Hi Steve, Thanks for your continued attention to this matter. Your responses open many new and important questions and which give serious question as to whether the proposed remediations are sufficient. To keep this short, and thereby allow Symantec a more rapid response:
1) Please provide the CP, CPS, and Audit Letter(s) used for each RA partner since the acquisition by Symantec of the VeriSign Trust Services business in 2010. On Fri, Feb 17, 2017 at 8:32 PM, Steve Medin via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > Our third response to questions, including these two below, is posted at > Bugzilla, and directly at https://bug1334377. > bmoattachments.org/attachment.cgi?id=8838825. > > > > > > From: Ryan Sleevi [mailto:r...@sleevi.com] > Sent: Friday, February 17, 2017 6:54 PM > To: Ryan Sleevi <r...@sleevi.com> > Cc: Gervase Markham <g...@mozilla.org>; mozilla-dev-security-policy@ > lists.mozilla.org; Steve Medin <steve_me...@symantec.com> > Subject: Re: Misissued/Suspicious Symantec Certificates > > > > Hi Steve, > > > > Two more question to add to the list which is already pending: > > > > In [1], in response to question 5, Symantec indicated that Certisign was a > WebTrust audited partner RA, with [2] provided as evidence to this fact. > While we discussed the concerns with respect to the audit letter, > specifically in [3], questions 3 - 6, and while Symantec noted that it > would case to accept future EY Brazil audits, I have confirmed with CPA > Canada that at during the 2016 and 2017 periods, EY Brazil was not a > licensed WebTrust practitioner, as indicated at [4]. > > > > Given that EY Brazil was not a licensed WebTrust auditor, it appears that > Symantec failed to uphold Section 8.2 of the Baseline Requirements, v1.4.1 > [5], namely, that "(For audits conducted in accordance with the WebTrust > standard) licensed by WebTrust", which is a requirement clearly articulated > in Section 8.4 of the Baseline Requirements, namely, that "If the CA is not > using one of the above procedures and the Delegated Third Party is not an > Enterprise RA, then the CA SHALL obtain an audit report, issued under the > auditing standards that underlie the accepted audit schemes found in > Section 8.1, ..." > > > > 1) Was Symantec's compliance team involved in the review of Certisign's > audit? > > 2) Does Symantec agree with the conclusion that, on the basis of this > evidence, Symantec failed to uphold the Baseline Requirements, independent > of any action by a Delegated Third Party? > > > > [1] https://bug1334377.bmoattachments.org/attachment.cgi?id=8831933< > https://clicktime.symantec.com/a/1/6wJmuz5H2ktURSIGjev34ZuuQTad1L > RVz1nIlADR7XE=?d=EzdV7X-pe5sih3AYTnIMlzBIT3AaPBWIYQF9w > d5LbpGrImaYYowG0inKiozTFwfAeJMk8B2dt_4yENjH4IaBlGSfv3Nbn8GMpSPDtntA > Wmyx8q3PfDYHHU_bDfrHZGtmC5XInqf0-ck-FF9e6SGtIxb23Mc2kGZNy8eGAG1jAT > 1TAe21ybqhXxIvmlxFXmTHtVMR3YXXvHPdAlcwv8e83_rm24C4_wUeNtE5oJFsBljHikK- > 4oZ1OAUbs4kCgGUxt8cWaB75e0ZDlR_fb71_91rphEjG44uTwcWMGyYK07gsGTyfvK > sUrvka6LTCQoX9d09q2fHeLb5TL3SPWUKa6B9_V5GfWubr-0rIMxR7- > kT2QzmMrkTgl2YGGDT-rtrKWSZ_xCOsOuU3sp_ARcYoRPNHR1FUGD8% > 3D&u=https%3A%2F%2Fbug1334377.bmoattachments.org%2Fattachment.cgi%3Fid% > 3D8831933> > > [2] https://bug1334377.bmoattachments.org/attachment.cgi?id=8831929< > https://clicktime.symantec.com/a/1/pfZiLBH0rxpzxfeiB5YSfvWdOjwpHC > 72M_rUahZJxKQ=?d=EzdV7X-pe5sih3AYTnIMlzBIT3AaPBWIYQF9w > d5LbpGrImaYYowG0inKiozTFwfAeJMk8B2dt_4yENjH4IaBlGSfv3Nbn8GMpSPDtntA > Wmyx8q3PfDYHHU_bDfrHZGtmC5XInqf0-ck-FF9e6SGtIxb23Mc2kGZNy8eGAG1jAT > 1TAe21ybqhXxIvmlxFXmTHtVMR3YXXvHPdAlcwv8e83_rm24C4_wUeNtE5oJFsBljHikK- > 4oZ1OAUbs4kCgGUxt8cWaB75e0ZDlR_fb71_91rphEjG44uTwcWMGyYK07gsGTyfvK > sUrvka6LTCQoX9d09q2fHeLb5TL3SPWUKa6B9_V5GfWubr-0rIMxR7- > kT2QzmMrkTgl2YGGDT-rtrKWSZ_xCOsOuU3sp_ARcYoRPNHR1FUGD8% > 3D&u=https%3A%2F%2Fbug1334377.bmoattachments.org%2Fattachment.cgi%3Fid% > 3D8831929> > > [3] https://bug1334377.bmoattachments.org/attachment.cgi?id=8836487< > https://clicktime.symantec.com/a/1/80dDdC7HC5yMdzxfwRS0saqQ2kS5Tv > wuo_kNWaXWLCI=?d=EzdV7X-pe5sih3AYTnIMlzBIT3AaPBWIYQF9w > d5LbpGrImaYYowG0inKiozTFwfAeJMk8B2dt_4yENjH4IaBlGSfv3Nbn8GMpSPDtntA > Wmyx8q3PfDYHHU_bDfrHZGtmC5XInqf0-ck-FF9e6SGtIxb23Mc2kGZNy8eGAG1jAT > 1TAe21ybqhXxIvmlxFXmTHtVMR3YXXvHPdAlcwv8e83_rm24C4_wUeNtE5oJFsBljHikK- > 4oZ1OAUbs4kCgGUxt8cWaB75e0ZDlR_fb71_91rphEjG44uTwcWMGyYK07gsGTyfvK > sUrvka6LTCQoX9d09q2fHeLb5TL3SPWUKa6B9_V5GfWubr-0rIMxR7- > kT2QzmMrkTgl2YGGDT-rtrKWSZ_xCOsOuU3sp_ARcYoRPNHR1FUGD8% > 3D&u=https%3A%2F%2Fbug1334377.bmoattachments.org%2Fattachment.cgi%3Fid% > 3D8836487> > > [4] http://www.webtrust.org/licensed-webtrust-practitioners-international/ > item64419.aspx > > [5] https://cabforum.org/wp-content/uploads/CA-Browser-Forum-BR-1.4.1.pdf< > https://clicktime.symantec.com/a/1/7AUAkdAzUJ1un022RuP_ > TfjD3UiY12QGLjanVeGgxhk=?d=EzdV7X-pe5sih3AYTnIMlzBIT3AaPBWIYQF9w > d5LbpGrImaYYowG0inKiozTFwfAeJMk8B2dt_4yENjH4IaBlGSfv3Nbn8GMpSPDtntA > Wmyx8q3PfDYHHU_bDfrHZGtmC5XInqf0-ck-FF9e6SGtIxb23Mc2kGZNy8eGAG1jAT > 1TAe21ybqhXxIvmlxFXmTHtVMR3YXXvHPdAlcwv8e83_rm24C4_wUeNtE5oJFsBljHikK- > 4oZ1OAUbs4kCgGUxt8cWaB75e0ZDlR_fb71_91rphEjG44uTwcWMGyYK07gsGTyfvK > sUrvka6LTCQoX9d09q2fHeLb5TL3SPWUKa6B9_V5GfWubr-0rIMxR7- > kT2QzmMrkTgl2YGGDT-rtrKWSZ_xCOsOuU3sp_ARcYoRPNHR1FUGD8% > 3D&u=https%3A%2F%2Fcabforum.org%2Fwp-content%2Fuploads% > 2FCA-Browser-Forum-BR-1.4.1.pdf> > > _______________________________________________ > dev-security-policy mailing list > dev-security-policy@lists.mozilla.org > https://lists.mozilla.org/listinfo/dev-security-policy > _______________________________________________ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy
