RE: Misissued/Suspicious Symantec Certificates

2017-03-03 Thread Steve Medin via dev-security-policy
[mailto:r...@sleevi.com] Sent: Wednesday, February 22, 2017 11:33 PM To: Steve Medin <steve_me...@symantec.com> Cc: mozilla-dev-security-pol...@lists.mozilla.org; r...@sleevi.com; Gervase Markham <g...@mozilla.org> Subject: Re: Misissued/Suspicious Symantec Certificates Hi Steve, Tha

Re: Misissued/Suspicious Symantec Certificates

2017-03-01 Thread Martin Heaps via dev-security-policy
On Tuesday, 28 February 2017 17:45:19 UTC, Santhan Raj wrote: > WebTrust for Certification Authorities , SSL > BaselinewithNetwork Security, Version 2.0,available > at > http://www.webtrust.org/homepage‐documents/item79806.pdf. 404 - File

Re: Misissued/Suspicious Symantec Certificates

2017-02-28 Thread Santhan Raj via dev-security-policy
On Friday, February 24, 2017 at 5:12:43 PM UTC-8, Peter Bowen wrote: > "auditing standards that underlie the accepted audit schemes found in > Section 8.1" > > This is obviously an error in the BRs. That language is taken from > Section 8.1 and there is no list of schemes in 8.1. > > 8.4 does

Re: Misissued/Suspicious Symantec Certificates

2017-02-28 Thread Ryan Sleevi via dev-security-policy
On Fri, Feb 24, 2017 at 4:51 PM, Ryan Sleevi wrote: > > > On Wed, Feb 22, 2017 at 8:32 PM, Ryan Sleevi wrote: > >> Hi Steve, >> >> Thanks for your continued attention to this matter. Your responses open >> many new and important questions and which give serious

Re: Misissued/Suspicious Symantec Certificates

2017-02-24 Thread Peter Bowen via dev-security-policy
"auditing standards that underlie the accepted audit schemes found in Section 8.1" This is obviously an error in the BRs. That language is taken from Section 8.1 and there is no list of schemes in 8.1. 8.4 does have a list of schemes: 1. WebTrust for Certification Authorities v2.0; 2. A national

Re: Misissued/Suspicious Symantec Certificates

2017-02-24 Thread Ryan Sleevi via dev-security-policy
On Wed, Feb 22, 2017 at 8:32 PM, Ryan Sleevi wrote: > Hi Steve, > > Thanks for your continued attention to this matter. Your responses open > many new and important questions and which give serious question as to > whether the proposed remediations are sufficient. To keep this

Re: Misissued/Suspicious Symantec Certificates

2017-02-22 Thread Jeremy Rowley via dev-security-policy
I am aware of the requirements but am interested in seeing how an RA that doesn't have their own issuing cert structures the audit report. It probably looks the same, but I've never seen one (unless that is the case with the previously provided audit report). On Feb 22, 2017, at 8:48 PM, Ryan

Re: Misissued/Suspicious Symantec Certificates

2017-02-22 Thread Ryan Sleevi via dev-security-policy
On Wed, Feb 22, 2017 at 8:36 PM, Jeremy Rowley wrote: > Webtrust doesn't have audit criteria for RAs so the audit request may > produce interesting results. Or are you asking for the audit statement > covering the root that the RA used to issue from? That should all

Re: Misissued/Suspicious Symantec Certificates

2017-02-22 Thread Jeremy Rowley via dev-security-policy
ments.org/attachment.cgi?id=8838825. >> >> >> >> >> >> From: Ryan Sleevi [mailto:r...@sleevi.com] >> Sent: Friday, February 17, 2017 6:54 PM >> To: Ryan Sleevi <r...@sleevi.com> >> Cc: Gervase Markham <g...@mozilla.org>; mozilla-dev-s

Re: Misissued/Suspicious Symantec Certificates

2017-02-22 Thread Ryan Sleevi via dev-security-policy
m> > Cc: Gervase Markham <g...@mozilla.org>; mozilla-dev-security-policy@ > lists.mozilla.org; Steve Medin <steve_me...@symantec.com> > Subject: Re: Misissued/Suspicious Symantec Certificates > > > > Hi Steve, > > > > Two more questions to add to the li

RE: Misissued/Suspicious Symantec Certificates

2017-02-17 Thread Steve Medin via dev-security-policy
Cc: Gervase Markham <g...@mozilla.org>; mozilla-dev-security-pol...@lists.mozilla.org; Steve Medin <steve_me...@symantec.com> Subject: Re: Misissued/Suspicious Symantec Certificates Hi Steve, Two more questions to add to the list which is already pending: In [1], in response to qu

Re: Misissued/Suspicious Symantec Certificates

2017-02-17 Thread urijah--- via dev-security-policy
On Friday, February 17, 2017 at 10:19:06 PM UTC-5, Ryan Sleevi wrote: > On Fri, Feb 17, 2017 at 5:17 PM, urijah--- via dev-security-policy < > dev-security-policy@lists.mozilla.org> wrote: > > > On Friday, February 17, 2017 at 7:50:31 PM UTC-5, uri...@gmail.com wrote: > > > On Friday, February

Re: Misissued/Suspicious Symantec Certificates

2017-02-17 Thread Ryan Sleevi via dev-security-policy
On Fri, Feb 17, 2017 at 5:17 PM, urijah--- via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > On Friday, February 17, 2017 at 7:50:31 PM UTC-5, uri...@gmail.com wrote: > > On Friday, February 17, 2017 at 7:23:54 PM UTC-5, Ryan Sleevi wrote: > > > I have confirmed with CPA >

Re: Misissued/Suspicious Symantec Certificates

2017-02-17 Thread urijah--- via dev-security-policy
On Friday, February 17, 2017 at 7:50:31 PM UTC-5, uri...@gmail.com wrote: > On Friday, February 17, 2017 at 7:23:54 PM UTC-5, Ryan Sleevi wrote: > > I have confirmed with CPA > > Canada that during the 2016 and 2017 periods, EY Brazil was not a > > licensed WebTrust practitioner, as indicated

Re: Misissued/Suspicious Symantec Certificates

2017-02-17 Thread urijah--- via dev-security-policy
On Friday, February 17, 2017 at 7:23:54 PM UTC-5, Ryan Sleevi wrote: > I have confirmed with CPA > Canada that during the 2016 and 2017 periods, EY Brazil was not a > licensed WebTrust practitioner, as indicated at [4]. > > [4] >

Re: Misissued/Suspicious Symantec Certificates

2017-02-17 Thread Ryan Sleevi via dev-security-policy
Hi Steve, Two more questions to add to the list which is already pending: In [1], in response to question 5, Symantec indicated that Certisign was a WebTrust audited partner RA, with [2] provided as evidence to this fact. While we discussed the concerns with respect to the audit letter,

Re: Misissued/Suspicious Symantec Certificates

2017-02-13 Thread Ryan Sleevi via dev-security-policy
On Mon, Feb 13, 2017 at 4:48 AM, Gervase Markham via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > Hi Steve, > > On 12/02/17 15:27, Steve Medin wrote: > > A response is now available in Bugzilla 1334377 and directly at: > >

Re: Misissued/Suspicious Symantec Certificates

2017-02-13 Thread Gervase Markham via dev-security-policy
Hi Steve, On 12/02/17 15:27, Steve Medin wrote: > A response is now available in Bugzilla 1334377 and directly at: > https://bugzilla.mozilla.org/attachment.cgi?id=8836487 Thank you for this timely response. Mozilla continues to expect answers to all reasonable and polite questions posed in our

Re: Misissued/Suspicious Symantec Certificates

2017-02-13 Thread Kurt Roeckx via dev-security-policy
So after reading this, the following auditors aren't trusted by Symantec anymore: - E Korea - E Brazil The following isn't trusted by Mozilla anymore: - E Hong Kong This seems to be a worrying trend to me. Kurt On 2017-02-12 20:25, Eric Mill wrote: Also relevant are Symantec's statements

Re: Misissued/Suspicious Symantec Certificates

2017-02-12 Thread Eric Mill via dev-security-policy
Also relevant are Symantec's statements about two E regional auditors. One section describes contradictions from E KR (Korea) in describing why some CrossCert issuing CAs were not in scope: • The list of CAs in the audit was produced by CrossCert and given to E KR as the scope to audit. It was

Re: Misissued/Suspicious Symantec Certificates

2017-02-12 Thread Nick Lamb via dev-security-policy
On Sunday, 12 February 2017 15:28:26 UTC, Steve Medin wrote: > A response is now available in Bugzilla 1334377 and directly at: > https://bugzilla.mozilla.org/attachment.cgi?id=8836487 Thanks for these responses Steve, I believe that Symantec's decision to terminate the RA Partner programme was

RE: Misissued/Suspicious Symantec Certificates

2017-02-12 Thread Steve Medin via dev-security-policy
c.com>; mozilla-dev-security- > pol...@lists.mozilla.org > Cc: r...@sleevi.com > Subject: Re: Misissued/Suspicious Symantec Certificates > > On 09/02/17 03:07, Ryan Sleevi wrote: > > We appreciate your attention to these questions and will thoughtfully > > consi

Re: Misissued/Suspicious Symantec Certificates

2017-02-09 Thread Nick Lamb via dev-security-policy
On Thursday, 9 February 2017 03:08:14 UTC, Ryan Sleevi wrote: > 19) Can you confirm that Certsuperior, Certisign, CrossCert, and Certisur > are the only Delegated Third Parties utilized by Symantec, across all > Symantec operated CAs that are trusted by Mozilla products? Maybe Ryan has better

Re: Misissued/Suspicious Symantec Certificates

2017-02-08 Thread Ryan Sleevi
On Sat, Feb 4, 2017 at 3:10 AM, Gervase Markham wrote: > On 31/01/17 04:51, Steve Medin wrote: > > Our response to questions up to January 27, 2017 has been posted as an > > attachment to bug https://bugzilla.mozilla.org/show_bug.cgi?id=1334377. > > Quoting that document: > >

Re: Misissued/Suspicious Symantec Certificates

2017-02-08 Thread Gervase Markham
On 05/02/17 09:47, Gervase Markham wrote: > On 05/02/17 06:20, Peter Gutmann wrote: >> That's not a cert issue, it's Firefox objecting to the version of SSL/TLS the >> server is advertising. Hey, it would be pretty funny if the cert auditors' >> certs were broken, but it's just the browser

Re: Misissued/Suspicious Symantec Certificates

2017-02-07 Thread Gervase Markham
Hi Steve, On 31/01/17 03:51, Steve Medin wrote: > Our response to questions up to January 27, 2017 has been posted as an > attachment to bug https://bugzilla.mozilla.org/show_bug.cgi?id=1334377. It's now ten days later; are Symantec in a position to answer the next batch of questions, and also

Re: Misissued/Suspicious Symantec Certificates

2017-02-05 Thread Gervase Markham
On 05/02/17 06:20, Peter Gutmann wrote: > That's not a cert issue, it's Firefox objecting to the version of SSL/TLS the > server is advertising. Hey, it would be pretty funny if the cert auditors' > certs were broken, but it's just the browser complaining about something else. That machine

Re: Misissued/Suspicious Symantec Certificates

2017-02-04 Thread Martin Heaps
As a side note to the main topic, I find it curious and a little disconcerting that the referred link to the E assessment of CrossCert, (outlined in Point 2 of "Additional Follow-ups") found on the document linked by Steve (here : https://bug1334377.bmoattachments.org/attachment.cgi?id=8831038

Re: Misissued/Suspicious Symantec Certificates

2017-02-04 Thread Gervase Markham
On 04/02/17 14:32, Ryan Sleevi wrote: > Gerv, as the information Steve shared about their other RAs show, their > issues with RAs are not limited to CrossCert, unfortunately. Check out the > rest of the details included. Ouch. Thank you for drawing these to my attention; I had neglected to read

Re: Misissued/Suspicious Symantec Certificates

2017-02-04 Thread Ryan Sleevi
On Sat, Feb 4, 2017 at 3:10 AM, Gervase Markham wrote: > > 4) Is there any reliable programmatic way of determining, looking only > at the contents of the certificate or certificate chain, that a > certificate was issued by CrossCert personnel using their processes, as > opposed

Re: Misissued/Suspicious Symantec Certificates

2017-02-04 Thread Gervase Markham
On 31/01/17 04:51, Steve Medin wrote: > Our response to questions up to January 27, 2017 has been posted as an > attachment to bug https://bugzilla.mozilla.org/show_bug.cgi?id=1334377. Quoting that document: "Q: 4) In response to the previous incident, Symantec indicated it updated its internal

Re: Misissued/Suspicious Symantec Certificates

2017-01-31 Thread Jakob Bohm
Glad you also answered the key question I posted some time ago (the last one in the PDF). According to your answer it appears that the majority of problematic certificates were, to the WebPKI relying parties, correct and valid certificates that simply had the legal names of the certificate

RE: Misissued/Suspicious Symantec Certificates

2017-01-30 Thread Steve Medin
e>; mozilla-dev-security-pol...@lists.mozilla.org Subject: Re: Misissued/Suspicious Symantec Certificates Steve, As captured in our private mail exchange last week, Symantec's report fails to meaningfully address each or any of the questions I raised. Google considers it of utmost urg

Re: Misissued/Suspicious Symantec Certificates

2017-01-30 Thread Nick Lamb
On Monday, 30 January 2017 17:52:34 UTC, Andrew Ayer wrote: > I would appreciate confirmation from Steve, but note that dev119money.com > is not currently a registered domain name. Ah yes, none of the names on that certificate currently exist in the Internet DNS: devhkhouse.co.kr and

Re: Misissued/Suspicious Symantec Certificates

2017-01-30 Thread Andrew Ayer
On Fri, 27 Jan 2017 09:43:00 -0800 (PST) Nick Lamb wrote: > On Friday, 27 January 2017 12:11:06 UTC, Gervase Markham wrote: > > * It's not clear what the problem is with the issuance in category > > F. I don't see any mention of "dev119money.com" in Andrew's initial > >

Re: Misissued/Suspicious Symantec Certificates

2017-01-30 Thread Gervase Markham
On 30/01/17 12:51, Nick Lamb wrote: > CrossCert Certification Practice Statement Version 3.8.8 Effective > Date: JUNE 29, 2012 That date is interesting. The BRs require CPSes to be revised yearly. > "End-user Subscriber Certificates contain an X.501 distinguished name > in the Subject name field

Re: Misissued/Suspicious Symantec Certificates

2017-01-30 Thread Nick Lamb
On Monday, 30 January 2017 11:10:00 UTC, Gervase Markham wrote: > Could you point us at the parts of the CPS or other documents which led > you to that belief? I examined a great many documents since Andrew's initial report. I think the document which originally caused me to form this incorrect

Re: Misissued/Suspicious Symantec Certificates

2017-01-30 Thread Gervase Markham
Hi Nick, On 29/01/17 12:39, Nick Lamb wrote: > 2. It had been my assumption, based on the CPS and other documents, > that CrossCert was restricted in their use of Symantec's issuance > function to C=KR Could you point us at the parts of the CPS or other documents which led you to that belief?

Re: Misissued/Suspicious Symantec Certificates

2017-01-29 Thread Nick Lamb
On Sunday, 29 January 2017 02:28:53 UTC, Steve Medin wrote: > We completed our investigation of these 12 certificates by requesting > archived documentation. CrossCert was unable to produce documentation to > prove their validation as required under BR 5.4.1. We revoked all 12 > certificates

RE: Misissued/Suspicious Symantec Certificates

2017-01-28 Thread Steve Medin
Symantec's auditors, KPMG, completed a scan of CrossCert certificates to detect potential mis-issuance. On Thursday, January 26, 2017 at 4:08pm PST, KPMG provided a report that listed 12 problem certificates that were not in Andrew Ayer's report. We began an investigation into that certificate

Re: Misissued/Suspicious Symantec Certificates

2017-01-27 Thread Nick Lamb
On Friday, 27 January 2017 12:11:06 UTC, Gervase Markham wrote: > * It's not clear what the problem is with the issuance in category F. I > don't see any mention of "dev119money.com" in Andrew's initial report. > Can you explain (and provide a crt.sh link)? https://crt.sh/?id=48539119 appears to

Re: Misissued/Suspicious Symantec Certificates

2017-01-27 Thread Gervase Markham
Hi Steve, On 27/01/17 01:30, Steve Medin wrote: > Here is an attached PDF update regarding this certificate problem report. Thanks for the update. Here are some questions: * It's not clear what the problem is with the issuance in category F. I don't see any mention of "dev119money.com" in

Re: Misissued/Suspicious Symantec Certificates

2017-01-26 Thread Jakob Bohm
>; mozilla-dev-security- pol...@lists.mozilla.org Subject: RE: Misissued/Suspicious Symantec Certificates The listed Symantec certificates were issued by one of our WebTrust audited partners. We have reduced this partner's privileges to restrict further issuance while we review this matte

Re: Misissued/Suspicious Symantec Certificates

2017-01-26 Thread Jakob Bohm
e- From: dev-security-policy [mailto:dev-security-policy- bounces+steve_medin=symantec@lists.mozilla.org] On Behalf Of Steve Medin Sent: Saturday, January 21, 2017 9:35 AM To: Andrew Ayer <a...@andrewayer.name>; mozilla-dev-security- pol...@lists.mozilla.org Subject: RE: Misissu

Re: Misissued/Suspicious Symantec Certificates

2017-01-26 Thread Ryan Sleevi
Saturday, January 21, 2017 9:35 AM > > To: Andrew Ayer <a...@andrewayer.name>; mozilla-dev-security- > > pol...@lists.mozilla.org > > Subject: RE: Misissued/Suspicious Symantec Certificates > > > > The listed Symantec certificates were issued by one of our WebTrust > audited &

Re: Misissued/Suspicious Symantec Certificates

2017-01-26 Thread Kathleen Wilson
On Thursday, January 26, 2017 at 9:27:52 PM UTC-8, Steve Medin wrote: > Here is an attached PDF update regarding this certificate problem report. > > Kind regards, > Steven Medin > PKI Policy Manager, Symantec Corporation > The PDF file provided by Steven has been attached to this bug:

RE: Misissued/Suspicious Symantec Certificates

2017-01-26 Thread Steve Medin
On Behalf Of Steve > Medin > Sent: Saturday, January 21, 2017 9:35 AM > To: Andrew Ayer <a...@andrewayer.name>; mozilla-dev-security- > pol...@lists.mozilla.org > Subject: RE: Misissued/Suspicious Symantec Certificates > > The listed Symantec certificates were issued by one of

Re: Misissued/Suspicious Symantec Certificates

2017-01-26 Thread Ryan Sleevi
Steve, Have you had a chance to review these questions? Considering that these are all about existing practices, and as a CA should be readily available and easy to answer, I'm hoping you can reply by end of day. Please consider this a formal request from Google as part of investigating this

Re: Misissued/Suspicious Symantec Certificates

2017-01-24 Thread Andrew Ayer
Hi Hanno, On Tue, 24 Jan 2017 10:38:01 +0100 Hanno Böck wrote: > Hello, > > I have a few observations to share about this incident, not sure how > relevant they are. Thanks for sharing these. I found them interesting. > There are 4 "example.com" certificates related to

Re: Misissued/Suspicious Symantec Certificates

2017-01-24 Thread Hanno Böck
Hello, I have a few observations to share about this incident, not sure how relevant they are. There are 4 "example.com" certificates related to this incident. There are 114 "O=test" certificates that I assume are related to this incident. This includes all certificates with a "Not Before" date

Re: Misissued/Suspicious Symantec Certificates

2017-01-23 Thread Ryan Sleevi
Steve, While I understand that your investigation is ongoing, this does seem extremely similar, if not identical, to Symantec's previous misissuance. In that previous incident, Symantec took a number of steps - beginning with reportedly immediately terminating the employees responsible and then

RE: Misissued/Suspicious Symantec Certificates

2017-01-21 Thread Steve Medin
hursday, January 19, 2017 4:46 PM > To: mozilla-dev-security-pol...@lists.mozilla.org > Subject: Misissued/Suspicious Symantec Certificates > > I. Misissued certificates for example.com > > On 2016-07-14, Symantec misissued the following certificates for > example.com:

Re: Misissued/Suspicious Symantec Certificates

2017-01-21 Thread Nick Lamb
On Thursday, 19 January 2017 21:46:38 UTC, Andrew Ayer wrote: > 2. The third certificate in the list above contains a SAN for > DNS:*.crosscert.com - note that three of the misissued example.com > certificates contain "Crosscert" in their Subject Organization. Crosscert aka Korea Electronic

RE: Misissued/Suspicious Symantec Certificates

2017-01-19 Thread Steve Medin
policy [mailto:dev-security-policy- > bounces+steve_medin=symantec@lists.mozilla.org] On Behalf Of > Andrew Ayer > Sent: Thursday, January 19, 2017 4:46 PM > To: mozilla-dev-security-pol...@lists.mozilla.org > Subject: Misissued/Suspicious Symantec Certificates > > I. Misissued c

Misissued/Suspicious Symantec Certificates

2017-01-19 Thread Andrew Ayer
I. Misissued certificates for example.com On 2016-07-14, Symantec misissued the following certificates for example.com: https://crt.sh/?sha256=A8F14F52CC1282D7153A13316E7DA39E6AE37B1A10C16288B9024A9B9DC3C4C6