Re: Google's past discussions with Symantec

2017-04-27 Thread Jakob Bohm via dev-security-policy

Note that according to the below post, the one thing Symantec has not
decided to obey Google on is a request to completely stop operating as
a CA, except in name and a few minor related aspects.

This was the final, microscopic, out offered to WoSign after they
completely and deliberately deceived the root programs about their
compliance and operations.

I believe Symantec/Verisign's situation is less dire, as there is no
known issue of deliberate deception.  As such, and out of respect for
them being the original CA that predates all the other global CAs,
something less drastic should be allowed.

It should also be noted that according to the wiki page at

  https://wiki.mozilla.org/CA:Symantec_Issues

none of the known issues seem to involve EV certificates, thus making
Google's proposal to remove EV trust for all Symantec-issued EV certs
issued from appropriate EV SubCAs seem punitive rather than fact-based.

On 27/04/2017 16:59, Ryan Sleevi wrote:

(Wearing a Google Hat, if only to share what has transpired)

Symantec has recently shared in https://www.symantec.com/connect/blogs/symantec-ca-proposal, as well as https://groups.google.com/d/msg/mozilla.dev.security.policy/LRvzF2ZPyeM/OpvBXviOAQAJ, a plan for what
they believe is an appropriate resolution to the many grave and serious
security issues they've introduced into the Web Ecosystem. While the
community should certainly judge Symantec's proposal on its merits, as to
whether or not it demonstrates a basic understanding of the issues and
whether or not it provides any meaningful steps that were not already
expected of them, as a trusted CA, it is useful to understand what has
transpired over the past two weeks.

As noted in https://groups.google.com/a/chromium.org/d/msg/blink-dev/eUAKwjihhBs/IIvNKEdHDQAJ, at the beginning of this month, the Chrome
team met with Symantec's leadership to personally discuss and explain the
issues and concerns raised, despite having been in communication with
Symantec over these issues for months. As the number of issues that
Symantec has had was so great, we were unable to provide our perspective of
the many failures and the concerns that they signaled, and thus, a second
meeting was scheduled, as mentioned in https://groups.google.com/a/chromium.org/d/msg/blink-dev/eUAKwjihhBs/PodHs8n5BAAJ

In both of these meetings, and in the following e-mail exchanges, we
stressed to Symantec the nature of the issues: issues with the
infrastructure, issues with oversight, and issues with audits. These issues
involved not just RAs, but Symantec's employees, whether those responsible
for issuing certificates or those who are tasked with overseeing the
security and compliance of the process itself.

In particular, during these discussions, we explained our perspective of
audits to Symantec. For example, we discussed the ways in which audits were
insufficient to demonstrate security - that is, a clean audit does not
demonstrate that an organization takes security seriously or that they have
meaningfully addressed concerns. We discussed the ways in which audits were
able to be 'gamed' by an organization, such as through limiting the scope
of the audit to only a subset of the activities, such as validation
activities, as a way of avoiding disclosure of the more fundamental
security failures. We stressed that, more than clean audits, we value the
transparency and timeliness of an organization in responding to issues in a
way that fully resolves the issue.

We shared with Symantec how their competitors - organizations such as
GoDaddy and DigiCert - have provided excellent examples for fully
responding to issues in a responsible, timely, and complete manner, even
when it may be disruptive to their customers. While an incident happening
is not ideal, by responding in a way that is beyond reproach, these CAs
have demonstrated an awareness of the security and ecosystem implications.
More importantly, it demonstrates how their competitors have respected the
Baseline Requirements, particularly around the requirement to revoke
certificates that the CA is made aware of not having been issued in
accordance with their CP/CPS, even if no misleading information is present.
We shared this with the hope of encouraging Symantec to take a thoughtful
approach in their proposal and to understand what is expected of them.

We shared how Google has responded to past CA failures - organizations like
DigiNotar, which downplayed the security implications to their customers
and found themselves summarily and permanently revoked, organizations like
WoSign, which misled the web community while actively and knowingly
engaging in prohibited behaviours, and the seriousness of issuing or
failing to supervise subordinate CAs, which places all users - not just
their customers - at risk.

We highlighted the clear and undisputed evidence that Symantec's issues -
https://wiki.mozilla.org/CA:Symantec_Issues - extend well beyond the RA
certificates, and raise concer

Google's past discussions with Symantec

2017-04-27 Thread Ryan Sleevi via dev-security-policy
(Wearing a Google Hat, if only to share what has transpired)

Symantec has recently shared in https://www.symantec.com/connect/blogs/symantec-ca-proposal, as well as https://groups.google.com/d/msg/mozilla.dev.security.policy/LRvzF2ZPyeM/OpvBXviOAQAJ, a plan for what
they believe is an appropriate resolution to the many grave and serious
security issues they've introduced into the Web Ecosystem. While the
community should certainly judge Symantec's proposal on its merits, as to
whether or not it demonstrates a basic understanding of the issues and
whether or not it provides any meaningful steps that were not already
expected of them, as a trusted CA, it is useful to understand what has
transpired over the past two weeks.

As noted in https://groups.google.com/a/chromium.org/d/msg/blink-dev/eUAKwjihhBs/IIvNKEdHDQAJ, at the beginning of this month, the Chrome
team met with Symantec's leadership to personally discuss and explain the
issues and concerns raised, despite having been in communication with
Symantec over these issues for months. As the number of issues that
Symantec has had was so great, we were unable to provide our perspective of
the many failures and the concerns that they signaled, and thus, a second
meeting was scheduled, as mentioned in https://groups.google.com/a/chromium.org/d/msg/blink-dev/eUAKwjihhBs/PodHs8n5BAAJ

In both of these meetings, and in the following e-mail exchanges, we
stressed to Symantec the nature of the issues: issues with the
infrastructure, issues with oversight, and issues with audits. These issues
involved not just RAs, but Symantec's employees, whether those responsible
for issuing certificates or those who are tasked with overseeing the
security and compliance of the process itself.

In particular, during these discussions, we explained our perspective of
audits to Symantec. For example, we discussed the ways in which audits were
insufficient to demonstrate security - that is, a clean audit does not
demonstrate that an organization takes security seriously or that they have
meaningfully addressed concerns. We discussed the ways in which audits were
able to be 'gamed' by an organization, such as through limiting the scope
of the audit to only a subset of the activities, such as validation
activities, as a way of avoiding disclosure of the more fundamental
security failures. We stressed that, more than clean audits, we value the
transparency and timeliness of an organization in responding to issues in a
way that fully resolves the issue.

We shared with Symantec how their competitors - organizations such as
GoDaddy and DigiCert - have provided excellent examples for fully
responding to issues in a responsible, timely, and complete manner, even
when it may be disruptive to their customers. While an incident happening
is not ideal, by responding in a way that is beyond reproach, these CAs
have demonstrated an awareness of the security and ecosystem implications.
More importantly, it demonstrates how their competitors have respected the
Baseline Requirements, particularly around the requirement to revoke
certificates that the CA is made aware of not having been issued in
accordance with their CP/CPS, even if no misleading information is present.
We shared this with the hope of encouraging Symantec to take a thoughtful
approach in their proposal and to understand what is expected of them.

We shared how Google has responded to past CA failures - organizations like
DigiNotar, which downplayed the security implications to their customers
and found themselves summarily and permanently revoked, organizations like
WoSign, which misled the web community while actively and knowingly
engaging in prohibited behaviours, and the seriousness of issuing or
failing to supervise subordinate CAs, which places all users - not just
their customers - at risk.

We highlighted the clear and undisputed evidence that Symantec's issues -
https://wiki.mozilla.org/CA:Symantec_Issues - extend well beyond the RA
certificates, and raise concerns about the conduct of their employees, the
security of their infrastructure, their awareness of what they have issued,
and their ability to effectively supervise it.

Following these meetings, we offered Symantec advice on how to make an
effective proposal that could objectively and meaningfully address the
concerns raised, while minimizing the impact to their customers. This was
done with the hope that they would use the opportunity to step up and raise
to the level expected of them, and as clearly demonstrated through the
incident responses of DigiCert, GoDaddy, and GlobalSign in the past month.
By providing a meaningful proposal, particularly one that complied with the
Baseline Requirements and the obligations upon all CAs, they would be able
to demonstrate their understanding and awareness of these issues.

Below is an excerpt of that message, shared with Symantec's CEO and CTO,
sent on April 18. I've removed a few pieces from this, as it appears