Re: Symantec Response V
Hi Steve,

Some follow-up questions:

1) Symantec stated "This information was in their management assertions, and repeated in the audit findings. So the poor audit situation was ongoing and known."

a) Symantec did not meaningfully provide any explanation, now, or in the past, as to why it took multiple audit periods to resolve these issues. In order to establish for Relying Parties that Symantec is trustworthy and competent, please supply additional details as to why it took so long.

b) On the basis of the provided information, it does not appear Symantec asked their GeoRoot partners for audits. This is also consistent with the reports from UniCredit's management, and we would be happy to reach out to other GeoRoot partners regarding Symantec's communications over the past several years. Given the issues such as Aetna, do you believe Symantec had a material obligation to be diligent in obtaining an audit?

c) What provisions, if any, did Symantec contractually have to ensure such audits and compliance with Symantec's CP/CPS?

d) Did such provisions include the ability for Symantec to revoke such certificates for non-compliance, as required by the Baseline Requirements, Section 9.6.3?

e) If not, what steps have been taken to address this in all existing and future business relationships?

f) If it already existed, why did Symantec not exercise that option, as required by the Baseline Requirements, Section 4.9.1.2?

g) What assurances, if any, should Relying Parties have that Symantec will execute its Baseline Requirements required obligations in the future, given its documented failures in the past?

2) Symantec states "Because GeoRoot only operates under GeoTrust roots and the associated CPS, the Symantec Trust Network and Thawte audits are fairly stated."

a) It has been identified that Symantec has failed to provide BR-compliant audits for your RAs. Do you still believe this statement is accurate?

b) If so, why?

c) If not, have you re-evaluated every statement Symantec has made in response to these issues, to ensure that Symantec has not overlooked any other material or contradictory evidence?

3) Do you believe the actions taken with respect to Aetna and UniCredit were consistent with the Baseline Requirements?

a) If so, specifically, what provisions?

b) If not, what steps have you taken to ensure Symantec will abide by the Baseline Requirements in the future, as is necessary and expected for continued trust?

___
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
Re: Symantec Response V
Hi Steve,

Thank you for this. Issue V was indeed somewhat confused - my apologies. I have split it into Issue V, covering GeoRoot, and Issue W, covering the RAs.

On 10/04/17 15:58, Steve Medin wrote:
> Separately, Symantec operates two subordinate CAs solely for NTT
> DoCoMo in an enterprise PKI application. These subordinate CAs had
> been considered part of the "GeoRoot" program as well, and we had
> therefore excluded them (similar to the above externally operated
> ones) from the list of Symantec CAs in our audits.

If they were excluded from the Symantec audit, and were not one of the five GeoRoot partners who had their own audits, did these subordinate CAs fall under any audit at all in this period?

> Symantec provided the letter quoted below to Google, Mozilla,
> Microsoft, and Apple when we shared the Point in Time Audits on
> September 6, 2016 to specifically address the GeoRoot audit status
> and remediation plan.

Without seeming to doubt your word, can you tell me how you supplied such a letter? Was it to certifica...@mozilla.org or directly to Kathleen? A quick search can't find it in my email archive, so a recipient, Subject and Date for the communication would be most appreciated.

> All of Certisign's audits are both WebTrust for CAs and SSL Baseline
> and were unqualified.

The Certisign audit provided was this one:
https://bug1334377.bmoattachments.org/attachment.cgi?id=8831929

It does say that Certisign complied with the Network Security Guidelines but doesn't mention the BRs and, somewhat confusingly, also says:

"This report does not include any representation as to the quality of CERTISIGN - CA's services beyond those covered by the Trust Service Principles and Criteria for Certification Authorities..."

which suggests this audit is only a WebTrust for CAs audit, not a BR audit. Are there audit documents missing which show that they were BR-audited? Can you clarify?

> Certsuperior's audits state that their scope was WebTrust for SSL
> Baseline but do not state WebTrust for CAs. Prior to 2016,
> Certsuperior provided WebTrust SSL Baseline audits from an unlicensed
> auditor. Symantec's compliance organization identified the issue in
> 2016. For 2016, Certsuperior provided a qualified audit by Deloitte,
> a WebTrust licensed auditor in Mexico. Certsuperior's audit led to
> immediate sanction to solve the issues detected within 90 days and to
> provide a Point in Time audit. They provided such audit and it was
> unqualified. Further, Deloitte is required to examine certificate
> issuance as a normal part of the WebTrust program and they did not
> cite any problems with Certsuperior's validation work in either
> audit. Accordingly, we believe certificate issuance was inspected.

Are you saying that none of the deficiencies identified at Certsuperior, in Symantec's view, had a material effect on the quality of certificate issuance? Given that Deloitte pointed out that the CPS was illegible and there was a "lack of implemented and documented control for requested validations sent by authorized personnel", on what grounds do you state that "Deloitte ... did not cite any problems with Certsuperior's validation work"? If they can't read the CPS, how can they tell if Certsuperior is following it?

> Certisur's audits were WebTrust for CAs only. Symantec's compliance
> organization identified the issue and has requested that Certisur's
> next audit for calendar year 2016 explicitly include the criteria in
> both WebTrust for CAs and WebTrust Baseline. All audits received
> were unqualified and performed by a licensed WebTrust auditor.

How long has it been the case that they did not have a BR audit?

> CrossCert's audits were WebTrust for CAs only through 2015.

Same question.

Does Symantec agree that these RAs should have had a Baseline audit for all periods when they were operating?
Gerv
Symantec Response V
Issue V: RA Program Audit Issues (2013 or earlier - January 2017)

Symantec has had two different programs that involve delegated third parties associated with publicly trusted TLS and subject to third-party audits: our GeoRoot program and our RA/Affiliate program. GeoRoot refers to our program under which intermediate CAs have been created for the sole use and independent operation by specific customers at premises under their control. RA/Affiliate for publicly trusted SSL/TLS refers to our program under which we authorize appropriately trained personnel at select RA partners to complete all steps of authentication, review and certificate issuance.

We refer to the following section of Issue V of the Mozilla post:

"Symantec's RAs appear to have had a history of poor compliance with the BRs and other audit requirements, facts which were known to Symantec but not disclosed to Mozilla or dealt with in appropriately comprehensive ways. Over multiple years (2013-12-01 to 2014-11-30, 2014-12-01 to 2015-11-30), Symantec's "GeoTrust" audits were qualified to say that they did not have proper audit information for some of these RAs. This information was in their management assertions, and repeated in the audit findings. So the poor audit situation was ongoing and known. Also, other audit reports, despite being in hierarchies accessible for issuance by the same RAs, did not have similar qualifications (Symantec Trust Network, 2014-12-01 to 2015-11-30)."

The audit findings referred to above are specifically related to audits under our GeoRoot program, not our RA program. Because GeoRoot only operates under GeoTrust roots and the associated CPS, the Symantec Trust Network and Thawte audits are fairly stated. In the GeoTrust WebTrust BR 2015-2016 period in time audit, there were five references to external partners' subordinate CAs, including: Intel, Aetna, UniCredit, Google, and Apple.

Intel: https://crt.sh/?sha1=924b357fc7b9d8c9d26e41d4af4dc6c4babe90e5
Aetna: https://crt.sh/?id=33549
UniCredit: https://crt.sh/?CN=UniCredit+Subordinate+External
Google: https://crt.sh/?CN=Google+Internet+Authority+G2
Apple: https://crt.sh/?CN=Apple+IST+CA%25

Separately, Symantec operates two subordinate CAs solely for NTT DoCoMo in an enterprise PKI application. These subordinate CAs had been considered part of the "GeoRoot" program as well, and we had therefore excluded them (similar to the above externally operated ones) from the list of Symantec CAs in our audits. After reviewing our approach, our compliance team determined that they should be included going forward. As such, for the 2016-2017 Period in Time, these subordinate CAs are included in the GeoTrust WebTrust for CA and BR audits.

For the organizations that externally operate subordinate CAs, the previous audit issues centered on Intel, Aetna, and UniCredit. Intel's subordinate CA, which expired in 2016, was not subject to audits either contractually or by previous agreements with both Mozilla and Microsoft given its limited use. Symantec encountered challenges in getting audits for Aetna and UniCredit, as identified in our 2015-2016 Period in Time audit. After receiving a qualified audit for Aetna, dated May 11, 2016, and an assessment dated March 9, 2016 rather than a WebTrust or ETSI audit for UniCredit, we held discussions with both companies regarding termination of their issuance privileges for new certificates and complete termination of all use as of November 30, 2016. UniCredit violated the requirements that Symantec placed on it for transition and Symantec thereafter promptly revoked its subordinate CA. Aetna's subordinate CA was revoked on November 30, 2016 because they complied with the terms of their CRL-only wind down period.

Symantec provided the letter quoted below to Google, Mozilla, Microsoft, and Apple when we shared the Point in Time Audits on September 6, 2016 to specifically address the GeoRoot audit status and remediation plan. That cover letter outlined the plan to wind down the Aetna and UniCredit subordinate CAs. Symantec received no response to our letter to the browser firms and subsequently executed the plan. This activity, along with the final wind down in 2016 of the Intel subordinate CA, were in the scope of our latest audits.

"Dear Browser Community:

The WebTrust Point in Time audit reports have now been issued by KPMG, which had no material findings. The Point In Time is as of June 15, 2016. You can find electronic copies of the reports here: https://www.symantec.com/about/legal/repository.jsp?tab=Tab3. Please note that the last WebTrust Period in Time audit that covered December 1, 2014 through November 30, 2015, identified two audit reports for partner subordinate CAs signed by the GeoTrust Global CA that were received but were not in accordance with permitted audit schemes. The actions to address these audit reports from the partner subordinate CAs were in progress