Hi Steve and Rick,

You have told me that you are considering your response(s) to the Symantec issues list, which is fine. Based on the list and further discussions which have been happening in m.d.s.policy, and on your recent audit publication, I thought it would be helpful to give a few specific questions that we are seeking answers to. (This should in no way be seen as trying to limit what else Symantec may wish to say.) It would be most convenient if you were to post the answers as a reply message in m.d.s.policy.

Q1) Symantec's audit for 2014-2015:
https://www.symantec.com/content/en/us/about/media/repository/GeoTrust-WTBR-2015.pdf
says on page 11:

"We noted that audit reports were not obtained during the examination period for 2 of 5 external partner subordinate CAs signed by the GeoTrust Global CA and managed by contracted third parties as part of the GeoRoot service). In addition, the report obtained for 1 of 5 external partner subordinate CAs was not in accordance with permitted audit schemes.

Furthermore, in lieu of third party audits completed by delegated third parties, no out-of-band mechanisms were used to confirm the authenticity of the certificate requests, or the information supporting the certificate and internal reviews were not performed by Symantec to determine third party compliance with baseline requirements. For the 2 external partners where reports were not obtained during the examination period, one external partner’s subordinate CA has since expired and Symantec subsequently received an audit report for the other. For the other external partner, Symantec reviewed the report obtained and requested that their next report be in accordance with permitted audit schemes."

A) Can you please identify all of the companies referenced here, by putting names to each reference?

B) When the second paragraph, beginning "Furthermore", refers to "delegated third parties", does it mean the same five subordinate CAs as the first paragraph, or does it refer to the RA program that you recently shut down?

C) If it refers to the same subordinate CAs, can you explain how the RA audits for CrossCert, Certisign, Certsuperior, and Certisur featured in the 2014-2015 auditing process? Were they examined by KPMG?

Q2) Please give the names of all companies who have been in your RA program recently enough that there still exist unexpired certificates which were issued by them, and their start and end dates in the program. Although we have had some of this information before, for completeness please provide links to all audits for each company.

Q3) Please give the names of all companies who have been in your GeoRoot program recently enough that there still exist unexpired certificates which were issued by them, and their start and end dates in the program. Please provide links to all audits for each company.

Q4) Are there any other programs Symantec runs or has run in the past five years, other than the recently-terminated RA program and the GeoRoot program, which put either the power of domain ownership validation or the power of certificate issuance in the hands of an organization other than Symantec or its Affiliates? If so, please give details of the program, and lists of companies, dates and any applicable audits as outlined above.

Q5) You have recently released your 2016 audits, split into two parts at June 16th (6.5 months into the 12-month period). The audits for the first six months contain almost all of the qualifications that the 2015 audits have. Please can you give exact or approximate dates for "start of issue", "discovery of issue" and "problem fixed/ceased" for each of the following issues which led to a qualification:

A) Test certificates issued for domains Symantec did not own or control
B) Failure to maintain physical security records for 7 years
C) Unauthorized employees with access to certificate issuance capability
D) Failure to review application and system logs
E) Background checks not renewed for trusted personnel after 5 years

Q6) The management assertions in the audits for neither the first-half nor the second-half of 2016 contain any qualification related to the audit status of either your GeoRoot or RA program partners. Does this indicate that Symantec felt that all partners in these programs were in good standing audit-wise during the period from December 1st 2015 to November 31st 2016?

Q7) In your comments at the time on what is now labelled Issue D, the misissuance of test certificates, you wrote:

"First, we continued to issue internal test certificates to unregistered domains after the April 2014 change in the Baseline Requirements that removed authorization to do so."

By "the April 2014 change", do you mean ballot 112?
https://cabforum.org/2014/04/03/ballot-112-replace-definition-internal-server-name-internal-name/
If so, can you explain how you see this ballot as affecting the correctness or otherwise of issuing certificates for unregistered domains?

Many thanks for your time and attention,

Gerv

_______________________________________________
dev-security-policy mailing list
firstname.lastname@example.org
https://lists.mozilla.org/listinfo/dev-security-policy