RE: Misissued/Suspicious Symantec Certificates

[mailto:r...@sleevi.com] Sent: Wednesday, February 22, 2017 11:33 PM To: Steve Medin <steve_me...@symantec.com> Cc: mozilla-dev-security-pol...@lists.mozilla.org; r...@sleevi.com; Gervase Markham <g...@mozilla.org> Subject: Re: Misissued/Suspicious Symantec Certificates Hi Steve, Tha

Re: Misissued/Suspicious Symantec Certificates

On Tuesday, 28 February 2017 17:45:19 UTC, Santhan Raj wrote: > WebTrust for Certification Authorities , SSL > BaselinewithNetwork Security, Version 2.0,available > at > http://www.webtrust.org/homepage‐documents/item79806.pdf. 404 - File

Re: Misissued/Suspicious Symantec Certificates

On Friday, February 24, 2017 at 5:12:43 PM UTC-8, Peter Bowen wrote: > "auditing standards that underlie the accepted audit schemes found in > Section 8.1" > > This is obviously a error in the BRs. That language is taken from > Section 8.1 and there is no list of schemes in 8.1. > > 8.4 does

Re: Misissued/Suspicious Symantec Certificates

On Fri, Feb 24, 2017 at 4:51 PM, Ryan Sleevi wrote: > > > On Wed, Feb 22, 2017 at 8:32 PM, Ryan Sleevi wrote: > >> Hi Steve, >> >> Thanks for your continued attention to this matter. Your responses open >> many new and important questions and which give serious

Re: Misissued/Suspicious Symantec Certificates

"auditing standards that underlie the accepted audit schemes found in Section 8.1" This is obviously a error in the BRs. That language is taken from Section 8.1 and there is no list of schemes in 8.1. 8.4 does have a list of schemes: 1. WebTrust for Certification Authorities v2.0; 2. A national

Re: Misissued/Suspicious Symantec Certificates

On Wed, Feb 22, 2017 at 8:32 PM, Ryan Sleevi wrote: > Hi Steve, > > Thanks for your continued attention to this matter. Your responses open > many new and important questions and which give serious question as to > whether the proposed remediations are sufficient. To keep this

Re: Misissued/Suspicious Symantec Certificates

I am aware of the requirements but am interested in seeing how an RA that doesn't have their own issuing cert structures the audit report. It probably looks the same, but I've never seen one (unless that is the case with the previously provided audit report). On Feb 22, 2017, at 8:48 PM, Ryan

Re: Misissued/Suspicious Symantec Certificates

On Wed, Feb 22, 2017 at 8:36 PM, Jeremy Rowley wrote: > Webtrust doesn't have audit criteria for RAs so the audit request may > produce interesting results. Or are you asking for the audit statement > covering the root that the RA used to issue from? That should all

Re: Misissued/Suspicious Symantec Certificates

ments.org/attachment.cgi?id=8838825. >> >> >> >> >> >> From: Ryan Sleevi [mailto:r...@sleevi.com] >> Sent: Friday, February 17, 2017 6:54 PM >> To: Ryan Sleevi <r...@sleevi.com> >> Cc: Gervase Markham <g...@mozilla.org>; mozilla-dev-s

Re: Misissued/Suspicious Symantec Certificates

m> > Cc: Gervase Markham <g...@mozilla.org>; mozilla-dev-security-policy@ > lists.mozilla.org; Steve Medin <steve_me...@symantec.com> > Subject: Re: Misissued/Suspicious Symantec Certificates > > > > Hi Steve, > > > > Two more question to add to the li

RE: Misissued/Suspicious Symantec Certificates

gt; Cc: Gervase Markham <g...@mozilla.org>; mozilla-dev-security-pol...@lists.mozilla.org; Steve Medin <steve_me...@symantec.com> Subject: Re: Misissued/Suspicious Symantec Certificates Hi Steve, Two more question to add to the list which is already pending: In [1], in response to qu

Re: Misissued/Suspicious Symantec Certificates

On Friday, February 17, 2017 at 10:19:06 PM UTC-5, Ryan Sleevi wrote: > On Fri, Feb 17, 2017 at 5:17 PM, urijah--- via dev-security-policy < > dev-security-policy@lists.mozilla.org> wrote: > > > On Friday, February 17, 2017 at 7:50:31 PM UTC-5, uri...@gmail.com wrote: > > > On Friday, February

Re: Misissued/Suspicious Symantec Certificates

On Fri, Feb 17, 2017 at 5:17 PM, urijah--- via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > On Friday, February 17, 2017 at 7:50:31 PM UTC-5, uri...@gmail.com wrote: > > On Friday, February 17, 2017 at 7:23:54 PM UTC-5, Ryan Sleevi wrote: > > > I have confirmed with CPA >

Re: Misissued/Suspicious Symantec Certificates

On Friday, February 17, 2017 at 7:50:31 PM UTC-5, uri...@gmail.com wrote: > On Friday, February 17, 2017 at 7:23:54 PM UTC-5, Ryan Sleevi wrote: > > I have confirmed with CPA > > Canada that at during the 2016 and 2017 periods, EY Brazil was not a > > licensed WebTrust practitioner, as indicated

Re: Misissued/Suspicious Symantec Certificates

On Friday, February 17, 2017 at 7:23:54 PM UTC-5, Ryan Sleevi wrote: > I have confirmed with CPA > Canada that at during the 2016 and 2017 periods, EY Brazil was not a > licensed WebTrust practitioner, as indicated at [4]. > > [4] >

Re: Misissued/Suspicious Symantec Certificates

Hi Steve, Two more question to add to the list which is already pending: In [1], in response to question 5, Symantec indicated that Certisign was a WebTrust audited partner RA, with [2] provided as evidence to this fact. While we discussed the concerns with respect to the audit letter,

Re: Misissued/Suspicious Symantec Certificates

On Mon, Feb 13, 2017 at 4:48 AM, Gervase Markham via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > Hi Steve, > > On 12/02/17 15:27, Steve Medin wrote: > > A response is now available in Bugzilla 1334377 and directly at: > >

Re: Misissued/Suspicious Symantec Certificates

Hi Steve, On 12/02/17 15:27, Steve Medin wrote: > A response is now available in Bugzilla 1334377 and directly at: > https://bugzilla.mozilla.org/attachment.cgi?id=8836487 Thank you for this timely response. Mozilla continues to expect answers to all reasonable and polite questions posed in our

Re: Misissued/Suspicious Symantec Certificates

So after reading this, the following auditors aren't trusted by Symantec anymore: - E Korea - E Brazil The following isn't trusted by Mozilla anymore: - E Hong Kong This seems to be a worrying trend to me. Kurt On 2017-02-12 20:25, Eric Mill wrote: Also relevant are Symantec's statements

Re: Misissued/Suspicious Symantec Certificates

Also relevant are Symantec's statements about two E regional auditors. One section describes contradictions from E KR (Korea) in describing why some CrossCert issuing CAs were not in scope: • The list of CAs in the audit was produced by CrossCert and given to E KR as the scope to audit. It was

Re: Misissued/Suspicious Symantec Certificates

On Sunday, 12 February 2017 15:28:26 UTC, Steve Medin wrote: > A response is now available in Bugzilla 1334377 and directly at: > https://bugzilla.mozilla.org/attachment.cgi?id=8836487 Thanks for these responses Steve, I believe that Symantec's decision to terminate the RA Partner programme was

RE: Misissued/Suspicious Symantec Certificates

c.com>; mozilla-dev-security- > pol...@lists.mozilla.org > Cc: r...@sleevi.com > Subject: Re: Misissued/Suspicious Symantec Certificates > > On 09/02/17 03:07, Ryan Sleevi wrote: > > We appreciate your attention to these questions and will thoughtfully > > consi

Re: Misissued/Suspicious Symantec Certificates

On Thursday, 9 February 2017 03:08:14 UTC, Ryan Sleevi wrote: > 19) Can you confirm that Certsuperior, Certisign, CrossCert, and Certisur > are the only Delegated Third Parties utilized by Symantec, across all > Symantec operated CAs that are trusted by Mozilla products? Maybe Ryan has better

Re: Misissued/Suspicious Symantec Certificates

On Sat, Feb 4, 2017 at 3:10 AM, Gervase Markham wrote: > On 31/01/17 04:51, Steve Medin wrote: > > Our response to questions up to January 27, 2017 has been posted as an > > attachment to bug https://bugzilla.mozilla.org/show_bug.cgi?id=1334377. > > Quoting that document: > >

Re: Misissued/Suspicious Symantec Certificates

On 05/02/17 09:47, Gervase Markham wrote: > On 05/02/17 06:20, Peter Gutmann wrote: >> That's not a cert issue, it's Firefox objecting to the version of SSL/TLS the >> server is advertising. Hey, it would be pretty funny if the cert auditors' >> certs were broken, but it's just the browser

