[mailto:r...@sleevi.com]
Sent: Wednesday, February 22, 2017 11:33 PM
To: Steve Medin <steve_me...@symantec.com>
Cc: mozilla-dev-security-pol...@lists.mozilla.org; r...@sleevi.com; Gervase
Markham <g...@mozilla.org>
Subject: Re: Misissued/Suspicious Symantec Certificates
Hi Steve,
Tha
On Tuesday, 28 February 2017 17:45:19 UTC, Santhan Raj wrote:
> WebTrust for Certification Authorities, SSL
> Baseline with Network Security, Version 2.0, available
> at
> http://www.webtrust.org/homepage‐documents/item79806.pdf.
404 - File
On Friday, February 24, 2017 at 5:12:43 PM UTC-8, Peter Bowen wrote:
> "auditing standards that underlie the accepted audit schemes found in
> Section 8.1"
>
> This is obviously an error in the BRs. That language is taken from
> Section 8.1 and there is no list of schemes in 8.1.
>
> 8.4 does
On Fri, Feb 24, 2017 at 4:51 PM, Ryan Sleevi wrote:
>
>
> On Wed, Feb 22, 2017 at 8:32 PM, Ryan Sleevi wrote:
>
>> Hi Steve,
>>
>> Thanks for your continued attention to this matter. Your responses open
>> many new and important questions which give serious
"auditing standards that underlie the accepted audit schemes found in
Section 8.1"
This is obviously an error in the BRs. That language is taken from
Section 8.1 and there is no list of schemes in 8.1.
8.4 does have a list of schemes:
1. WebTrust for Certification Authorities v2.0;
2. A national
On Wed, Feb 22, 2017 at 8:32 PM, Ryan Sleevi wrote:
> Hi Steve,
>
> Thanks for your continued attention to this matter. Your responses open
> many new and important questions which give serious question as to
> whether the proposed remediations are sufficient. To keep this
I am aware of the requirements but am interested in seeing how an RA that
doesn't have their own issuing cert structures the audit report. It probably
looks the same, but I've never seen one (unless that is the case with the
previously provided audit report).
On Feb 22, 2017, at 8:48 PM, Ryan
On Wed, Feb 22, 2017 at 8:36 PM, Jeremy Rowley
wrote:
> Webtrust doesn't have audit criteria for RAs so the audit request may
> produce interesting results. Or are you asking for the audit statement
> covering the root that the RA used to issue from? That should all
ments.org/attachment.cgi?id=8838825.
>>
>>
>>
>>
>>
>> From: Ryan Sleevi [mailto:r...@sleevi.com]
>> Sent: Friday, February 17, 2017 6:54 PM
>> To: Ryan Sleevi <r...@sleevi.com>
>> Cc: Gervase Markham <g...@mozilla.org>; mozilla-dev-s
> Cc: Gervase Markham <g...@mozilla.org>; mozilla-dev-security-policy@
> lists.mozilla.org; Steve Medin <steve_me...@symantec.com>
> Subject: Re: Misissued/Suspicious Symantec Certificates
>
>
>
> Hi Steve,
>
>
>
> Two more questions to add to the li
Cc: Gervase Markham <g...@mozilla.org>;
mozilla-dev-security-pol...@lists.mozilla.org; Steve Medin
<steve_me...@symantec.com>
Subject: Re: Misissued/Suspicious Symantec Certificates
Hi Steve,
Two more questions to add to the list which is already pending:
In [1], in response to qu
On Friday, February 17, 2017 at 10:19:06 PM UTC-5, Ryan Sleevi wrote:
> On Fri, Feb 17, 2017 at 5:17 PM, urijah--- via dev-security-policy <
> dev-security-policy@lists.mozilla.org> wrote:
>
> > On Friday, February 17, 2017 at 7:50:31 PM UTC-5, uri...@gmail.com wrote:
> > > On Friday, February
On Fri, Feb 17, 2017 at 5:17 PM, urijah--- via dev-security-policy <
dev-security-policy@lists.mozilla.org> wrote:
> On Friday, February 17, 2017 at 7:50:31 PM UTC-5, uri...@gmail.com wrote:
> > On Friday, February 17, 2017 at 7:23:54 PM UTC-5, Ryan Sleevi wrote:
> > > I have confirmed with CPA
>
On Friday, February 17, 2017 at 7:50:31 PM UTC-5, uri...@gmail.com wrote:
> On Friday, February 17, 2017 at 7:23:54 PM UTC-5, Ryan Sleevi wrote:
> > I have confirmed with CPA
> > Canada that during the 2016 and 2017 periods, EY Brazil was not a
> > licensed WebTrust practitioner, as indicated
On Friday, February 17, 2017 at 7:23:54 PM UTC-5, Ryan Sleevi wrote:
> I have confirmed with CPA
> Canada that during the 2016 and 2017 periods, EY Brazil was not a
> licensed WebTrust practitioner, as indicated at [4].
>
> [4]
>
Hi Steve,
Two more questions to add to the list which is already pending:
In [1], in response to question 5, Symantec indicated that Certisign was a
WebTrust audited partner RA, with [2] provided as evidence to this fact.
While we discussed the concerns with respect to the audit letter,
On Mon, Feb 13, 2017 at 4:48 AM, Gervase Markham via dev-security-policy <
dev-security-policy@lists.mozilla.org> wrote:
> Hi Steve,
>
> On 12/02/17 15:27, Steve Medin wrote:
> > A response is now available in Bugzilla 1334377 and directly at:
> >
Hi Steve,
On 12/02/17 15:27, Steve Medin wrote:
> A response is now available in Bugzilla 1334377 and directly at:
> https://bugzilla.mozilla.org/attachment.cgi?id=8836487
Thank you for this timely response. Mozilla continues to expect answers
to all reasonable and polite questions posed in our
So after reading this, the following auditors aren't trusted by Symantec
anymore:
- E&Y Korea
- E&Y Brazil
The following isn't trusted by Mozilla anymore:
- E&Y Hong Kong
This seems to be a worrying trend to me.
Kurt
On 2017-02-12 20:25, Eric Mill wrote:
Also relevant are Symantec's statements about two E&Y regional auditors.
One section describes contradictions from E&Y KR (Korea) in describing why
some CrossCert issuing CAs were not in scope:
• The list of CAs in the audit was produced by CrossCert and given to E&Y
KR as the scope to audit. It was
On Sunday, 12 February 2017 15:28:26 UTC, Steve Medin wrote:
> A response is now available in Bugzilla 1334377 and directly at:
> https://bugzilla.mozilla.org/attachment.cgi?id=8836487
Thanks for these responses Steve,
I believe that Symantec's decision to terminate the RA Partner programme was
c.com>; mozilla-dev-security-
> pol...@lists.mozilla.org
> Cc: r...@sleevi.com
> Subject: Re: Misissued/Suspicious Symantec Certificates
>
> On 09/02/17 03:07, Ryan Sleevi wrote:
> > We appreciate your attention to these questions and will thoughtfully
> > consi
On Thursday, 9 February 2017 03:08:14 UTC, Ryan Sleevi wrote:
> 19) Can you confirm that Certsuperior, Certisign, CrossCert, and Certisur
> are the only Delegated Third Parties utilized by Symantec, across all
> Symantec operated CAs that are trusted by Mozilla products?
Maybe Ryan has better
On Sat, Feb 4, 2017 at 3:10 AM, Gervase Markham wrote:
> On 31/01/17 04:51, Steve Medin wrote:
> > Our response to questions up to January 27, 2017 has been posted as an
> > attachment to bug https://bugzilla.mozilla.org/show_bug.cgi?id=1334377.
>
> Quoting that document:
>
>
On 05/02/17 09:47, Gervase Markham wrote:
> On 05/02/17 06:20, Peter Gutmann wrote:
>> That's not a cert issue, it's Firefox objecting to the version of SSL/TLS the
>> server is advertising. Hey, it would be pretty funny if the cert auditors'
>> certs were broken, but it's just the browser
Hi Steve,
On 31/01/17 03:51, Steve Medin wrote:
> Our response to questions up to January 27, 2017 has been posted as an
> attachment to bug https://bugzilla.mozilla.org/show_bug.cgi?id=1334377.
It's now ten days later; are Symantec in a position to answer the next
batch of questions, and also
On 05/02/17 06:20, Peter Gutmann wrote:
> That's not a cert issue, it's Firefox objecting to the version of SSL/TLS the
> server is advertising. Hey, it would be pretty funny if the cert auditors'
> certs were broken, but it's just the browser complaining about something else.
That machine
As a side note to the main topic, I find it curious and a little disconcerting
that the referred link to the E&Y assessment of CrossCert, (outlined in Point
2 of "Additional Follow-ups") found on the document linked by Steve (here :
https://bug1334377.bmoattachments.org/attachment.cgi?id=8831038
On 04/02/17 14:32, Ryan Sleevi wrote:
> Gerv, as the information Steve shared about their other RAs show, their
> issues with RAs are not limited to CrossCert, unfortunately. Check out the
> rest of the details included.
Ouch. Thank you for drawing these to my attention; I had neglected to
read
On Sat, Feb 4, 2017 at 3:10 AM, Gervase Markham wrote:
>
> 4) Is there any reliable programmatic way of determining, looking only
> at the contents of the certificate or certificate chain, that a
> certificate was issued by CrossCert personnel using their processes, as
> opposed
On 31/01/17 04:51, Steve Medin wrote:
> Our response to questions up to January 27, 2017 has been posted as an
> attachment to bug https://bugzilla.mozilla.org/show_bug.cgi?id=1334377.
Quoting that document:
"Q: 4) In response to the previous incident, Symantec indicated it
updated its internal
e>; mozilla-dev-security-pol...@lists.mozilla.org
Subject: Re: Misissued/Suspicious Symantec Certificates
Steve,
As captured in our private mail exchange last week, Symantec's report fails to
meaningfully address each or any of the questions I raised. Google considers
it of utmost urg
On Monday, 30 January 2017 17:52:34 UTC, Andrew Ayer wrote:
> I would appreciate confirmation from Steve, but note that dev119money.com
> is not currently a registered domain name.
Ah yes, none of the names on that certificate currently exist in the Internet
DNS: devhkhouse.co.kr and
On Fri, 27 Jan 2017 09:43:00 -0800 (PST)
Nick Lamb wrote:
> On Friday, 27 January 2017 12:11:06 UTC, Gervase Markham wrote:
> > * It's not clear what the problem is with the issuance in category
> > F. I don't see any mention of "dev119money.com" in Andrew's initial
> >
On 30/01/17 12:51, Nick Lamb wrote:
> CrossCert Certification Practice Statement Version 3.8.8 Effective
> Date: JUNE 29, 2012
That date is interesting. The BRs require CPSes to be revised yearly.
> "End-user Subscriber Certificates contain an X.501 distinguished name
> in the Subject name field
On Monday, 30 January 2017 11:10:00 UTC, Gervase Markham wrote:
> Could you point us at the parts of the CPS or other documents which led
> you to that belief?
I examined a great many documents since Andrew's initial report. I think the
document which originally caused me to form this incorrect
Hi Nick,
On 29/01/17 12:39, Nick Lamb wrote:
> 2. It had been my assumption, based on the CPS and other documents,
> that CrossCert was restricted in their use of Symantec's issuance
> function to C=KR
Could you point us at the parts of the CPS or other documents which led
you to that belief?
On Sunday, 29 January 2017 02:28:53 UTC, Steve Medin wrote:
> We completed our investigation of these 12 certificates by requesting
> archived documentation. CrossCert was unable to produce documentation to
> prove their validation as required under BR 5.4.1. We revoked all 12
> certificates
Symantec's auditors, KPMG, completed a scan of CrossCert certificates to
detect potential mis-issuance. On Thursday, January 26, 2017 at 4:08pm PST,
KPMG provided a report that listed 12 problem certificates that were not in
Andrew Ayer's report. We began an investigation into that certificate
On Friday, 27 January 2017 12:11:06 UTC, Gervase Markham wrote:
> * It's not clear what the problem is with the issuance in category F. I
> don't see any mention of "dev119money.com" in Andrew's initial report.
> Can you explain (and provide a crt.sh link)?
https://crt.sh/?id=48539119 appears to
Hi Steve,
On 27/01/17 01:30, Steve Medin wrote:
> Here is an attached PDF update regarding this certificate problem report.
Thanks for the update. Here are some questions:
* It's not clear what the problem is with the issuance in category F. I
don't see any mention of "dev119money.com" in
>; mozilla-dev-security-
pol...@lists.mozilla.org
Subject: RE: Misissued/Suspicious Symantec Certificates
The listed Symantec certificates were issued by one of our WebTrust
audited
partners. We have reduced this partner's privileges to restrict further
issuance while we review this matte
From: dev-security-policy [mailto:dev-security-policy-
bounces+steve_medin=symantec@lists.mozilla.org] On Behalf Of Steve
Medin
Sent: Saturday, January 21, 2017 9:35 AM
To: Andrew Ayer <a...@andrewayer.name>; mozilla-dev-security-
pol...@lists.mozilla.org
Subject: RE: Misissu
Saturday, January 21, 2017 9:35 AM
> > To: Andrew Ayer <a...@andrewayer.name>; mozilla-dev-security-
> > pol...@lists.mozilla.org
> > Subject: RE: Misissued/Suspicious Symantec Certificates
> >
> > The listed Symantec certificates were issued by one of our WebTrust
> audited
On Thursday, January 26, 2017 at 9:27:52 PM UTC-8, Steve Medin wrote:
> Here is an attached PDF update regarding this certificate problem report.
>
> Kind regards,
> Steven Medin
> PKI Policy Manager, Symantec Corporation
>
The PDF file provided by Steven has been attached to this bug:
On Behalf Of Steve
> Medin
> Sent: Saturday, January 21, 2017 9:35 AM
> To: Andrew Ayer <a...@andrewayer.name>; mozilla-dev-security-
> pol...@lists.mozilla.org
> Subject: RE: Misissued/Suspicious Symantec Certificates
>
> The listed Symantec certificates were issued by one of
Steve,
Have you had a chance to review these questions? Considering that these are
all about existing practices, and as a CA should be readily available and
easy to answer, I'm hoping you can reply by end of day.
Please consider this a formal request from Google as part of investigating
this
Hi Hanno,
On Tue, 24 Jan 2017 10:38:01 +0100
Hanno Böck wrote:
> Hello,
>
> I have a few observations to share about this incident, not sure how
> relevant they are.
Thanks for sharing these. I found them interesting.
> There are 4 "example.com" certificates related to
Hello,
I have a few observations to share about this incident, not sure how
relevant they are.
There are 4 "example.com" certificates related to this incident.
There are 114 "O=test" certificates that I assume are related to this
incident. This includes all certificates with a "Not Before" date
Steve,
While I understand that your investigation is ongoing, this does seem
extremely similar, if not identical, to Symantec's previous misissuance.
In that previous incident, Symantec took a number of steps - beginning with
reportedly immediately terminating the employees responsible and then
Thursday, January 19, 2017 4:46 PM
> To: mozilla-dev-security-pol...@lists.mozilla.org
> Subject: Misissued/Suspicious Symantec Certificates
>
> I. Misissued certificates for example.com
>
> On 2016-07-14, Symantec misissued the following certificates for
> example.com:
On Thursday, 19 January 2017 21:46:38 UTC, Andrew Ayer wrote:
> 2. The third certificate in the list above contains a SAN for
> DNS:*.crosscert.com - note that three of the misissued example.com
> certificates contain "Crosscert" in their Subject Organization.
Crosscert aka Korea Electronic
policy [mailto:dev-security-policy-
> bounces+steve_medin=symantec@lists.mozilla.org] On Behalf Of
> Andrew Ayer
> Sent: Thursday, January 19, 2017 4:46 PM
> To: mozilla-dev-security-pol...@lists.mozilla.org
> Subject: Misissued/Suspicious Symantec Certificates
>
> I. Misissued c
I. Misissued certificates for example.com
On 2016-07-14, Symantec misissued the following certificates for example.com:
https://crt.sh/?sha256=A8F14F52CC1282D7153A13316E7DA39E6AE37B1A10C16288B9024A9B9DC3C4C6