Hi Steve and Rick,

You have told me that you are considering your response(s) to the
Symantec issues list, which is fine. Based on the list and further
discussions which have been happening in m.d.s.policy, and on your
recent audit publication, I thought it would be helpful to give a few
specific questions that we are seeking answers to. (This should in no
way be seen as trying to limit what else Symantec may wish to say.) It
would be most convenient if you were to post the answers as a reply
message in m.d.s.policy.

Q1) Symantec's audit for 2014-2015:
says on page 11:

"We noted that audit reports were not obtained during the examination
period for 2 of 5 external partner subordinate CAs signed by the
GeoTrust Global CA and managed by contracted third parties as part of
the GeoRoot service). In addition, the report obtained for 1 of 5
external partner subordinate CAs was not in accordance with permitted
audit schemes.

Furthermore, in lieu of third party audits completed by delegated third
parties, no out-of-band mechanisms were used to confirm the authenticity
of the certificate requests, or the information supporting the
certificate and internal reviews were not performed by Symantec to
determine third party compliance with baseline requirements.

For the 2 external partners where reports were not obtained during the
examination period, one external partner’s subordinate CA has since
expired and Symantec subsequently received an audit report for the
other. For the other external partner, Symantec reviewed the report
obtained and requested that their next report be in accordance with
permitted audit schemes."

  A) Can you please identify all of the companies referenced here, by
putting names to each reference?

  B) When the second paragraph, beginning "Furthermore", refers to
"delegated third parties", does it mean the same five subordinate CAs as
the first paragraph, or does it refer to the RA program that you
recently shut down?

  C) If it refers to the same subordinate CAs, can you explain how the
RA audits for CrossCert, Certisign, Certsuperior, and Certisur featured
in the 2014-2015 auditing process? Where they examined by KPMG?

Q2) Please give the names of all companies who have been in your RA
program recently enough that there still exist unexpired certificates
which were issued by them, and their start and end dates in the program.
Although we have had some of this information before, for completeness
please provide links to all audits for each company.

Q3) Please give the names of all companies who have been in your GeoRoot
program recently enough that there still exist unexpired certificates
which were issued by them, and their start and end dates in the program.
Please provide links to all audits for each company.

Q4) Are there any other programs Symantec runs or has run in the past
five years, other than the recently-terminated RA program and the
GeoRoot program, which puts either the power of domain ownership
validation or the power of certificate issuance in the hands of an
organization other than Symantec or its Affiliates? If so, please give
details of the program, and lists of companies, dates and any applicable
audits as outlined above.

Q5) You have recently released your 2016 audits, split into two parts at
June 16th (6.5 months into the 12-month period). The audits for the
first six months contain almost all of the qualifications that the 2015
audits have. Please can you give exact or approximate dates for "start
of issue", "discovery of issue" and "problem fixed/ceased" for each of
the following issues which led to a qualification:

  A) Test certificates issued for domains Symantec did not own or
  B) Failure to maintain physical security records for 7 years
  C) Unauthorized employees with access to certificate issuance
  D) Failure to review application and system logs
  E) Background checks not renewed for trusted personnel after 5 years

Q6) The management assertions in the audits for neither the first-half
nor the second-half of 2016 contain any qualification related to the
audit status of either your GeoRoot or RA program partners. Does this
indicate that Symantec felt that all partners in these programs were in
good standing audit-wise during the period from December 1st 2015 to
November 31st 2016?

Q7) In your comments at the time on what is now labelled Issue D, the
misissuance of test certificates, you wrote:

"First, we continued to issue internal test certificates to unregistered
domains after the April 2014 change in the Baseline Requirements that
removed authorization to do so."

By "the April 2014 change", do you mean by ballot 112?
If so, can you explain how you see this ballot as affecting the
correctness or otherwise of issuing certificate for unregistered domains?

Many thanks for your time and attention,


dev-security-policy mailing list

Reply via email to