On 11/04/17 17:34, Ryan Sleevi wrote:
> Can you clarify what issues you believe this to be related to?

That is a fair question. And also hard work to answer <sigh> :-)

> Given that Symantec has a routine habit of exceeding any reasonable
> deadline for response, at what point do you believe it is appropriate for
> the Mozilla Root Store to begin discussing what steps can or should be
> taken with respect to the documented and supported incidents, for which
> Symantec has not provided counter-factual data?

Yes, fair enough. Rick and Steve: I will be taking Symantec's statements
to this group as of one week from today as the sum total of what you
have to say on the subjects under discussion. After that point, we will
draw conclusions based on the available data and decide on what course
of action we may take. I hope that by then you will be able to answer my
8 questions, and provide responses or comments to any of Ryan's or other
people's questions that you wish to address.

Kathleen is on vacation this week, and so no decisions could be taken
until next week at the earliest anyway.

> It's unclear from your remark "Started to draw some conclusions where that
> is warranted" what you see as the process and next steps. Perhaps you could
> clarify what you imagine happening next, and on what timeline, to provide
> clarity both to Symantec and the general population here. I must admit, I'm
> quite confused as to where things stand, given that many items have
> conclusions to them.

See above. After one week, I will be taking stock of the assembled
evidence, and will invite community members also to draw conclusions. I
will then present a recommendation for what we should do next. As you
know, Mozilla's process is a little fuzzy around the edges, but Kathleen
is the final decision maker. (And she doesn't always agree with me :-)

> With respect to the conclusion to Issue T "Symantec's reaction to the
> discovery of these problems was unarguably swift and comprehensive.", I
> would disagree with this. Symantec's response was not swift, relative to
> other CAs that have been informed of issues. It was not comprehensive -
> Symantec failed to identify the issues until questioned, and still maintains,
> in the latest response, that there is a conclusion unsupported by the
> evidence they have shared with the community. Their timeline for
> responsiveness was not swift - we're still discussing this specific issue,
> and it was first reported on Issue T. I would be happy to find evidence of
> issues from other CAs that demonstrate a more thorough response or a more
> timely response.

Within a few days of discovering these issues they shut down their
entire RA program. That seems pretty swift and comprehensive to me. The
fact that they didn't discover these issues for years is clearly a
problem, but it's not the same problem.

> With respect to the conclusion to Issue T, "Their case is that WebTrust
> audit monitoring should have been sufficient," it's unclear if you are
> agreeing with that conclusion or simply stating Symantec claims.

Stating Symantec's claims.

> With respect to the conclusion to Issue V,

That's not part of my conclusion, that's a quotation from Symantec which
I need to check the accuracy of with Kathleen.

> "to specifically address the
> GeoRoot audit status and remediation plan" - this was not reflected within
> https://www.symantec.com/content/en/us/about/media/repository/23_Symantec_GeoTrust_WTBR_period_end_11-30-2016.pdf
> , the relevant audit for the roots, ending on 2016-11-30.

I'm a little confused - I think Symantec are saying that the cover
letter explains the plan to wind down the two sub-CAs, not that the
audit does?

Gerv
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy