On 01/04/2017 16:08, Ryan Sleevi wrote:
> (Wearing a personal hat)
>
> This timeline hopefully highlights a particular serious issue: If NTT Docomo is operated as part of Symantec's operations, then there are several ways to interpret Symantec's audit statements:
>
> 1) KPMG failed to include NTT Docomo as part of the 5 externally operated sub-CAs noted, and instead treated it as part of Symantec's audit. If this is true, then there is an as-yet-unidentified intermediate certificate issued as part of the GeoRoot program.
>
> 2) KPMG was treating NTT Docomo as part of the 5 externally operated sub-CAs noted. If this is correct, then it is in one of three sets:
>    a) The 3/5 sub-CAs which KPMG identified as having audit reports
>    b) The 1/5 sub-CAs which KPMG identified as having a deficient audit report (not appropriate to the scheme)
>    c) The 1/5 sub-CAs for which KPMG identified Symantec as having later received an audit report
How about this simple explanation (purely a guess, not at all checked): KPMG was somehow sloppy in their wording (but not the auditing), listing NTT Docomo as external with an audit report in one part of their audit work, yet that "NTT Docomo" audit report is actually either the very same "Symantec" audit report, or one of the other "Symantec" audit reports for a relevant period.

Enjoy

Jakob
-- 
Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy