On 31/01/17 04:51, Steve Medin wrote:
> Our response to questions up to January 27, 2017 has been posted as an
> attachment to bug https://bugzilla.mozilla.org/show_bug.cgi?id=1334377.

Quoting that document:

"Q: 4) In response to the previous incident, Symantec indicated it updated its internal policies and procedures for test certificates as used for commercial certificates. Further, it indicated that QA engineers and authentication personnel were trained on updated practices for test certificates. a) Did Symantec include Registration Authorities in the scope of that training?

A: We did not train partners on an issue that pertained to a tool they could not access."

-- That seems to miss the point of the question somewhat. The problem in the previous incident was poor practices surrounding the issuance of test certificates, not simply the tool that was used to issue them.

1) Did Symantec do any additional training for RAs regarding the issuance of test certificates after the last incident? If not, why not? Did Symantec believe that it was very unlikely for RA personnel to make the same mistakes or have the same misunderstandings of what was appropriate as Symantec's personnel?

You also write:

"Category C concluded prior to that last audit's review period."

2) Is your understanding that, when WebTrust audits are sampling, they sample only certificates issued during the review period? Or should they be sampling certificates issued during the entire period covered by the audit? If the latter, did their sampling (3%, isn't it?) hit any Category C certificates? How many certificates were in the sample pool?

3) To be totally clear: would it be correct to say that up until this point, examining WebTrust audits was the only mechanism that Symantec used to _check_ the conformance of their RAs to Symantec's CP/CPS and other requirements? (I see you give them software, and docs, and training, but was this the only _checking_ mechanism?)

New question:

4) Is there any reliable programmatic way of determining, looking only at the contents of the certificate or certificate chain, that a certificate was issued by CrossCert personnel using their processes, as opposed to by Symantec personnel or by another RA?

We look forward to hearing the answers to these questions and further updates on the situation with CrossCert.

Thanks,

Gerv

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy