Re: [EXT] Re: Draft further questions for Symantec

2017-05-19 Thread Gervase Markham via dev-security-policy
On 15/05/17 22:08, Michael Casadevall wrote: > RA & EV: > Were all the certificates issued by the RAs uploaded to a CT log? If > not, what, if any, subsets were uploaded? > > I'm aware Symantec was required to upload certificates to CT or if it > was retroactive, but I'm unsure if that requirement

RE: [EXT] Re: Draft further questions for Symantec

2017-05-15 Thread Steve Medin via dev-security-policy
urity-policy > Sent: Monday, May 15, 2017 3:41 PM > To: mozilla-dev-security-pol...@lists.mozilla.org > Subject: Re: [EXT] Re: Draft further questions for Symantec > > The link in footnote [1] > https://www.idmanagement.gov/IDM/servlet/fileField?entityId=ka0t > 000Gmi3AAC=File__

Re: [EXT] Re: Draft further questions for Symantec

2017-05-15 Thread Michael Casadevall via dev-security-policy
I took a stab at trying to grok this. I find I have more questions and a lot more concerns the more I read though. Please let me know if I'm not the only one having issues decoding the responses. Here's my first impressions: RA & EV: Were all the certificates issued by the RAs uploaded to a CT

Re: [EXT] Re: Draft further questions for Symantec

2017-05-15 Thread urijah--- via dev-security-policy
urity-policy > > Sent: Wednesday, May 10, 2017 7:06 AM > > To: mozilla-dev-security-pol...@lists.mozilla.org > > Subject: [EXT] Re: Draft further questions for Symantec > > > > On 08/05/17 13:24, Gervase Markham wrote: > > > 8) Please explain how the Man

RE: [EXT] Re: Draft further questions for Symantec

2017-05-15 Thread Steve Medin via dev-security-policy
> Gervase Markham via dev-security-policy > Sent: Wednesday, May 10, 2017 7:06 AM > To: mozilla-dev-security-pol...@lists.mozilla.org > Subject: [EXT] Re: Draft further questions for Symantec > > On 08/05/17 13:24, Gervase Markham wrote: > > 8) Please explain how the Manage

Re: Draft further questions for Symantec

2017-05-10 Thread Gervase Markham via dev-security-policy
On 08/05/17 13:24, Gervase Markham wrote: > 8) Please explain how the Management Assertions for your December 2014 Strike this question; it's based on a misunderstanding of how audits are done. Let's add: 10) Do you agree that, during the period of time that Symantec cross-signed the Federal

Re: Draft further questions for Symantec

2017-05-08 Thread wizard--- via dev-security-policy
In addition to requesting disclosure of intermediates that have been (even if not currently are) able to issue server certs, and the catchall, both of which seem excellent, I encourage Mozilla to consider asking these questions as part of an implemented remedy plan. That is, put in motion

Re: Draft further questions for Symantec

2017-05-08 Thread richmoore44--- via dev-security-policy
On Monday, May 8, 2017 at 1:24:28 PM UTC+1, Gervase Markham wrote: > I think it might be appropriate to have a further round of questions to > Symantec from Mozilla, to try and get some clarity on some outstanding > and concerning issues. Here are some _proposed_ questions; feel free to > suggest

Re: Draft further questions for Symantec

2017-05-08 Thread urijah--- via dev-security-policy
It may be necessary to expand that definition to intermediates that were capable of issuing certificates within the past year (or longer). On Monday, May 8, 2017 at 9:31:21 AM UTC-4, Alex Gaynor wrote: > I'm not the best way to phrase this, so please forgive the bluntness, but I > think it'd be

Re: Draft further questions for Symantec

2017-05-08 Thread Alex Gaynor via dev-security-policy
Thanks Kurt. Alex On Mon, May 8, 2017 at 11:22 AM, Kurt Roeckx via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > On 2017-05-08 15:31, Alex Gaynor wrote: > >> I'm not the best way to phrase this, so please forgive the bluntness, but >> I >> think it'd be appropriate to

Re: Draft further questions for Symantec

2017-05-08 Thread Alex Gaynor via dev-security-policy
I'm not the best way to phrase this, so please forgive the bluntness, but I think it'd be appropriate to ask at this point if Symantec has disclosed all necessary intermediates (I believe this would be defined as: chain to their roots in our trust store, are not expired, are not revoked, and are

Re: Draft further questions for Symantec

2017-05-08 Thread Kurt Roeckx via dev-security-policy
On 2017-05-08 14:24, Gervase Markham wrote: 1) Did any of the RAs in your program (CrossCert and co.) have the technical ability to independently issue EV certificates? If they did not not, given that they had issuance capability from intermediates which chained up to EV-enabled roots, what

Draft further questions for Symantec

2017-05-08 Thread Gervase Markham via dev-security-policy
I think it might be appropriate to have a further round of questions to Symantec from Mozilla, to try and get some clarity on some outstanding and concerning issues. Here are some _proposed_ questions; feel free to suggest modifications or other questions, and I will decide what to send officially