Issue V: RA Program Audit Issues (2013 or earlier - January 2017)

Symantec has had two different programs that involve delegated third parties 
associated with publicly trusted TLS and subject to third-party audits: our 
GeoRoot program and our RA/Affiliate program.

GeoRoot refers to our program under which intermediate CAs have been created 
for the sole use and independent operation by specific customers at premises 
under their control. RA/Affiliate for publicly trusted SSL/TLS refers to our 
program under which we authorize appropriately trained personnel at select RA 
partners to complete all steps of authentication, review and certificate 
issuance.

We refer to the following section of Issue V of the Mozilla post:

"Symantec's RAs appear to have had a history of poor compliance with the BRs 
and other audit requirements, facts which were known to Symantec but not 
disclosed to Mozilla or dealt with in appropriately comprehensive ways.

Over multiple years (2013-12-01 to 2014-11-30, 2014-12-01 to 2015-11-30), 
Symantec's "GeoTrust" audits were qualified to say that they did not have 
proper audit information for some of these RAs. This information was in their 
management assertions, and repeated in the audit findings. So the poor audit 
situation was ongoing and known. Also, other audit reports, despite being in 
hierarchies accessible for issuance by the same RAs, did not have similar 
qualifications (Symantec Trust Network, 2014-12-01 to 2015-11-30)."

The audit findings referred to above are specifically related to audits under 
our GeoRoot program, not our RA program. Because GeoRoot only operates under 
GeoTrust roots and the associated CPS, the Symantec Trust Network and Thawte 
audits are fairly stated.

In the GeoTrust WebTrust BR 2015-2016 period in time audit, there were five 
references to external partners' subordinate CAs, including: Intel, Aetna, 
UniCredit, Google, and Apple.

Intel: https://crt.sh/?sha1=924b357fc7b9d8c9d26e41d4af4dc6c4babe90e5
Aetna: https://crt.sh/?id=33549
UniCredit: https://crt.sh/?CN=UniCredit+Subordinate+External
Google: https://crt.sh/?CN=Google+Internet+Authority+G2
Apple: https://crt.sh/?CN=Apple+IST+CA%25

Separately, Symantec operates two subordinate CAs solely for NTT DoCoMo in an 
enterprise PKI application. These subordinate CAs had been considered part of 
the "GeoRoot" program as well, and we had therefore excluded them (similar to 
the above externally operated ones) from the list of Symantec CAs in our 
audits. After reviewing our approach, our compliance team determined that they 
should be included going forward. As such, for the 2016-2017 Period in Time, 
these subordinate CAs are included in the GeoTrust WebTrust for CA and BR 
audits.

For the organizations that externally operate subordinate CAs, the previous 
audit issues centered on Intel, Aetna, and UniCredit. Intel's subordinate CA, 
which expired in 2016, was not subject to audits either contractually or by 
previous agreements with both Mozilla and Microsoft given its limited use. 
Symantec encountered challenges in getting audits for Aetna and UniCredit, as 
identified in our 2015-2016 Period in Time audit. After receiving a qualified 
audit for Aetna, dated May 11, 2016, and an assessment dated March 9, 2016 
rather than a WebTrust or ETSI audit for UniCredit, we held discussions with 
both companies regarding termination of their issuance privileges for new 
certificates and complete termination of all use as of November 30, 2016. 
UniCredit violated the requirements that Symantec placed on it for transition 
and Symantec thereafter promptly revoked its subordinate CA. Aetna's 
subordinate CA was revoked on November 30, 2016 because they complied with the 
terms of their CRL-only wind down period.

Symantec provided the letter quoted below to Google, Mozilla, Microsoft, and 
Apple when we shared the Point in Time Audits on September 6, 2016 to 
specifically address the GeoRoot audit status and remediation plan. That cover 
letter outlined the plan to wind down the Aetna and UniCredit subordinate CAs.  
Symantec received no response to our letter to the browser firms and 
subsequently executed the plan. This activity, along with the final wind down 
in 2016 of the Intel subordinate CA, was in the scope of our latest audits.

"Dear Browser Community:
The WebTrust Point in Time audit reports have now been issued by KPMG, which 
had no material findings.  The Point In Time is as of June 15, 2016.  You can 
find electronic copies of the reports here: 
https://www.symantec.com/about/legal/repository.jsp?tab=Tab3.

Please note that the last WebTrust Period in Time audit that covered December 
1, 2014 through November 30, 2015, identified two audit reports for partner 
subordinate CAs signed by the GeoTrust Global CA that were received but were 
not in accordance with permitted audit schemes.  The actions to address these 
audit reports from the partner subordinate CAs were in progress before the 
point in time audit started.  Symantec has begun the process to terminate the 
agreements with both partners. One partner has ceased issuance of new 
certificates and the other will stop as of September 30, 2016.  In both cases, 
Symantec will permit continued use of the subordinate CAs solely for the 
purpose of signing CRLs through November 30, 2016.

Please reach out to Steve Medin <steve_me...@symantec.com> for any questions."

We do not believe we received feedback from the browsers listed above on this 
approach until March 31, 2017, more than seven months later.

We refer to the following section of Issue V of the Mozilla post:

"We currently know of four RAs who were in Symantec's program - CrossCert, 
Certisign, Certsuperior, and Certisur..."

CrossCert, Certisign, Certsuperior and Certisur were the RA partners authorized 
to authenticate and issue SSL/TLS certificates. The collection of their audits 
was incomplete.

All of Certisign's audits are both WebTrust for CAs and SSL Baseline and were 
unqualified.

Certsuperior's audits state that their scope was WebTrust for SSL Baseline but 
do not state WebTrust for CAs. Prior to 2016, Certsuperior provided WebTrust 
SSL Baseline audits from an unlicensed auditor. Symantec's compliance 
organization identified the issue in 2016. For 2016, Certsuperior provided a 
qualified audit by Deloitte, a WebTrust licensed auditor in Mexico. 
Certsuperior's audit led to immediate sanction to solve the issues detected 
within 90 days and to provide a Point in Time audit. They provided such audit 
and it was unqualified. Further, Deloitte is required to examine certificate 
issuance as a normal part of the WebTrust program and they did not cite any 
problems with Certsuperior's validation work in either audit. Accordingly, we 
believe certificate issuance was inspected. Symantec's compliance organization 
has requested that Certsuperior's next audit explicitly include the criteria in 
both WebTrust for CAs and WebTrust Baseline.

Certisur's audits were WebTrust for CAs only. Symantec's compliance 
organization identified the issue and has requested that Certisur's next audit 
for calendar year 2016 explicitly include the criteria in both WebTrust for CAs 
and WebTrust Baseline.  All audits received were unqualified and performed by a 
licensed WebTrust auditor.

CrossCert's audits were WebTrust for CAs only through 2015. For 2015-2016 
CrossCert provided both WebTrust for CAs and WebTrust BR audits. These audits 
were all unqualified and all performed by a licensed WebTrust auditor. We 
subsequently identified an issue with the scope of the 2015-2016 audits which 
is discussed in our response to issue T.

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