Re: Misissued/Suspicious Symantec Certificates

Hi Steve, On 31/01/17 03:51, Steve Medin wrote: > Our response to questions up to January 27, 2017 has been posted as an > attachment to bug https://bugzilla.mozilla.org/show_bug.cgi?id=1334377. It's now ten days later; are Symantec in a position to answer the next batch of questions, and also

Re: Misissued/Suspicious Symantec Certificates

On 05/02/17 06:20, Peter Gutmann wrote: > That's not a cert issue, it's Firefox objecting to the version of SSL/TLS the > server is advertising. Hey, it would be pretty funny if the cert auditors' > certs were broken, but it's just the browser complaining about something else. That machine

Re: Misissued/Suspicious Symantec Certificates

As a side note to the main topic, I find it curious and a little disconcerting that the referred link to the E assessement of CrossCert, (outlined in Point 2 of "Additional Follow-ups") found on the document linked by Steve (here : https://bug1334377.bmoattachments.org/attachment.cgi?id=8831038

Re: Misissued/Suspicious Symantec Certificates

On 04/02/17 14:32, Ryan Sleevi wrote: > Gerv, as the information Steve shared about their other RAs show, their > issues with RAs are not limited to CrossCert, unfortunately. Check out the > rest of the details included. Ouch. Thank you for drawing these to my attention; I had neglected to read

Re: Misissued/Suspicious Symantec Certificates

On Sat, Feb 4, 2017 at 3:10 AM, Gervase Markham wrote: > > 4) Is there any reliable programmatic way of determining, looking only > at the contents of the certificate or certificate chain, that a > certificate was issued by CrossCert personnel using their processes, as > opposed

Re: Misissued/Suspicious Symantec Certificates

On 31/01/17 04:51, Steve Medin wrote: > Our response to questions up to January 27, 2017 has been posted as an > attachment to bug https://bugzilla.mozilla.org/show_bug.cgi?id=1334377. Quoting that document: "Q: 4) In response to the previous incident, Symantec indicated it updated its internal

RE: Misissued/Suspicious Symantec Certificates

e>; mozilla-dev-security-pol...@lists.mozilla.org Subject: Re: Misissued/Suspicious Symantec Certificates Steve, As captured in our private mail exchange last week, Symantec's report fails to meaningfully address each or any of the questions I raised. Google considers it of utmost urg

Re: Misissued/Suspicious Symantec Certificates

On Monday, 30 January 2017 17:52:34 UTC, Andrew Ayer wrote: > I would appreciate confirmation from Steve, but note that dev119money.com > is not currently a registered domain name. Ah yes, none of the names on that certificate currently exist in the Internet DNS: devhkhouse.co.kr and

Re: Misissued/Suspicious Symantec Certificates

On Fri, 27 Jan 2017 09:43:00 -0800 (PST) Nick Lamb wrote: > On Friday, 27 January 2017 12:11:06 UTC, Gervase Markham wrote: > > * It's not clear what the problem is with the issuance in category > > F. I don't see any mention of "dev119money.com" in Andrew's initial > >

Re: Misissued/Suspicious Symantec Certificates

On 30/01/17 12:51, Nick Lamb wrote: > CrossCert Certification Practice Statement Version 3.8.8 Effective > Date: JUNE 29, 2012 That date is interesting. The BRs require CPSes to be revised yearly. > "End-user Subscriber Certificates contain an X.501 distinguished name > in the Subject name field

Re: Misissued/Suspicious Symantec Certificates

On Monday, 30 January 2017 11:10:00 UTC, Gervase Markham wrote: > Could you point is at the parts of the CPS or other documents which led > you to that belief? I examined a great many documents since Andrew's initial report. I think the document which originally caused me to form this incorrect

Re: Misissued/Suspicious Symantec Certificates

Hi Nick, On 29/01/17 12:39, Nick Lamb wrote: > 2. It had been my assumption, based on the CPS and other documents, > that CrossCert was restricted in their use of Symantec's issuance > function to C=KR Could you point is at the parts of the CPS or other documents which led you to that belief?

Re: Misissued/Suspicious Symantec Certificates

On Sunday, 29 January 2017 02:28:53 UTC, Steve Medin wrote: > We completed our investigation of these 12 certificates by requesting > archived documentation. CrossCert was unable to produce documentation to > prove their validation as required under BR 5.4.1. We revoked all 12 > certificates

RE: Misissued/Suspicious Symantec Certificates

Symantec's auditors, KPMG, completed a scan of CrossCert certificates to detect potential mis-issuance. On Thursday, January 26, 2017 at 4:08pm PST, KPMG provided a report that listed 12 problem certificates that were not in Andrew Ayer's report. We began an investigation into that certificate

Re: Misissued/Suspicious Symantec Certificates

On Friday, 27 January 2017 12:11:06 UTC, Gervase Markham wrote: > * It's not clear what the problem is with the issuance in category F. I > don't see any mention of "dev119money.com" in Andrew's initial report. > Can you explain (and provide a crt.sh link)? https://crt.sh/?id=48539119 appears to

Re: Misissued/Suspicious Symantec Certificates

Hi Steve, On 27/01/17 01:30, Steve Medin wrote: > Here is an attached PDF update regarding this certificate problem report. Thanks for the update. Here are some questions: * It's not clear what the problem is with the issuance in category F. I don't see any mention of "dev119money.com" in

Re: Misissued/Suspicious Symantec Certificates

>; mozilla-dev-security- pol...@lists.mozilla.org Subject: RE: Misissued/Suspicious Symantec Certificates The listed Symantec certificates were issued by one of our WebTrust audited partners. We have reduced this partner's privileges to restrict further issuance while we review this matte

Re: Misissued/Suspicious Symantec Certificates

e- From: dev-security-policy [mailto:dev-security-policy- bounces+steve_medin=symantec@lists.mozilla.org] On Behalf Of Steve Medin Sent: Saturday, January 21, 2017 9:35 AM To: Andrew Ayer <a...@andrewayer.name>; mozilla-dev-security- pol...@lists.mozilla.org Subject: RE: Misissu

Re: Misissued/Suspicious Symantec Certificates

Saturday, January 21, 2017 9:35 AM > > To: Andrew Ayer <a...@andrewayer.name>; mozilla-dev-security- > > pol...@lists.mozilla.org > > Subject: RE: Misissued/Suspicious Symantec Certificates > > > > The listed Symantec certificates were issued by one of our WebTrust > audited &

Re: Misissued/Suspicious Symantec Certificates

On Thursday, January 26, 2017 at 9:27:52 PM UTC-8, Steve Medin wrote: > Here is an attached PDF update regarding this certificate problem report. > > Kind regards, > Steven Medin > PKI Policy Manager, Symantec Corporation > The PDF file provided by Steven has been attached to this bug:

RE: Misissued/Suspicious Symantec Certificates

On Behalf Of Steve > Medin > Sent: Saturday, January 21, 2017 9:35 AM > To: Andrew Ayer <a...@andrewayer.name>; mozilla-dev-security- > pol...@lists.mozilla.org > Subject: RE: Misissued/Suspicious Symantec Certificates > > The listed Symantec certificates were issued by one of

Re: Misissued/Suspicious Symantec Certificates

Steve, Have you had a chance to review these questions? Considering that these are all about existing practices, and as a CA should be readily available and easy to answer, I'm hoping you can reply by end of day. Please consider this a formal request from Google as part of investigating this

Re: Misissued/Suspicious Symantec Certificates

Hi Hanno, On Tue, 24 Jan 2017 10:38:01 +0100 Hanno B__ck wrote: > Hello, > > I have a few observations to share about this incident, not sure how > relevant they are. Thanks for sharing these. I found them interesting. > There are 4 "example.com" certificates related to

Re: Misissued/Suspicious Symantec Certificates

Hello, I have a few observations to share about this incident, not sure how relevant they are. There are 4 "example.com" certificates related to this incident. There are 114 "O=test" certificates that I assume are related to this incident. This includes all certificates with a "Not Before" date

Re: Misissued/Suspicious Symantec Certificates

Steve, While I understand that your investigation is ongoing, this does seem extremely similar, if not identical, to Symantec's previous misissuance. In that previous incident, Symantec took a number of steps - beginning with reportedly immediately terminating the employees responsible and then

RE: Misissued/Suspicious Symantec Certificates

The listed Symantec certificates were issued by one of our WebTrust audited partners. We have reduced this partner's privileges to restrict further issuance while we review this matter. We revoked all reported certificates which were still valid that had not previously been revoked within the 24

Re: Misissued/Suspicious Symantec Certificates

On Thursday, 19 January 2017 21:46:38 UTC, Andrew Ayer wrote: > 2. The third certificate in the list above contains a SAN for > DNS:*.crosscert.com - note that three of the misissued example.com > certificates contain "Crosscert" in their Subject Organization. Crosscert aka Korea Electronic

RE: Misissued/Suspicious Symantec Certificates

Andrew, thank you for your efforts to report this issue. We are investigating and will report our resolution, cause analysis, and corrective actions once complete. Kind regards, Steven Medin PKI Policy Manager, Symantec Corporation > -Original Message- > From: dev-security-policy