Issue V: RA Program Audit Issues (2013 or earlier - January 2017)

Symantec has had two different programs that involve delegated third parties associated with publicly trusted TLS and subject to third-party audits: our GeoRoot program and our RA/Affiliate program.
GeoRoot refers to our program under which intermediate CAs have been created for the sole use and independent operation by specific customers at premises under their control. RA/Affiliate for publicly trusted SSL/TLS refers to our program under which we authorize appropriately trained personnel at select RA partners to complete all steps of authentication, review and certificate issuance.

We refer to the following section of Issue V of the Mozilla post:

"Symantec's RAs appear to have had a history of poor compliance with the BRs and other audit requirements, facts which were known to Symantec but not disclosed to Mozilla or dealt with in appropriately comprehensive ways. Over multiple years (2013-12-01 to 2014-11-30, 2014-12-01 to 2015-11-30), Symantec's "GeoTrust" audits were qualified to say that they did not have proper audit information for some of these RAs. This information was in their management assertions, and repeated in the audit findings. So the poor audit situation was ongoing and known. Also, other audit reports, despite being in hierarchies accessible for issuance by the same RAs, did not have similar qualifications (Symantec Trust Network, 2014-12-01 to 2015-11-30)."

The audit findings referred to above are specifically related to audits under our GeoRoot program, not our RA program. Because GeoRoot only operates under GeoTrust roots and the associated CPS, the Symantec Trust Network and Thawte audits are fairly stated. In the GeoTrust WebTrust BR 2015-2016 period in time audit, there were five references to external partners' subordinate CAs, including: Intel, Aetna, UniCredit, Google, and Apple.
Intel: https://crt.sh/?sha1=924b357fc7b9d8c9d26e41d4af4dc6c4babe90e5
Aetna: https://crt.sh/?id=33549
UniCredit: https://crt.sh/?CN=UniCredit+Subordinate+External
Google: https://crt.sh/?CN=Google+Internet+Authority+G2
Apple: https://crt.sh/?CN=Apple+IST+CA%25

Separately, Symantec operates two subordinate CAs solely for NTT DoCoMo in an enterprise PKI application. These subordinate CAs had been considered part of the "GeoRoot" program as well, and we had therefore excluded them (similar to the above externally operated ones) from the list of Symantec CAs in our audits. After reviewing our approach, our compliance team determined that they should be included going forward. As such, for the 2016-2017 Period in Time, these subordinate CAs are included in the GeoTrust WebTrust for CA and BR audits.

For the organizations that externally operate subordinate CAs, the previous audit issues centered on Intel, Aetna, and UniCredit. Intel's subordinate CA, which expired in 2016, was not subject to audits either contractually or by previous agreements with both Mozilla and Microsoft given its limited use. Symantec encountered challenges in getting audits for Aetna and UniCredit, as identified in our 2015-2016 Period in Time audit. After receiving a qualified audit for Aetna, dated May 11, 2016, and an assessment dated March 9, 2016 rather than a WebTrust or ETSI audit for UniCredit, we held discussions with both companies regarding termination of their issuance privileges for new certificates and complete termination of all use as of November 30, 2016. UniCredit violated the requirements that Symantec placed on it for transition and Symantec thereafter promptly revoked its subordinate CA. Aetna's subordinate CA was revoked on November 30, 2016 because they complied with the terms of their CRL-only wind down period.
Symantec provided the letter quoted below to Google, Mozilla, Microsoft, and Apple when we shared the Point in Time Audits on September 6, 2016 to specifically address the GeoRoot audit status and remediation plan. That cover letter outlined the plan to wind down the Aetna and UniCredit subordinate CAs. Symantec received no response to our letter to the browser firms and subsequently executed the plan. This activity, along with the final wind down in 2016 of the Intel subordinate CA, was in the scope of our latest audits.

"Dear Browser Community:

The WebTrust Point in Time audit reports have now been issued by KPMG, which had no material findings. The Point In Time is as of June 15, 2016. You can find electronic copies of the reports here: https://www.symantec.com/about/legal/repository.jsp?tab=Tab3.

Please note that the last WebTrust Period in Time audit that covered December 1, 2014 through November 30, 2015, identified two audit reports for partner subordinate CAs signed by the GeoTrust Global CA that were received but were not in accordance with permitted audit schemes. The actions to address these audit reports from the partner subordinate CAs were in progress before the point in time audit started. Symantec has begun the process to terminate the agreements with both partners. One partner has ceased issuance of new certificates and the other will stop as of September 30, 2016. In both cases, Symantec will permit continued use of the subordinate CAs solely for the purpose of signing CRLs through November 30, 2016.

Please reach out to Steve Medin <steve_me...@symantec.com> for any questions."

We do not believe we received feedback from the browsers listed above on this approach until March 31, 2017, more than seven months later.

We refer to the following section of Issue V of the Mozilla post:

"We currently know of four RAs who were in Symantec's program - CrossCert, Certisign, Certsuperior, and Certisur..."
CrossCert, Certisign, Certsuperior and Certisur were the RA partners authorized to authenticate and issue SSL/TLS certificates. The collection of their audits was incomplete.

All of Certisign's audits are both WebTrust for CAs and SSL Baseline and were unqualified.

Certsuperior's audits state that their scope was WebTrust for SSL Baseline but do not state WebTrust for CAs. Prior to 2016, Certsuperior provided WebTrust SSL Baseline audits from an unlicensed auditor. Symantec's compliance organization identified the issue in 2016. For 2016, Certsuperior provided a qualified audit by Deloitte, a WebTrust licensed auditor in Mexico. Certsuperior's audit led to immediate sanction to solve the issues detected within 90 days and to provide a Point in Time audit. They provided such an audit and it was unqualified. Further, Deloitte is required to examine certificate issuance as a normal part of the WebTrust program and they did not cite any problems with Certsuperior's validation work in either audit. Accordingly, we believe certificate issuance was inspected. Symantec's compliance organization has requested that Certsuperior's next audit explicitly include the criteria in both WebTrust for CAs and WebTrust Baseline.

Certisur's audits were WebTrust for CAs only. Symantec's compliance organization identified the issue and has requested that Certisur's next audit for calendar year 2016 explicitly include the criteria in both WebTrust for CAs and WebTrust Baseline. All audits received were unqualified and performed by a licensed WebTrust auditor.

CrossCert's audits were WebTrust for CAs only through 2015. For 2015-2016 CrossCert provided both WebTrust for CAs and WebTrust BR audits. These audits were all unqualified and all performed by a licensed WebTrust auditor. We subsequently identified an issue with the scope of the 2015-2016 audits which is discussed in our response to issue T.
_______________________________________________ dev-security-policy mailing list firstname.lastname@example.org https://lists.mozilla.org/listinfo/dev-security-policy