Steve,

As captured in our private mail exchange last week, Symantec's report fails to meaningfully address each or any of the questions I raised. Google considers it of utmost urgency that Symantec share the answers to these questions, posed a week ago, and based on Symantec's multiple public statements regarding the previous misissuance. Please confirm your receipt of these questions and your intent to provide an answer to the community by end of day, so that we can consider Symantec's answers when considering appropriate next steps to protect our users. In the absence of timely information from a CA following a misissuance, it's both necessary and reasonable to consider the worst as plausible.
For your reference, https://groups.google.com/d/msg/mozilla.dev.security.policy/fyJ3EK2YOP8/chC7tXDgCQAJ

On Thu, Jan 26, 2017 at 9:51 AM, Ryan Sleevi <r...@sleevi.com> wrote:

> Steve,
>
> Have you had a chance to review these questions? Considering that these
> are all about existing practices, and as a CA should be readily available
> and easy to answer, I'm hoping you can reply by end of day.
>
> Please consider this a formal request from Google as part of investigating
> this incident.
>
> On Mon, Jan 23, 2017 at 5:58 PM, Ryan Sleevi <r...@sleevi.com> wrote:
>
>> Steve,
>>
>> While I understand that your investigation is ongoing, this does seem
>> extremely similar, if not identical, to Symantec's previous misissuance.
>>
>> In that previous incident, Symantec took a number of steps - beginning
>> with reportedly immediately terminating the employees responsible and then
>> continuing to a comprehensive system overhaul, as detailed at
>> https://www.symantec.com/page.jsp?id=test-certs-update#
>>
>> What is particularly concerning here is that your current explanations
>> suggest that either they are incomplete, or that Symantec's previous
>> answers were either misleading or incorrect. This is extremely concerning,
>> and I'm hoping you can clarify with answers to the following questions,
>> independent of your ongoing investigation and as soon as possible:
>>
>> 1) In response to the previous incident, Symantec indicated they hold a
>> "no compromise" bar for such breaches in the post titled "A tough day as
>> leaders". [1]
>> a) Do you believe that the steps to "reduce privileges" represent a
>> consistent application of that standard?
>> b) If not, what additional steps are you taking, consistent with your
>> "no compromise" standard?
>>
>> 2) In response to the previous incident, Symantec indicated that the use
>> of any privileged test tool would require senior leader justification from
>> both QA and Production Operations teams and approvals from the heads of
>> Engineering and Policy Compliance. [2]
>> a) Did Symantec mean that this was limited to validations performed by
>> Symantec, and not that of Registration Authorities fulfilling the duties
>> pursuant to Section 1.3.2 of the Baseline Requirements?
>> b) At the time Symantec made this statement, did Symantec have any
>> Registration Authorities fulfilling the duties pursuant to Section 1.3.2 of
>> the Baseline Requirements?
>> c) If such a statement was meant to be limited to Symantec, and not
>> that of Registration Authorities, why did Symantec not feel it was
>> appropriate to highlight that it did not extend to activities performed by
>> Registration Authorities?
>> d) If such a statement was not meant to be limited to Symantec, was
>> such a justification provided, and approvals granted, for the tool that
>> allowed such Registration Authorities to issue these certificates?
>>
>> 3) In response to the previous incident, Symantec indicated a
>> comprehensive review of issuance privileges was conducted to ensure only
>> authorized personnel have the ability to issue certificates, and that a
>> quarterly access review would be conducted to ensure this. [2]
>> a) Did such comprehensive review include that of Registration
>> Authorities?
>> b) If not, why did Symantec not disclose that Registration Authorities
>> were excluded?
>> c) Is Symantec currently performing access reviews of Registration
>> Authorities?
>> d) If so, when does Symantec expect this to be completed?
>>
>> 4) In response to the previous incident, Symantec indicated it updated
>> its internal policies and procedures for test certificates as used for
>> commercial certificates. Further, it indicated that QA engineers and
>> authentication personnel were trained on updated practices for test
>> certificates. [2]
>> a) Did Symantec include Registration Authorities in the scope of that
>> training?
>> b) If not, why did Symantec not disclose that Registration Authorities
>> were excluded?
>> c) If so, why did Symantec's corrective actions for the previous
>> misissuance fail to prevent this continued misissuance?
>>
>> 5) You have indicated that you have at least one WebTrust audited partner
>> capable of causing issuance using Symantec-operated CAs.
>> a) Please provide a link to the audit results for each of these
>> WebTrust audited partners.
>> b) Have you suspended the capabilities of these partners until Symantec
>> completes its investigation?
>> c) If not, why not, and when do you expect to do so?
>>
>> 6) Does Symantec allow its Registration Authorities to deviate from the
>> policies and standards set forth by its CP, CPS, and internal policies and
>> controls?
>> a) If not, why did Symantec fail to detect that its Registration
>> Authorities were deviating from its policies for this long?
>> b) If so, where does Symantec disclose this deviation within its CP
>> and/or CPS?
>>
>> 7) When do you expect to provide the next update as to the ongoing
>> investigation? If it is not within the next three days, why?
>>
>>
>> Thank you for your time in answering each and every one of these
>> questions and providing further details, so as to help inform the broader
>> community as to the steps Symantec has taken and is taking to prevent
>> continued misissuance contrary to the Baseline Requirements and the Mozilla
>> CA Certificate Policy.
>>
>> [1] http://archive.is/Ro70U
>> [2] https://www.symantec.com/page.jsp?id=test-certs-update
>>
>
>
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy