Hi Steve,

Quick questions:

1) You stated that this partner program applies to non-TLS certificates. The audit for both STN and for the RAs fails to make this distinction. For example, audits are listed related to the issuance of TLS certificates.
  a) How do you explain this discrepancy?
  b) Given the scope of the audit includes such matters, how do you believe an auditor for such an RA would observe such evidence of demonstration, appropriate to its formation of an opinion of those operations?
  c) What documentation, if any, is provided to distinguish these RAs?

2) What technical restrictions, if any, exist to ensure that RAs do not issue TLS certificates?
  a) Does Symantec enforce technical controls?
    a.i) If so, how should the community be assured that the technical controls will not suffer issues of override, like in Issue T?
    a.ii) If so, how should the community be assured that the technical controls will not suffer implementation issues, like in Issue E and Issue H and Issue J?
    a.iii) If not, why not?
  b) Does Symantec enforce periodic reviews?
    a.i) If so, to what percentage?
    a.ii) If so, has that percentage changed in light of Issue T?
    a.iii) If not, why not?
  c) Are there any other controls that Symantec feels appropriate to disclose to appropriately assure the community that such RA partners have no technical or procedural ability to cause the issuance of TLS certificates?

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
1) You stated that this partner program applies to non-TLS certificates. The audit for both STN and for the RAs fails to make this distinction. For example, audits are listed related to the issuance of of TLS certificates. a) How do you explain this discrepancy? b) Given the scope of the audit includes such matters, how do you believe an auditor for such an RA would observe such evidence of demonstration, appropriate to its formation of an opinion of those operations? c) What documentation, if any, is provided to distinguish these RAs? 2) What technical restrictions, if any, exist to ensure that RAs do not issue TLS certificates? a) Does Symantec enforce technical controls? a.i) If so, how should the community be assured that the technical controls will not suffer issues of override, like in Issue T? a.ii) If so, how should the community be assured that the technical controls will not suffer implementation issues, like in Issue E and Issue H and Issue J? a.iii) If not, why not? b) Does Symantec enforce periodic reviews? a.i) If so, to what percentage? a.ii) If so, has that percentage changed in light of Issue T? a.iii) If not, why not? c) Are there any other controls that Symantec feels appropriate to disclosure to appropriately assure the community that such RA partners have no technical or procedure ability to cause the issuance of TLS certificates? _______________________________________________ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy