Re: Symantec Response P

2017-04-11 Thread Kurt Roeckx via dev-security-policy

On 2017-04-10 16:57, Steve Medin wrote:

> Because our customers are our top priority, we attempted to minimize business disruption

I think you have your top priority wrong, and this seems to be a 
recurring reason why you do things.

Kurt

___
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy


Re: Symantec Response P

2017-04-10 Thread Ryan Sleevi via dev-security-policy
Hi Steve,

Quick questions:

1) Why was Symantec unable to operate the CRL service for Unicredit?
2) Pursuant to Section 5.7.1 of the Baseline Requirements, Symantec, and
all of its sub-CAs, are required to document business continuity and
disaster recovery procedures. Had Unicredit been operating according to the
Baseline Requirements, it would have documented such a plan for review.
  a) What are Symantec's conditions for activating this plan for Symantec?
  b) How regularly do you test this plan for Symantec?
  c) What requirements do you have regarding awareness and education?
3) Symantec was only permitted to not revoke this subordinate, pursuant
to the Baseline Requirements, Section 4.9.1.2, Item 8, if and only if the
Issuing CA (Symantec) has made arrangements to continue maintaining the
CRL/OCSP repository?
  a) Can Symantec clarify what it believes is permitted and not permitted
under their interpretation of this section?
  b) Please specifically document what arrangements were made, if any,
such as by providing contracts and agreements.
  c) Please specifically document what steps Symantec took, if any, to
ensure those requirements were met?


Symantec Response P

2017-04-10 Thread Steve Medin via dev-security-policy
Issue P: UniCredit Sub CA Failing To Follow BRs (April - October 2016)

We are committed to keeping our customers, partners and ecosystem informed and 
taking action when necessary. We recognize that there are issues we are 
accountable for, such as our March 2016 CA Communication response indicating we 
had disclosed all subordinate CAs. The omission of UniCredit was an oversight; 
it should have been disclosed as part of this March 2016 response. However, we 
were taking appropriate actions to address the underlying compliance issues.

We worked with UniCredit over a long period of time to enforce their compliance 
with audit requirements. In July 2016, we received an assessment that did not 
meet WebTrust audit standards. We then took action, helping UniCredit 
transition to a managed PKI solution for their certificate needs that did not 
require an audit. In parallel, we notified them of termination of their 
subordinate CA.

Because our customers are our top priority, we attempted to minimize business 
disruption while they transitioned by permitting UniCredit to operate only its 
CRL service until November 30, 2016, at which point we would revoke the 
UniCredit subordinate CA. In October 2016, UniCredit issued one new certificate 
in violation of the terms of that transition plan. Following that, Symantec 
promptly revoked the UniCredit subordinate CA on October 18, 2016.