extremely concerning, and I'm hoping you can clarify with answers to the following questions, independent of your ongoing investigation and as soon as possible:
>
> 1) In response to the previous incident, Symantec indicated they hold a "no compromise" bar for such breaches in the post titled "A tough day as leaders". [1]
> a) Do you believe that the steps to "reduce privileges" represent a consistent application of that standard?
> b) If not, what additional steps are you taking, consistent with your "no compromise" standard?
>
> 2) In response to the previous incident, Symantec indicated that the use of any privileged test tool would require senior leader justification from both QA and Production Operations teams and approvals from the heads of Engineering and Policy Compliance. [2]
> a) Did Symantec mean that this was limited to validations performed by Symantec, and not that of Registration Authorities fulfilling the duties pursuant to Section 1.3.2 of the Baseline Requirements?
> b) At the time Symantec made this statement, did Symantec have any Registration Authorities fulfilling the duties pursuant to Section 1.3.2 of the Baseline Requirements?
> c) If such a statement was meant to be limited to Symantec, and not that of Registration Authorities, why did Symantec not feel it was appropriate to highlight that it did not extend to activities performed by Registration Authorities?
> d) If such a statement was not meant to be limited to Symantec, was such a justification provided, and approvals granted, for the tool that allowed such Registration Authorities to issue these certificates?
>
> 3) In response to the previous incident, Symantec indicated a comprehensive review of issuance privileges was conducted to ensure only authorized personnel have the ability to issue certificates, and that a quarterly access review would be conducted to ensure this. [2]
> a) Did such comprehensive review include that of Registration Authorities?
> b) If not, why did Symantec not disclose that Registration Authorities were excluded?
> c) Is Symantec currently performing access reviews of Registration Authorities?
> d) If so, when does Symantec expect this to be completed?
>
> 4) In response to the previous incident, Symantec indicated it updated its internal policies and procedures for test certificates as used for commercial certificates. Further, it indicated that QA engineers and authentication personnel were trained on updated practices for test certificates. [2]
> a) Did Symantec include Registration Authorities in the scope of that training?
> b) If not, why did Symantec not disclose that Registration Authorities were excluded?
> c) If so, why did Symantec's corrective actions for the previous misissuance fail to prevent this continued misissuance?
>
> 5) You have indicated that you have at least one WebTrust audited partner capable of causing issuance using Symantec-operated CAs.
> a) Please provide a link to the audit results for each of these WebTrust audited partners.
> b) Have you suspended the capabilities of these partners until Symantec completes its investigation?
> c) If not, why not, and when do you expect to do so?
>
> 6) Does Symantec allow its Registration Authorities to deviate from the policies and standards set forth by its CP, CPS, and internal policies and controls?
> a) If not, why did Symantec fail to detect that its Registration Authorities were deviating from its policies for this long?
> b) If so, where does Symantec disclose this deviation within its CP and/or CPS?
>
> 7) When do you expect to provide the next update as to the ongoing investigation? If it is not within the next three days, why?
>
>
> Thank you for your time in answering each and every one of these questions and providing further details, so as to help inform the broader community as to the steps Symantec has taken and is taking to prevent continued misissuance contrary to the Baseline Requirements and the Mozilla CA Certificate Policy.
>
> [1] http://archive.is/Ro70U
> [2] https://www.symantec.com/page.jsp?id=test-certs-update
> _______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy