RE: Misissued/Suspicious Symantec Certificates

2017-02-17 Thread Steve Medin via dev-security-policy
Our third response to questions, including these two below, is posted at 
Bugzilla, and directly at 
https://bug1334377.bmoattachments.org/attachment.cgi?id=8838825.

From: Ryan Sleevi [mailto:r...@sleevi.com]
Sent: Friday, February 17, 2017 6:54 PM
To: Ryan Sleevi 
Cc: Gervase Markham ; 
mozilla-dev-security-pol...@lists.mozilla.org; Steve Medin 
Subject: Re: Misissued/Suspicious Symantec Certificates

Hi Steve,

Two more questions to add to the list which is already pending:

In [1], in response to question 5, Symantec indicated that Certisign was a 
WebTrust audited partner RA, with [2] provided as evidence to this fact. While 
we discussed the concerns with respect to the audit letter, specifically in 
[3], questions 3 - 6, and while Symantec noted that it would cease to accept 
future EY Brazil audits, I have confirmed with CPA Canada that during the 
2016 and 2017 periods, EY Brazil was not a licensed WebTrust practitioner, as 
indicated at [4].

Given that EY Brazil was not a licensed WebTrust auditor, it appears that 
Symantec failed to uphold Section 8.2 of the Baseline Requirements, v1.4.1 [5], 
namely, that "(For audits conducted in accordance with the WebTrust standard) 
licensed by WebTrust", which is a requirement clearly articulated in Section 
8.4 of the Baseline Requirements, namely, that "If the CA is not using one of 
the above procedures and the Delegated Third Party is not an Enterprise RA, 
then the CA SHALL obtain an audit report, issued under the auditing standards 
that underlie the accepted audit schemes found in Section 8.1, ..."

1) Was Symantec's compliance team involved in the review of Certisign's audit?

2) Does Symantec agree with the conclusion that, on the basis of this evidence, 
Symantec failed to uphold the Baseline Requirements, independent of any action 
by a Delegated Third Party?

[1] https://bug1334377.bmoattachments.org/attachment.cgi?id=8831933
[2] https://bug1334377.bmoattachments.org/attachment.cgi?id=8831929
[3] https://bug1334377.bmoattachments.org/attachment.cgi?id=8836487
[4] http://www.webtrust.org/licensed-webtrust-practitioners-international/item64419.aspx
[5] https://cabforum.org/wp-content/uploads/CA-Browser-Forum-BR-1.4.1.pdf

___
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy


Re: Misissued/Suspicious Symantec Certificates

2017-02-17 Thread urijah--- via dev-security-policy
On Friday, February 17, 2017 at 10:19:06 PM UTC-5, Ryan Sleevi wrote:
> On Fri, Feb 17, 2017 at 5:17 PM, urijah--- via dev-security-policy <
> dev-security-policy@lists.mozilla.org> wrote:
> 
> > On Friday, February 17, 2017 at 7:50:31 PM UTC-5, uri...@gmail.com wrote:
> > > On Friday, February 17, 2017 at 7:23:54 PM UTC-5, Ryan Sleevi wrote:
> > > > I have confirmed with CPA
> > > > Canada that during the 2016 and 2017 periods, EY Brazil was not a
> > > > licensed WebTrust practitioner, as indicated at [4].
> > > >
> > > > [4]
> > > > http://www.webtrust.org/licensed-webtrust-practitioners-international/item64419.aspx
> > >
> > >
> > > The footnote at the above makes that a little hard to understand--
> > >
> > > "EY refers to a member firm of Ernst & Young Global Limited.  Through a
> > license with Ernst & Young Global Limited all EY members are licensed to
> > provide WebTrust for Certification Authorities services."
> >
> 
> Thanks for highlighting this. Indeed, while confirming the list was up to
> date, I had missed the footnote.
> 
> 
> > Additionally "Ernst Young Brazil" was listed as late as March 20, 2016
> > apparently.
> >
> > https://web-beta.archive.org/web/20160320161225/http://www.webtrust.org/licensed-webtrust-practitions-international/item64419.aspx
> >
> >
> The audit was dated 2017/01/24, so the historic status would be irrelevant.


Sure. The strange thing to me (and possibly not relevant to this thread) is how 
both can be true--all E&Y members worldwide are licensed to do WebTrust 
audits, yet E&Y Brazil was taken *off* the WebTrust list in the latest update.

I think 
http://www.webtrust.org/licensed-webtrust-practitioners-international/item64419.aspx 
and 
https://web-beta.archive.org/web/20160320161225/http://www.webtrust.org/licensed-webtrust-practitions-international/item64419.aspx 
are possibly intended to be read differently. The old list gives specific 
named firms (or branches), by country (but says it is a list of "global 
practitioners"); the new list gives many fewer firms, but the country listing 
means...where they are active? If WebTrust revamped their approach to 
licensing, it might be good to know why/how and when. (And I don't see anywhere 
on their site where they discuss how they license auditors at all.)


Re: Misissued/Suspicious Symantec Certificates

2017-02-17 Thread Ryan Sleevi via dev-security-policy
On Fri, Feb 17, 2017 at 5:17 PM, urijah--- via dev-security-policy <
dev-security-policy@lists.mozilla.org> wrote:

> On Friday, February 17, 2017 at 7:50:31 PM UTC-5, uri...@gmail.com wrote:
> > On Friday, February 17, 2017 at 7:23:54 PM UTC-5, Ryan Sleevi wrote:
> > > I have confirmed with CPA
> > > Canada that during the 2016 and 2017 periods, EY Brazil was not a
> > > licensed WebTrust practitioner, as indicated at [4].
> > >
> > > [4]
> > > http://www.webtrust.org/licensed-webtrust-practitioners-international/item64419.aspx
> >
> >
> > The footnote at the above makes that a little hard to understand--
> >
> > "EY refers to a member firm of Ernst & Young Global Limited.  Through a
> license with Ernst & Young Global Limited all EY members are licensed to
> provide WebTrust for Certification Authorities services."
>

Thanks for highlighting this. Indeed, while confirming the list was up to
date, I had missed the footnote.


> Additionally "Ernst Young Brazil" was listed as late as March 20, 2016
> apparently.
>
> https://web-beta.archive.org/web/20160320161225/http://www.webtrust.org/licensed-webtrust-practitions-international/item64419.aspx
>
>
The audit was dated 2017/01/24, so the historic status would be irrelevant.


Re: Misissued/Suspicious Symantec Certificates

2017-02-17 Thread urijah--- via dev-security-policy
On Friday, February 17, 2017 at 7:50:31 PM UTC-5, uri...@gmail.com wrote:
> On Friday, February 17, 2017 at 7:23:54 PM UTC-5, Ryan Sleevi wrote:
> > I have confirmed with CPA
> > Canada that during the 2016 and 2017 periods, EY Brazil was not a
> > licensed WebTrust practitioner, as indicated at [4].
> > 
> > [4]
> > http://www.webtrust.org/licensed-webtrust-practitioners-international/item64419.aspx
> 
> 
> The footnote at the above makes that a little hard to understand--
> 
> "EY refers to a member firm of Ernst & Young Global Limited.  Through a 
> license with Ernst & Young Global Limited all EY members are licensed to 
> provide WebTrust for Certification Authorities services."


Additionally "Ernst Young Brazil" was listed as late as March 20, 2016 
apparently.

https://web-beta.archive.org/web/20160320161225/http://www.webtrust.org/licensed-webtrust-practitions-international/item64419.aspx


Re: Misissued/Suspicious Symantec Certificates

2017-02-17 Thread urijah--- via dev-security-policy
On Friday, February 17, 2017 at 7:23:54 PM UTC-5, Ryan Sleevi wrote:
> I have confirmed with CPA
> Canada that during the 2016 and 2017 periods, EY Brazil was not a
> licensed WebTrust practitioner, as indicated at [4].
> 
> [4]
> http://www.webtrust.org/licensed-webtrust-practitioners-international/item64419.aspx


The footnote at the above makes that a little hard to understand--

"EY refers to a member firm of Ernst & Young Global Limited.  Through a license 
with Ernst & Young Global Limited all EY members are licensed to provide 
WebTrust for Certification Authorities services."


Re: Misissued/Suspicious Symantec Certificates

2017-02-17 Thread Ryan Sleevi via dev-security-policy
Hi Steve,

Two more questions to add to the list which is already pending:

In [1], in response to question 5, Symantec indicated that Certisign was a
WebTrust audited partner RA, with [2] provided as evidence to this fact.
While we discussed the concerns with respect to the audit letter,
specifically in [3], questions 3 - 6, and while Symantec noted that it
would cease to accept future EY Brazil audits, I have confirmed with CPA
Canada that during the 2016 and 2017 periods, EY Brazil was not a
licensed WebTrust practitioner, as indicated at [4].

Given that EY Brazil was not a licensed WebTrust auditor, it appears that
Symantec failed to uphold Section 8.2 of the Baseline Requirements, v1.4.1
[5], namely, that "(For audits conducted in accordance with the WebTrust
standard) licensed by WebTrust", which is a requirement clearly articulated
in Section 8.4 of the Baseline Requirements, namely, that "If the CA is not
using one of the above procedures and the Delegated Third Party is not an
Enterprise RA, then the CA SHALL obtain an audit report, issued under the
auditing standards that underlie the accepted audit schemes found in
Section 8.1, ..."

1) Was Symantec's compliance team involved in the review of Certisign's
audit?
2) Does Symantec agree with the conclusion that, on the basis of this
evidence, Symantec failed to uphold the Baseline Requirements, independent
of any action by a Delegated Third Party?

[1] https://bug1334377.bmoattachments.org/attachment.cgi?id=8831933
[2] https://bug1334377.bmoattachments.org/attachment.cgi?id=8831929
[3] https://bug1334377.bmoattachments.org/attachment.cgi?id=8836487
[4] http://www.webtrust.org/licensed-webtrust-practitioners-international/item64419.aspx
[5] https://cabforum.org/wp-content/uploads/CA-Browser-Forum-BR-1.4.1.pdf