Re: Symantec Response X

2017-04-11 Thread Jakob Bohm via dev-security-policy
On 10/04/2017 16:58, Steve Medin wrote: Issue X: Incomplete RA Program Remediation (February - March 2017) The only Symantec RAs capable of authorizing and issuing publicly trusted SSL/TLS certificates are: CrossCert, Certisign, Certsuperior and Certisur. Symantec continues to maintain a partn

Re: Symantec Response X

2017-04-11 Thread James Burton via dev-security-policy
On Monday, April 10, 2017 at 4:00:21 PM UTC+1, Steve Medin wrote: > Issue X: Incomplete RA Program Remediation (February - March 2017) > > The only Symantec RAs capable of authorizing and issuing publicly trusted > SSL/TLS certificates are: CrossCert, Certisign, Certsuperior and Certisur. > Syma

Re: Symantec Response X

2017-04-11 Thread Gervase Markham via dev-security-policy
On 11/04/17 17:51, Ryan Sleevi wrote: > Also, search SSL. Not TLS :) Aha! > Further, its CPS states > > "MSC Trustgate.com is a “Processing Center,” as described in CP § > 1.1.2.1.2, which > means MSC Trustgate.com has established a secure facility housing, among > other > things, CA systems, in

Re: Symantec Response X

2017-04-11 Thread Ryan Sleevi via dev-security-policy
On Tue, Apr 11, 2017 at 12:33 PM, Gervase Markham via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > > E-Sign's CPS URL is given in its audit statement as: > https://www.e-sign.cl/uploads/cps_esign_388.pdf > > Grepping that document for "TLS" gives no hits. Can you help me so

Re: Symantec Response X

2017-04-11 Thread Gervase Markham via dev-security-policy
On 11/04/17 16:23, Ryan Sleevi wrote: > The audits mention the CP/CPS has been evaluated as part of the scope of > the audit. Yep, OK. > The CP/CPS mentions the issuance of TLS certificates as part of the > hierarchy. For example, > > "E-Sign provides its services in accordance with its Certific

Re: Symantec Response X

2017-04-11 Thread Ryan Sleevi via dev-security-policy
On Tue, Apr 11, 2017 at 6:21 AM, Gervase Markham via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > Hi Ryan, > > On 10/04/17 17:20, Ryan Sleevi wrote: > > 1) You stated that this partner program applies to non-TLS certificates. > > The audit for both STN and for the RAs fail

Re: Symantec Response X

2017-04-11 Thread Gervase Markham via dev-security-policy
Hi Ryan, On 10/04/17 17:20, Ryan Sleevi wrote: > 1) You stated that this partner program applies to non-TLS certificates. > The audit for both STN and for the RAs fails to make this distinction. For > example, audits are listed related to the issuance of TLS certificates. The audits linked to

Re: Symantec Response X

2017-04-10 Thread Ryan Sleevi via dev-security-policy
Hi Steve, Quick questions: 1) You stated that this partner program applies to non-TLS certificates. The audit for both STN and for the RAs fails to make this distinction. For example, audits are listed related to the issuance of TLS certificates. a) How do you explain this discrepancy? b)

Symantec Response X

2017-04-10 Thread Steve Medin via dev-security-policy
Issue X: Incomplete RA Program Remediation (February - March 2017) The only Symantec RAs capable of authorizing and issuing publicly trusted SSL/TLS certificates are: CrossCert, Certisign, Certsuperior and Certisur. Symantec continues to maintain a partner program for non-TLS certificates. E-Si