Re: Google's past discussions with Symantec
Note that according to the below post, the one thing Symantec has not decided to obey Google on is a request to completely stop operating as a CA, except in name and a few minor related aspects. This was the final, microscopic out offered to WoSign after they completely and deliberately deceived the root programs about their compliance and operations. I believe Symantec/Verisign's situation is less dire, as there is no known issue of deliberate deception. As such, and out of respect for them being the original CA that predates all the other global CAs, something less drastic should be allowed. It should also be noted that according to the wiki page at https://wiki.mozilla.org/CA:Symantec_Issues none of the known issues seem to involve EV certificates, thus making Google's proposal to remove EV trust for all Symantec-issued EV certs issued from appropriate EV SubCAs seem punitive rather than fact-based.

On 27/04/2017 16:59, Ryan Sleevi wrote:

(Wearing a Google Hat, if only to share what has transpired) Symantec has recently shared in https://www.symantec.com/connect/blogs/symantec-ca-proposal , as well as https://groups.google.com/d/msg/mozilla.dev.security.policy/LRvzF2ZPyeM/OpvBXviOAQAJ , a plan for what they believe is an appropriate resolution to the many grave and serious security issues they've introduced into the Web Ecosystem. While the community should certainly judge Symantec's proposal on its merits, as to whether or not it demonstrates a basic understanding of the issues and whether or not it provides any meaningful steps that were not already expected of them, as a trusted CA, it is useful to understand what has transpired over the past two weeks.
Google's past discussions with Symantec
(Wearing a Google Hat, if only to share what has transpired)

Symantec has recently shared in https://www.symantec.com/connect/blogs/symantec-ca-proposal , as well as https://groups.google.com/d/msg/mozilla.dev.security.policy/LRvzF2ZPyeM/OpvBXviOAQAJ , a plan for what they believe is an appropriate resolution to the many grave and serious security issues they've introduced into the Web Ecosystem. While the community should certainly judge Symantec's proposal on its merits, as to whether or not it demonstrates a basic understanding of the issues and whether or not it provides any meaningful steps that were not already expected of them, as a trusted CA, it is useful to understand what has transpired over the past two weeks.

As noted in https://groups.google.com/a/chromium.org/d/msg/blink-dev/eUAKwjihhBs/IIvNKEdHDQAJ , at the beginning of this month, the Chrome team met with Symantec's leadership to personally discuss and explain the issues and concerns raised, despite having been in communication with Symantec over these issues for months. As the number of issues that Symantec has had was so great, we were unable to provide our perspective of the many failures and the concerns that they signaled, and thus, a second meeting was scheduled, as mentioned in https://groups.google.com/a/chromium.org/d/msg/blink-dev/eUAKwjihhBs/PodHs8n5BAAJ

In both of these meetings, and in the following e-mail exchanges, we stressed to Symantec the nature of the issues: issues with the infrastructure, issues with oversight, and issues with audits. These issues involved not just RAs, but Symantec's employees, whether those responsible for issuing certificates or those who are tasked with overseeing the security and compliance of the process itself.

In particular, during these discussions, we explained our perspective of audits to Symantec. For example, we discussed the ways in which audits were insufficient to demonstrate security - that is, a clean audit does not demonstrate that an organization takes security seriously or that they have meaningfully addressed concerns. We discussed the ways in which audits were able to be 'gamed' by an organization, such as through limiting the scope of the audit to only a subset of the activities, such as validation activities, as a way of avoiding disclosure of the more fundamental security failures. We stressed that, more than clean audits, we value the transparency and timeliness of an organization in responding to issues in a way that fully resolves the issue.

We shared with Symantec how their competitors - organizations such as GoDaddy and DigiCert - have provided excellent examples for fully responding to issues in a responsible, timely, and complete manner, even when it may be disruptive to their customers. While an incident happening is not ideal, by responding in a way that is beyond reproach, these CAs have demonstrated an awareness of the security and ecosystem implications. More importantly, it demonstrates how their competitors have respected the Baseline Requirements, particularly around the requirement to revoke certificates that the CA is made aware of not having been issued in accordance with their CP/CPS, even if no misleading information is present. We shared this with the hope of encouraging Symantec to take a thoughtful approach in their proposal and to understand what is expected of them. We shared how Google has responded to past CA failures - organizations like DigiNotar, which downplayed the security implications to their customers and found themselves summarily and permanently revoked, organizations like WoSign, which misled the web community while actively and knowingly engaging in prohibited behaviours, and the seriousness of issuing or failing to supervise subordinate CAs, which places all users - not just their customers - at risk.

We highlighted the clear and undisputed evidence that Symantec's issues - https://wiki.mozilla.org/CA:Symantec_Issues - extend well beyond the RA certificates, and raise concerns about the conduct of their employees, the security of their infrastructure, their awareness of what they have issued, and their ability to effectively supervise it.

Following these meetings, we offered Symantec advice on how to make an effective proposal that could objectively and meaningfully address the concerns raised, while minimizing the impact to their customers. This was done with the hope that they would use the opportunity to step up and rise to the level expected of them, and as clearly demonstrated through the incident responses of DigiCert, GoDaddy, and GlobalSign in the past month. By providing a meaningful proposal, particularly one that complied with the Baseline Requirements and the obligations upon all CAs, they would be able to demonstrate their understanding and awareness of these issues.

Below is an excerpt of that message, shared with Symantec's CEO and CTO, sent on April 18. I've removed a few pieces from this, as it appears