On Sat, Apr 1, 2017 at 12:57 AM, Peter Bowen <pzbo...@gmail.com> wrote:

> (Wearing my personal hat)
> Ryan,
> I haven't reviewed the audit reports myself, but I'll assume all you
> wrote is true.  However, I think it is important to consider it in the
> appropriate context.

> The GeoRoot program was very similar to that offered by many CAs a few
> years ago.  CyberTrust (then Verizon, now DigiCert) has the OmniRoot
> program, Entrust has a root signing program[1], and GlobalSign Trusted
> Root[2] are just a few examples.
> In almost every case the transition to requiring complete unqualified
> audits of the subordinates by a licensed practitioner was a rocky one.
> See DigiCert's thread
> (https://groups.google.com/d/msg/mozilla.dev.security.
> policy/tHUcqnWPt3o/U2U__7-UBQAJ)
> about the OmniRoot program or look at the audits available for some of
> the Entrust subordinates.
> I'm not suggesting that the GeoRoot subordinate issues should not be
> considered, but it seems the GeoRoot program was not notably
> exceptional a few years ago.

(Wearing a personal hat)


There are a few issues to unpack from your reply. I think we're in
agreement that GeoRoot was by no means unique as an offering. I think, when
considering severity, it's important to instead focus on what the CAs
obligations were, what they were aware of, and what they did in response.
Further, in considering the broader scope of attempted remediation, it's
important to consider what risks were or are present as a result of this,
because it significantly impacts the ability to trust the existing set of
issued certificates.

On 2014-05-13, Mozilla requested all participating CAs disclose their
externally operated subordinate CAs. [1]
On 2014-06-03, Symantec reported it disclosed its sub-CAs in [2]
On 2015-04-06, Kathleen pointed out Symantec's disclosure was incomplete,
in [3] and [4]
On 2016-03-29, Symantec informed Google that there were 5 participants in
their GeoRoot program - Aetna, Google, Unicredit, Apple, NTT Docomo (DKHS).
On 2016-05-11 (or later), Symantec received Aetna's audit.
On 2016-05-13, Symantec's most recent audit for the Geotrust roots was made
available [5], which states there were 5 external partner subordinate CAs.
The timing of Aetna's letter suggests that this may be the audit that
"Symantec subsequently received an audit report for the other" - but that
cannot be confirmed without further detail from KPMG and Symantec.
On 2016-06-28, Symantec informs Google that NTT Docomo is part of
Symantec's audit, not separately audited.

This timeline hopefully highlights a particular serious issue: If NTT
Docomo is operated as part of Symantec's operations, then there are several
ways to interpret Symantec's audit statements:
1) KPMG failed to include NTT Docomo as part of the 5 externally operated
sub-CAs noted, and instead treated it as part of Symantec's audit. If this
is true, then there is an as-yet-unidentified intermediate certificate
issued as part of the GeoRoot program
2) KPMG was treating NTT Docomo as part of the 5 externally operated
sub-CAs noted. If this is correct, then it is in one of three sets
  a) The 3/5 sub-CAs for which KPMG identified as having audit reports
  b) The 1/5 sub-CAs for which KPMG identified as having a deficient audit
report (not appropriate to the scheme)
  c) The 1/5 sub-CAs for which KPMG identified Symantec as having later
received an audit report for.

If 2 is correct, then it's unclear of which set Aetna belongs to - that is,
if NTT Docomo is 2a, then Aetna is either 2b/2c, and it suggests that KPMG
may have been incomplete in its examination of the 2a set. If NTT Docomo is
2b, then Aetna is either 2a/2c, but calls into question Symantec's
operations if they were themselves operating this root, as it was not part
of the scope of the audit. If NTT Docomo is 2c, then Aetna is either 2a/2b,
both of which would call into question KPMG. Any of these possibilities is
quite troubling, but nowhere near as troubling as the possibility of 1,
which would imply an undisclosed sub-CA.

Based on the information provided by Unicredit, Unicredit would appear to
be 2b, because it was not performed by a licensed WebTrust practitioner to
the appropriate standards. Based on the information provided, Aetna would
seem to be 2c, but that would require confirmation from Symantec or KPMG.
This means that NTT Docomo is either 2a or 2c - either of which should be

Independent of any questions regarding how other CAs (such as the
critically mismanaged Omniroot program) responded to disclosure, the
questions about the scope of "which sub-CAs were examined by KPMG" is very
much relevant to the discussion at hand, and gets to the heart of whether
or not there can be sufficient confidence to trust the existing set of
certificates. This also sets aside the question about whether or not
Symantec can/should be trusted going forward. It also highlights the limits
of relying on a report such as [5], which may note the existence of audit
reports for externally operated sub-CAs, but in no way identifies their
significance in terms of security criticality. This, in turn, should cause
a re-examination of [6], and the thoughtful introspection about whether or
not it's possible to trust the existing set of certificates.

[1] https://wiki.mozilla.org/CA:Communications#May_13.2C_2014
[2] https://bugzilla.mozilla.org/show_bug.cgi?id=1019860
[3] https://bugzilla.mozilla.org/show_bug.cgi?id=1151348#c2
[4] https://bugzilla.mozilla.org/show_bug.cgi?id=1019860#c5
dev-security-policy mailing list

Reply via email to