On Sun, Apr 2, 2017 at 11:14 PM Peter Bowen via dev-security-policy <[email protected]> wrote:
> On Fri, Mar 31, 2017 at 11:39 AM, Gervase Markham via dev-security-policy <[email protected]> wrote:
> > As we continue to consider how best to react to the most recent incident involving Symantec, and given that there is a question of whether it is part of a pattern of behaviour, it seemed best to produce an issues list as we did with WoSign. This means Symantec has proper opportunity to respond to issues raised and those responses can be documented in one place and the clearest overall picture can be seen by the community.
> >
> > So I have prepared:
> > https://wiki.mozilla.org/CA:Symantec_Issues
> >
> > I will now be dropping Symantec an email asking them to begin the process of providing whatever comment, factual correction or input they feel appropriate.
> >
> > If anyone in this group feels they have an issue which it is appropriate to add to the list, please send me email with the details.
>
> Gerv,
>
> I'm afraid that Issue V: RA Program Audit Issues (2013 or earlier - January 2017) has confused RAs with subordinate CAs.
>
> According to https://bug1334377.bmoattachments.org/attachment.cgi?id=8843448, Symantec has indicated that they have (had) four unconstrained third party RAs: CrossCert, Certisign, Certisur, and Certsuperior. These appear to fall into what the BRs call "Delegated Third Parties". No audit report seems to mention any issue with these RAs.
>
> Separately, Symantec-owned CAs have issued CA-certificates to several CAs that are not operated by Symantec. These appear to include at least Apple, Google, the US Government, Aetna, and Unicredit. The audit reports linked from Issue V appear to have qualifications regarding these CA-certificates.
>
> There are notable differences between third party owned CAs and third party operated RAs, and the difference should be clearly noted.
>
> Thanks,
> Peter
> _______________________________________________
> dev-security-policy mailing list
> [email protected]
> https://lists.mozilla.org/listinfo/dev-security-policy

Both https://www.symantec.com/content/en/us/about/media/repository/GeoTrust-WTBR-2015.pdf (Finding number 3) and https://www.symantec.com/content/en/us/about/media/repository/symantec-webtrust-audit-report.pdf (Finding number 1) call out Delegated Third Parties as lacking audits. This is called out separately from the matters related to sub-CAs, as "Furthermore". Given that at least some of the sub-CAs possessed and provided audits to Symantec, it does not seem to support your summary, but perhaps your point was misunderstood?

