On Mon, Apr 10, 2017 at 10:55 AM, Steve Medin via dev-security-policy <
dev-security-policy@lists.mozilla.org> wrote:

> Issue D: Test Certificate Misissuance (April 2009 - September 2015)
>
> Symantec has provided complete investigation results for this issue. They
> can be found at https://www.symantec.com/page.jsp?id=test-certs-update#
>
> We would like to further clarify the following statement in this issue
> summary: "Some of the test certificates (including one for www.google.com)
> left Symantec's network because they were logged in CT; Symantec claims no
> others did."
>
> We believe this statement is inaccurate for two reasons.
>
> First, the action of logging certificates to CT does not necessarily mean
> that the certificates left Symantec's network. Beginning January 1, 2015,
> Symantec began logging all EV certificates in CT log servers. Given that
> certificates are logged in CT at the time of creation in our system, any
> distribution of certificates that we issue is a second, independent step.
>
> Moreover, at the time we investigated this incident, we conducted multiple
> scans for domains used in test certificates. Following a thorough
> investigation process, we found no evidence that these certificates were
> used on external servers. Accordingly, we have no evidence that any of the
> test certificates involved in this investigation left Symantec's network.
>

Hi Steve,

Quick questions.

1) It's clear that some of the test certificates did leave Symantec's
network. The act of logging them in CT establishes this. Did you mean to
state no private keys left Symantec's networks?

2) If so, doesn't your audit conclude that you lack sufficient evidence and
documentation to objectively determine this, and merely _believe_ no
private keys left Symantec's network? This would be consistent with your
conclusion (beginning "Accordingly"), however, the existence of your
response is inherently contradictory. Clarification would be greatly
appreciated.
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy