Hi Steve,

Quick questions:

1) You stated that this partner program applies to non-TLS certificates.
The audit for both STN and for the RAs fails to make this distinction. For
example, audits are listed related to the issuance of TLS certificates.
  a) How do you explain this discrepancy?
  b) Given the scope of the audit includes such matters, how do you believe
an auditor for such an RA would observe such evidence of demonstration,
appropriate to its formation of an opinion of those operations?
  c) What documentation, if any, is provided to distinguish these RAs?
2) What technical restrictions, if any, exist to ensure that RAs do not
issue TLS certificates?
  a) Does Symantec enforce technical controls?
    a.i) If so, how should the community be assured that the technical
controls will not suffer issues of override, like in Issue T?
    a.ii) If so, how should the community be assured that the technical
controls will not suffer implementation issues, like in Issue E and Issue H
and Issue J?
    a.iii) If not, why not?
  b) Does Symantec enforce periodic reviews?
    b.i) If so, to what percentage?
    b.ii) If so, has that percentage changed in light of Issue T?
    b.iii) If not, why not?
  c) Are there any other controls that Symantec feels appropriate to
disclose to appropriately assure the community that such RA partners have
no technical or procedural ability to cause the issuance of TLS certificates?
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy