Though Nick's email implies the announcement, for the benefit of the list,
here's Symantec's introduction at the top of their response:

Based on our investigation of CrossCert, we have concerns due to (1)
demonstrated non-compliance with processes and controls, (2) assertions of
third party auditors that need far greater oversight than we previously
expected, and (3) the fact that these issues have enabled cases of
certificate mis-issuance. As a result, we have made the decision to
terminate our partner RA program.

We will continue to work with select partners that have local market
contacts and expertise to facilitate an interface with customers and
collection of relevant documentation; however, Symantec personnel will
validate 100% of all asserted identity data and control certificate
issuance going forward. We have communicated this change to each of our RA
partners, we are finalizing a transition plan, and intend to implement that
transition quickly.

In addition, to alleviate any concern by customers or relying parties on
the integrity of the certificates issued by these RA partners, Symantec
will review the validation work of 100% of issued certificates and
revalidate any where we identify any deficiency. Certificates issued with
deficient validation will be replaced and revoked. Our work will be
included in scope of our next WebTrust audits.


On Sun, Feb 12, 2017 at 1:02 PM, Nick Lamb via dev-security-policy <
dev-security-policy@lists.mozilla.org> wrote:

> On Sunday, 12 February 2017 15:28:26 UTC, Steve Medin wrote:
> > A response is now available in Bugzilla 1334377 and directly at:
> > https://bugzilla.mozilla.org/attachment.cgi?id=8836487
>
> Thanks for these responses Steve,
>
> I believe that Symantec's decision to terminate the RA Partner programme
> was a good one, not only in light of what's been found during this specific
> investigation, but also because it makes the CA function within Symantec
> simpler. It definitely feels as though some of the issues (big and small)
> with Symantec's CA function in the past few years grew out of complexity.
> Simpler systems are easier to correctly reason about and thus to manage
> properly.
>
> Simpler systems are also easier for the Root Programmes to oversee and for
> the Relying Parties to put their trust in. This group has fought against
> the presumption that "foreign" CAs are necessarily less trustworthy, but
> the fact is that a person who was happy with a Symantec certificate on the
> basis that it was issued by a famous US Corporation might have been very
> surprised to learn the decision to issue was actually taken by a company
> they've never heard of in Korea, or Brazil.
>
> Given Symantec's experiences here, I would recommend that Mozilla's
> routine letter to CAs might ask them if they have any similar programme and
> if so what measures they have in place to ensure their RAs or similar Third
> Parties are really living up to the standards Mozilla requires. Depending
> on the responses this might need further action from Mozilla. It would also
> make sense to ask about this during new CA enrollment. There's maybe a
> small piece of work here to figure out what sort of characteristics best
> distinguish something like Symantec's relationship with Crosscert from
> unremarkable business practices like corporate accounts to issue many
> certificates without them each being validated separately.
> _______________________________________________
> dev-security-policy mailing list
> dev-security-policy@lists.mozilla.org
> https://lists.mozilla.org/listinfo/dev-security-policy
>



-- 
konklone.com | @konklone <https://twitter.com/konklone>