I'm not sure of the best way to phrase this, so please forgive the bluntness, but I think it'd be appropriate to ask at this point if Symantec has disclosed all necessary intermediates (I believe this would be defined as: chain to their roots in our trust store, are not expired, are not revoked, and are not technically constrained), and whether they would be willing to state that if new intermediate CAs are discovered beyond that point, it would reflect either dishonesty or serious mismanagement of their PKI.
Alex

On Mon, May 8, 2017 at 9:20 AM, Kurt Roeckx via dev-security-policy <dev-security-policy@lists.mozilla.org> wrote:

> On 2017-05-08 14:24, Gervase Markham wrote:
>>
>> 1) Did any of the RAs in your program (CrossCert and co.) have the technical ability to independently issue EV certificates? If they did not not, given that they had issuance capability from intermediates which chained up to EV-enabled roots, what technical controls prevented them from having this capability?
>
> It has a duplicate "not" there.
>
>> Issue Y
>> -------
>>
>> 3) Does Symantec agree that "VeriSign Class 3 SSP Intermediate CA - G2" and "Symantec Class 3 SSP Intermediate CA - G3", can issue certs which are trusted for SSL/TLS in Mozilla products (by chaining up to "VeriSign Universal Root Certification Authority") and yet do not have BR audits?
>
> I'm wondering if the intermediate CA certificates recently published in CT should have their own issue. As far as I know they should have been disclosed much earlier. It seems that (at least now) they're all either revoked by CRL on the 5th of May (but not disclosed as revoked) or expired, except for one (https://crt.sh/?id=132854209).
>
> I think they're all from "VeriSign Class 3 SSP Intermediate CA", not G2 or G3, except that one that's not revoked.
>
>> 4) These two intermediates have a number of sub-intermediates. Does Symantec agree that not all of these sub-intermediates are within the scope of even Symantec's NFSSP Webtrust for CAs audit?[1] If so, how many are in scope and how many are out of scope? If they are all in scope, why are they not listed in the audit document?
>
> The audit document says: "and the Symantec Non-Federal SSP – customer specific CAs (collectively referred to as the “Non-Federal SSP CAs”)."
>
> For which it then says that "our examination did not extend to the controls of external registration authorities."
>
> The management assertion also says:
> "Controls have inherent limitations, including the possibility of human error and the circumvention or overriding of controls. Accordingly, even effective controls can provide only reasonable assurance with respect to Symantec’s Non-Federal SSP CA operations. Furthermore, because of changes in conditions, the effectiveness of controls may vary over time."
>
>
> Kurt
>
> _______________________________________________
> dev-security-policy mailing list
> dev-security-policy@lists.mozilla.org
> https://lists.mozilla.org/listinfo/dev-security-policy
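The four disclosure criteria stated at the top of this message (chains to a trusted root, not expired, not revoked, not technically constrained) can be turned into a mechanical check. The following is an added example, not code from the thread or from Mozilla or Symantec: it builds a constructed root and a handful of intermediates with Go's standard crypto/x509 package and classifies each one. The reading of "technically constrained" (EKU present without anyExtendedKeyUsage, and name constraints required when serverAuth is included) is this example's own simplification of the Mozilla policy rule; the revoked-serial set is an assumed input, since revocation status cannot be read from the certificate itself and would in practice come from the issuer's CRL or OCSP responder.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Verdict scores one intermediate against the four disclosure criteria.
type Verdict struct {
	ChainsToRoot bool // validates to a root in the supplied trust store
	Expired      bool // NotAfter lies before the reference time
	Revoked      bool // serial appears in the caller-supplied revoked set
	Constrained  bool // technically constrained (simplified reading, see below)
	MustDisclose bool // chains to a root and is none of the other three
}

// isTechnicallyConstrained is a simplified reading (an assumption of this
// example) of the Mozilla rule: an EKU extension must be present and must not
// contain anyExtendedKeyUsage; if it contains serverAuth, a nameConstraints
// extension must be present as well.
func isTechnicallyConstrained(c *x509.Certificate) bool {
	if len(c.ExtKeyUsage) == 0 && len(c.UnknownExtKeyUsage) == 0 {
		return false // no EKU at all: the CA can issue anything
	}
	serverAuth := false
	for _, eku := range c.ExtKeyUsage {
		switch eku {
		case x509.ExtKeyUsageAny:
			return false
		case x509.ExtKeyUsageServerAuth:
			serverAuth = true
		}
	}
	if !serverAuth {
		return true // e.g. emailProtection only: cannot issue TLS certs
	}
	return len(c.PermittedDNSDomains) > 0 || len(c.ExcludedDNSDomains) > 0 ||
		len(c.PermittedIPRanges) > 0 || len(c.ExcludedIPRanges) > 0
}

// Classify applies the criteria. "revoked" holds decimal serials the caller has
// confirmed revoked from the issuer's CRL or OCSP responder (assumed input).
func Classify(c *x509.Certificate, roots *x509.CertPool, revoked map[string]bool, now time.Time) Verdict {
	// Verify at a time inside the certificate's own validity window, so expiry
	// is reported as its own finding instead of masking the chain result.
	opts := x509.VerifyOptions{
		Roots:       roots,
		CurrentTime: c.NotBefore.Add(c.NotAfter.Sub(c.NotBefore) / 2),
		KeyUsages:   []x509.ExtKeyUsage{x509.ExtKeyUsageAny},
	}
	_, err := c.Verify(opts)
	v := Verdict{
		ChainsToRoot: err == nil,
		Expired:      now.After(c.NotAfter),
		Revoked:      revoked[c.SerialNumber.String()],
		Constrained:  isTechnicallyConstrained(c),
	}
	v.MustDisclose = v.ChainsToRoot && !v.Expired && !v.Revoked && !v.Constrained
	return v
}

// Fixture is a constructed trust store: one root, several intermediates signed
// by it, and one signed by an unrelated root. No real CA material is used.
type Fixture struct {
	Roots         *x509.CertPool
	Intermediates map[string]*x509.Certificate
	Revoked       map[string]bool
	Now           time.Time
}

func caTemplate(serial int64, cn string, notBefore, notAfter time.Time) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: notBefore, NotAfter: notAfter, IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
}

func newKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// sign issues tmpl under parent (self-signed when parent == tmpl).
func sign(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	c, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return c
}

func BuildFixture() Fixture {
	now := time.Date(2017, 5, 8, 12, 0, 0, 0, time.UTC) // the thread's date
	rootKey, otherKey := newKey(), newKey()
	rootTmpl := caTemplate(1, "Constructed Root", now.AddDate(-5, 0, 0), now.AddDate(10, 0, 0))
	root := sign(rootTmpl, rootTmpl, &rootKey.PublicKey, rootKey)
	otherTmpl := caTemplate(2, "Unrelated Root", now.AddDate(-5, 0, 0), now.AddDate(10, 0, 0))
	other := sign(otherTmpl, otherTmpl, &otherKey.PublicKey, otherKey)
	roots := x509.NewCertPool()
	roots.AddCert(root)

	valid := func(serial int64, cn string) *x509.Certificate {
		return caTemplate(serial, cn, now.AddDate(-1, 0, 0), now.AddDate(5, 0, 0))
	}
	constrained := valid(13, "Name-Constrained Sub CA")
	constrained.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	constrained.PermittedDNSDomains = []string{"example.com"}
	constrained.PermittedDNSDomainsCritical = true
	emailOnly := valid(14, "Email-Only Sub CA")
	emailOnly.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageEmailProtection}

	inters := map[string]*x509.Certificate{
		"unconstrained": sign(valid(10, "Unconstrained Sub CA"), root, &newKey().PublicKey, rootKey),
		"expired":       sign(caTemplate(11, "Expired Sub CA", now.AddDate(-3, 0, 0), now.AddDate(-1, 0, 0)), root, &newKey().PublicKey, rootKey),
		"revoked":       sign(valid(12, "Revoked Sub CA"), root, &newKey().PublicKey, rootKey),
		"constrained":   sign(constrained, root, &newKey().PublicKey, rootKey),
		"email-only":    sign(emailOnly, root, &newKey().PublicKey, rootKey),
		"foreign":       sign(valid(15, "Foreign Sub CA"), other, &newKey().PublicKey, otherKey),
	}
	return Fixture{Roots: roots, Intermediates: inters, Revoked: map[string]bool{"12": true}, Now: now}
}

func main() {
	f := BuildFixture()
	for name, c := range f.Intermediates {
		fmt.Printf("%-14s %+v\n", name, Classify(c, f.Roots, f.Revoked, f.Now))
	}
}
```

Only the "unconstrained" intermediate comes out with MustDisclose set; the expired, revoked and constrained ones each fail exactly one criterion, and the one signed by an unrelated root fails the chain check. Note that the chain is verified at a time inside the certificate's own validity period on purpose: verifying at "now" would report an expired intermediate merely as "does not chain", which hides the distinction the definition in the message draws.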