RE: Misissued/Suspicious Symantec Certificates

2017-02-17 Thread Steve Medin via dev-security-policy
Our third response to questions, including these two below, is posted at Bugzilla, and directly at https://bug1334377.bmoattachments.org/attachment.cgi?id=8838825. From: Ryan Sleevi [mailto:r...@sleevi.com] Sent: Friday, February 17, 2017 6:54 PM To: Ryan Sleevi Cc:

RE: Intermediates Supporting Many EE Certs

2017-02-13 Thread Steve Medin via dev-security-policy
rmediates Supporting Many EE Certs > > On 13/02/2017 18:25, Ryan Sleevi via dev-security-policy wrote: > > On Mon, Feb 13, 2017 at 8:17 AM, Steve Medin via dev-security-policy < > > dev-security-policy@lists.mozilla.org> wrote: > > > >> Getting all user

RE: Intermediates Supporting Many EE Certs

2017-02-14 Thread Steve Medin via dev-security-policy
> -Original Message- > From: dev-security-policy [mailto:dev-security-policy- > bounces+steve_medin=symantec@lists.mozilla.org] On Behalf Of Nick > Lamb via dev-security-policy > Sent: Tuesday, February 14, 2017 12:14 PM > To: mozilla-dev-security-pol...@lists.mozilla.org > Subject:

RE: Misissued/Suspicious Symantec Certificates

2017-02-12 Thread Steve Medin via dev-security-policy
A response is now available in Bugzilla 1334377 and directly at: https://bugzilla.mozilla.org/attachment.cgi?id=8836487 > -Original Message- > From: Gervase Markham [mailto:g...@mozilla.org] > Sent: Thursday, February 09, 2017 4:56 AM > To: Steve Medin ;

RE: Intermediates Supporting Many EE Certs

2017-02-14 Thread Steve Medin via dev-security-policy
> -Original Message- > From: dev-security-policy [mailto:dev-security-policy- > bounces+steve_medin=symantec@lists.mozilla.org] On Behalf Of Nick > Lamb via dev-security-policy > Sent: Monday, February 13, 2017 6:37 PM > To: mozilla-dev-security-pol...@lists.mozilla.org > Subject: Re:

RE: Intermediates Supporting Many EE Certs

2017-02-14 Thread Steve Medin via dev-security-policy
Top comments for readability. - IT professionals, server administrators, are humans, often overworked, who need care, assistance, and attention. In my past version, I offered helpdesk to helpdesk support and lost business that demanded helpdesk to end user server admin. -

RE: Intermediates Supporting Many EE Certs

2017-02-13 Thread Steve Medin via dev-security-policy
> -Original Message- > From: dev-security-policy [mailto:dev-security-policy- > bounces+steve_medin=symantec@lists.mozilla.org] On Behalf Of > Gervase Markham via dev-security-policy > Sent: Monday, February 13, 2017 7:23 AM > To: mozilla-dev-security-pol...@lists.mozilla.org >

Symantec Response B

2017-04-10 Thread Steve Medin via dev-security-policy
Issue B: 1024-bit Certificate Issued Directly From Root (Dec 2013 - Jan 2014) The customer in question informed us of an issue in December 2013 that threatened to seriously disrupt their primary business, and they sought our assistance. The customer's non-browser implementation required a

Symantec Response H

2017-04-10 Thread Steve Medin via dev-security-policy
Issue H: SHA-1 Issuance After Deadline (January 2016) With respect to Issue H, Symantec has no additional comments regarding the perspective outlined in the summary. Please see https://cabforum.org/pipermail/public/2016-January/006519.html for further detail on Symantec's previous commentary

Symantec Response E

2017-04-10 Thread Steve Medin via dev-security-policy
Issue E: Domain Validation Vulnerability (October 2015) With respect to Issue E, Symantec has no additional comments regarding the perspective outlined in the summary. Please see

Symantec Response Q

2017-04-10 Thread Steve Medin via dev-security-policy
Issue Q: Symantec Audit Issues 2016 (December 2015 - November 2016) In our 2014-2015 audits, certain issues were identified that we promptly took action on, including addressing the test certificate incident. We continued these efforts until the Point in Time audit was conducted. We split the

Symantec Response N

2017-04-10 Thread Steve Medin via dev-security-policy
Issue N: Premature Manual Signing Using SHA-1 (July 2016) This matter represents the first time any CA attempted to follow the exception process which was developed over the course of weeks, beginning at the Bilbao CABF face-to-face meeting in May 2016, and with the input of our partners.

Symantec Response L

2017-04-10 Thread Steve Medin via dev-security-policy
Issue L: Cross-Signing the US Federal Bridge (February 2011 - July 2016) Symantec, as well as VeriSign, has participated in the FPKI since 2006, and we take our responsibility as a participant of this program very seriously. When Symantec began participating in FPKI, FPKI rules required two-way

Symantec Response P

2017-04-10 Thread Steve Medin via dev-security-policy
Issue P: UniCredit Sub CA Failing To Follow BRs (April - October 2016) We are committed to keeping our customers, partners and ecosystem informed and taking action when necessary. We recognize that there are issues we are accountable for, such as our March 2016 CA Communication response

Symantec Response V

2017-04-10 Thread Steve Medin via dev-security-policy
Issue V: RA Program Audit Issues (2013 or earlier - January 2017) Symantec has had two different programs that involve delegated third parties associated with publicly trusted TLS and subject to third-party audits: our GeoRoot program and our RA/Affiliate program. GeoRoot refers to our program

Symantec Response R

2017-04-10 Thread Steve Medin via dev-security-policy
Issue R: Insecure Issuance API (2013 or earlier - November 2016) In April 2015, security consultant Chris Byrne responsibly disclosed two potential vulnerabilities related to our Quick Invite feature, which enables a reseller to invite pre-selected customers to enroll for certificates, via

Symantec Response T

2017-04-10 Thread Steve Medin via dev-security-policy
Issue T: RA Program Misissuances (January 2010 - January 2017) Program Background: Symantec has operated an RA program designed to deliver a superior customer experience in global markets where language skills, understanding of local business requirements, and physical local presence are

Symantec Response X

2017-04-10 Thread Steve Medin via dev-security-policy
Issue X: Incomplete RA Program Remediation (February - March 2017) The only Symantec RAs capable of authorizing and issuing publicly trusted SSL/TLS certificates are: CrossCert, Certisign, Certsuperior and Certisur. Symantec continues to maintain a partner program for non-TLS certificates.

RE: [EXT] Re: Questions for Symantec

2017-04-20 Thread Steve Medin via dev-security-policy
Gerv, In the interest of an easy to read set of responses to your questions and many submitted in response to our recent posts, we have prepared a PDF and attached it to the Bugzilla tracking this discussion. That PDF is available at https://bugzilla.mozilla.org/attachment.cgi?id=8860216. >

RE: [EXT] Re: Questions for Symantec

2017-04-20 Thread Steve Medin via dev-security-policy
> -Original Message- > From: Gervase Markham [mailto:g...@mozilla.org] > Sent: Thursday, April 13, 2017 9:13 AM > To: Steve Medin ; Rick Andrews > ; mozilla-dev-security- > pol...@lists.mozilla.org > Subject: [EXT] Re: Questions for

RE: [EXT] Re: Questions for Symantec

2017-04-20 Thread Steve Medin via dev-security-policy
> -Original Message- > From: Gervase Markham [mailto:g...@mozilla.org] > Sent: Tuesday, April 11, 2017 6:42 AM > To: Steve Medin ; Rick Andrews > ; mozilla-dev-security- > pol...@lists.mozilla.org > Subject: [EXT] Re: Questions for

RE: [EXT] Re: Questions for Symantec

2017-04-20 Thread Steve Medin via dev-security-policy
> -Original Message- > From: dev-security-policy [mailto:dev-security-policy- > bounces+steve_medin=symantec@lists.mozilla.org] On Behalf Of > Gervase Markham via dev-security-policy > Sent: Tuesday, April 04, 2017 9:06 AM > To: mozilla-dev-security-pol...@lists.mozilla.org > Subject:

RE: Symantec: Next Steps

2017-03-09 Thread Steve Medin via dev-security-policy
In the case of CrossCert, where we have evidence of failure to properly document their work, we are NOT relying on their previous work and have begun fully revalidating all active certificates. In the cases of the other 3 RAs, our focus is reviewing all of the work previously done to verify

RE: Misissued/Suspicious Symantec Certificates

2017-03-03 Thread Steve Medin via dev-security-policy
dit Letter(s) used for each RA partner since the acquisition by Symantec of the VeriSign Trust Services business in 2010. On Fri, Feb 17, 2017 at 8:32 PM, Steve Medin via dev-security-policy <dev-security-policy@lists.mozilla.org<mailto:dev-security-policy@lists.mozilla.org>&g

RE: [FORGED] Criticism of Mozilla Re: Google Trust Services roots

2017-03-10 Thread Steve Medin via dev-security-policy
> -Original Message- > From: dev-security-policy [mailto:dev-security-policy- > bounces+steve_medin=symantec@lists.mozilla.org] On Behalf Of Peter > Gutmann via dev-security-policy > Sent: Friday, March 10, 2017 4:15 AM > To: Gervase Markham ; Peter Kurrasch >

Re: Symantec Update on SubCA Proposal

2017-08-11 Thread Steve Medin via dev-security-policy
> -Original Message- > From: dev-security-policy [mailto:dev-security-policy- > bounces+steve_medin=symantec@lists.mozilla.org] On Behalf Of > Devon O'Brien via dev-security-policy > Sent: Wednesday, August 09, 2017 12:24 PM > To: mozilla-dev-security-pol...@lists.mozilla.org >

RE: [EXT] Symantec Update on SubCA Proposal

2017-07-18 Thread Steve Medin via dev-security-policy
age- > From: dev-security-policy [mailto:dev-security-policy- > bounces+steve_medin=symantec@lists.mozilla.org] On Behalf Of > Steve Medin via dev-security-policy > Sent: Tuesday, July 18, 2017 2:23 PM > To: mozilla-dev-security-pol...@lists.mozilla.org > Subject: [EXT] Sym

Symantec Update on SubCA Proposal

2017-07-18 Thread Steve Medin via dev-security-policy
*Progress Update on SubCA RFP, Partner Selection, and Execution* Since June 1, Symantec has worked in earnest to operationalize the SubCA proposal outlined by Google and Mozilla and discussed in community forums. The core of this proposal is to transfer the authentication and issuance of

RE: [EXT] Symantec Update on SubCA Proposal

2017-07-19 Thread Steve Medin via dev-security-policy
> -Original Message- > From: dev-security-policy [mailto:dev-security-policy- > bounces+steve_medin=symantec@lists.mozilla.org] On Behalf Of > Jakob Bohm via dev-security-policy > Sent: Tuesday, July 18, 2017 4:39 PM > To: mozilla-dev-security-pol...@lists.mozilla.org > Subject: Re:

RE: [EXT] Symantec Update on SubCA Proposal

2017-07-20 Thread Steve Medin via dev-security-policy
> -Original Message- > From: dev-security-policy [mailto:dev-security-policy- > bounces+steve_medin=symantec@lists.mozilla.org] On Behalf Of > David E. Ross via dev-security-policy > Sent: Wednesday, July 19, 2017 12:48 PM > To: mozilla-dev-security-pol...@lists.mozilla.org > Subject:

RE: [EXT] Symantec Update on SubCA Proposal

2017-07-20 Thread Steve Medin via dev-security-policy
1) December 1, 2017 is the earliest credible date that any RFP respondent can provide the Managed CA solution proposed by Google, assuming a start date of August 1, 2017. Only one RFP respondent initially proposed a schedule targeting August 8, 2017 (assuming a start date of June 12,

RE: [EXT] Symantec Update on SubCA Proposal

2017-07-20 Thread Steve Medin via dev-security-policy
...@konklone.com] Sent: Wednesday, July 19, 2017 3:43 PM To: Steve Medin <steve_me...@symantec.com> Cc: mozilla-dev-security-pol...@lists.mozilla.org Subject: Re: [EXT] Symantec Update on SubCA Proposal On Wed, Jul 19, 2017 at 11:31 AM, Steve Medin via dev-security-policy <dev-securi

RE: [EXT] Symantec Update on SubCA Proposal

2017-07-20 Thread Steve Medin via dev-security-policy
> -Original Message- > From: dev-security-policy [mailto:dev-security-policy- > bounces+steve_medin=symantec@lists.mozilla.org] On Behalf Of > Jakob Bohm via dev-security-policy > Sent: Wednesday, July 19, 2017 12:22 PM > To: mozilla-dev-security-pol...@lists.mozilla.org > Subject: Re:

RE: Symantec Conclusions and Next Steps

2017-04-26 Thread Steve Medin via dev-security-policy
> -Original Message- > From: dev-security-policy [mailto:dev-security-policy- > bounces+steve_medin=symantec@lists.mozilla.org] On Behalf Of > Gervase Markham via dev-security-policy > Sent: Friday, April 21, 2017 6:17 AM > To: mozilla-dev-security-pol...@lists.mozilla.org > Subject:

RE: [EXT] Re: Symantec: Draft Proposal

2017-05-02 Thread Steve Medin via dev-security-policy
> -Original Message- > From: dev-security-policy [mailto:dev-security-policy- > bounces+steve_medin=symantec@lists.mozilla.org] On Behalf Of > wizard--- via dev-security-policy > Sent: Tuesday, May 02, 2017 7:10 AM > To: mozilla-dev-security-pol...@lists.mozilla.org > Subject: [EXT]

RE: [EXT] Symantec: Draft Proposal

2017-05-02 Thread Steve Medin via dev-security-policy
Gerv- Thank you for the thoughtful analysis. We are reviewing and intend to respond to your latest proposal shortly. > -Original Message- > From: dev-security-policy [mailto:dev-security-policy- > bounces+steve_medin=symantec@lists.mozilla.org] On Behalf Of > Gervase Markham via

RE: [EXT] Re: Draft further questions for Symantec

2017-05-15 Thread Steve Medin via dev-security-policy
Replacement link: https://bugzilla.mozilla.org/attachment.cgi?id=8867892 Sorry, I had the PDF cached. > -Original Message- > From: dev-security-policy [mailto:dev-security-policy- > bounces+steve_medin=symantec@lists.mozilla.org] On Behalf Of > urijah--- via dev-security-policy >

RE: [EXT] Re: Draft further questions for Symantec

2017-05-15 Thread Steve Medin via dev-security-policy
Gerv, Our response to the recent questions is posted at: https://bugzilla.mozilla.org/attachment.cgi?id=8867735 Kind regards, Steve > -Original Message- > From: dev-security-policy [mailto:dev-security-policy- > bounces+steve_medin=symantec@lists.mozilla.org] On Behalf Of > Gervase

RE: [EXT] Re: Symantec Conclusions and Next Steps

2017-05-15 Thread Steve Medin via dev-security-policy
> -Original Message- > From: dev-security-policy [mailto:dev-security-policy- > bounces+steve_medin=symantec@lists.mozilla.org] On Behalf Of Ryan > Sleevi via dev-security-policy > Sent: Tuesday, April 25, 2017 6:50 PM > To: Ryan Sleevi > Cc:

RE: [EXT] Symantec: Draft Proposal

2017-05-15 Thread Steve Medin via dev-security-policy
Symantec logs TLS server certificates that are intended to be trusted by Chrome to Certificate Transparency logs. Symantec does not systematically log other certificate types to CT, including Class 1, Class 2 and other types of user certificates. The Adobe Approved Trust List intermediate CA

RE: [EXT] Mozilla requirements of Symantec

2017-06-12 Thread Steve Medin via dev-security-policy
> -Original Message- > From: Gervase Markham [mailto:g...@mozilla.org] > Sent: Wednesday, June 07, 2017 2:51 PM > To: Steve Medin ; mozilla-dev-security- > pol...@lists.mozilla.org > Cc: Kathleen Wilson > Subject: [EXT] Mozilla requirements

RE: [EXT] Google Plan for Symantec posted

2017-05-19 Thread Steve Medin via dev-security-policy
> -Original Message- > From: dev-security-policy [mailto:dev-security-policy- > bounces+steve_medin=symantec@lists.mozilla.org] On Behalf Of > Gervase Markham via dev-security-policy > Sent: Friday, May 19, 2017 11:42 AM > To: mozilla-dev-security-pol...@lists.mozilla.org > Subject:

RE: [EXT] Symantec response to Google proposal

2017-06-02 Thread Steve Medin via dev-security-policy
> -Original Message- > From: dev-security-policy [mailto:dev-security-policy- > bounces+steve_medin=symantec@lists.mozilla.org] On Behalf Of > Gervase Markham via dev-security-policy > Sent: Friday, June 02, 2017 10:54 AM > To: mozilla-dev-security-pol...@lists.mozilla.org > Subject:

RE: [EXT] Symantec: Draft Proposal

2017-05-04 Thread Steve Medin via dev-security-policy
> -Original Message- > From: dev-security-policy [mailto:dev-security-policy- > bounces+steve_medin=symantec@lists.mozilla.org] On Behalf Of > Gervase Markham via dev-security-policy > Sent: Monday, May 01, 2017 10:16 AM > To: mozilla-dev-security-pol...@lists.mozilla.org > Subject:

RE: [EXT] Re: DigiCert-Symantec Announcement

2017-09-01 Thread Steve Medin via dev-security-policy
We are not making any changes at this time. > -Original Message- > From: dev-security-policy [mailto:dev-security-policy- > bounces+steve_medin=symantec@lists.mozilla.org] On Behalf Of > Adrian R. via dev-security-policy > Sent: Friday, September 01, 2017 4:09 AM > To:

RE: CA generated keys

2017-12-11 Thread Steve Medin via dev-security-policy
Loosen the interpretation of escrow from a box surrounded by KRAs, KROs, and access controls with a rolling LTSK and escrow could describe what many white glove and CDN tier hosting operations do. The CDN has written consent, but the end customer never touches the TLS cert. > -Original