[mailto:r...@sleevi.com]
Sent: Wednesday, February 22, 2017 11:33 PM
To: Steve Medin
Cc: mozilla-dev-security-pol...@lists.mozilla.org; r...@sleevi.com; Gervase
Markham
Subject: Re: Misissued/Suspicious Symantec Certificates
Hi Steve,
Thanks for your continued attention to this matter. Your
On 2017-03-01T12:22:32-0800, "Martin Heaps via dev-security-policy"
wrote:
> On Tuesday, 28 February 2017 17:45:19 UTC, Santhan Raj wrote:
>
> > WebTrust for Certification Authorities, SSL
> > Baseline with Network Security, Version 2.0, available
>
On Tuesday, 28 February 2017 17:45:19 UTC, Santhan Raj wrote:
> WebTrust for Certification Authorities, SSL
> Baseline with Network Security, Version 2.0, available
> at
> http://www.webtrust.org/homepage‐documents/item79806.pdf.
404 - File or
On Friday, February 24, 2017 at 5:12:43 PM UTC-8, Peter Bowen wrote:
> "auditing standards that underlie the accepted audit schemes found in
> Section 8.1"
>
> This is obviously an error in the BRs. That language is taken from
> Section 8.1 and there is no list of schemes in 8.1.
>
> 8.4 does hav
On Fri, Feb 24, 2017 at 4:51 PM, Ryan Sleevi wrote:
>
>
> On Wed, Feb 22, 2017 at 8:32 PM, Ryan Sleevi wrote:
>
>> Hi Steve,
>>
>> Thanks for your continued attention to this matter. Your responses open
>> many new and important questions and which give serious question as to
>> whether the prop
"auditing standards that underlie the accepted audit schemes found in
Section 8.1"
This is obviously an error in the BRs. That language is taken from
Section 8.1 and there is no list of schemes in 8.1.
8.4 does have a list of schemes:
1. WebTrust for Certification Authorities v2.0;
2. A national
On Wed, Feb 22, 2017 at 8:32 PM, Ryan Sleevi wrote:
> Hi Steve,
>
> Thanks for your continued attention to this matter. Your responses open
> many new and important questions and which give serious question as to
> whether the proposed remediations are sufficient. To keep this short, and
> thereb
I'm sorry, I'm still a little confused about how to understand your
response.
I can't tell if you're discussing in the abstract - as in, you don't know
how a Delegated Third Party would ever meet that definition, due to the
absence of "auditing standards that underlie the accepted audit schemes
f
I am aware of the requirements but am interested in seeing how an RA that
doesn't have their own issuing cert structures the audit report. It probably
looks the same, but I've never seen one (unless that is the case with the
previously provided audit report).
On Feb 22, 2017, at 8:48 PM, Ryan S
On Wed, Feb 22, 2017 at 8:36 PM, Jeremy Rowley
wrote:
> Webtrust doesn't have audit criteria for RAs so the audit request may
> produce interesting results. Or are you asking for the audit statement
> covering the root that the RA used to issue from? That should all be public
> in the Mozilla dat
>>
>>
>>
>>
>> From: Ryan Sleevi [mailto:r...@sleevi.com]
>> Sent: Friday, February 17, 2017 6:54 PM
>> To: Ryan Sleevi
>> Cc: Gervase Markham ; mozilla-dev-security-policy@
>> lists.mozilla.org; Steve Medin
>> Subje
vase Markham ; mozilla-dev-security-policy@
> lists.mozilla.org; Steve Medin
> Subject: Re: Misissued/Suspicious Symantec Certificates
>
>
>
> Hi Steve,
>
>
>
> Two more questions to add to the list which is already pending:
>
>
>
> In [1], in response to questi
mozilla-dev-security-pol...@lists.mozilla.org; Steve Medin
Subject: Re: Misissued/Suspicious Symantec Certificates
Hi Steve,
Two more questions to add to the list which is already pending:
In [1], in response to question 5, Symantec indicated that Certisign was a
WebTrust audited partner RA
On Friday, February 17, 2017 at 10:19:06 PM UTC-5, Ryan Sleevi wrote:
> On Fri, Feb 17, 2017 at 5:17 PM, urijah--- via dev-security-policy <
> dev-security-policy@lists.mozilla.org> wrote:
>
> > On Friday, February 17, 2017 at 7:50:31 PM UTC-5, uri...@gmail.com wrote:
> > > On Friday, February 17,
On Fri, Feb 17, 2017 at 5:17 PM, urijah--- via dev-security-policy <
dev-security-policy@lists.mozilla.org> wrote:
> On Friday, February 17, 2017 at 7:50:31 PM UTC-5, uri...@gmail.com wrote:
> > On Friday, February 17, 2017 at 7:23:54 PM UTC-5, Ryan Sleevi wrote:
> > > I have confirmed with CPA
>
On Friday, February 17, 2017 at 7:50:31 PM UTC-5, uri...@gmail.com wrote:
> On Friday, February 17, 2017 at 7:23:54 PM UTC-5, Ryan Sleevi wrote:
> > I have confirmed with CPA
> > Canada that during the 2016 and 2017 periods, EY Brazil was not a
> > licensed WebTrust practitioner, as indicated at
On Friday, February 17, 2017 at 7:23:54 PM UTC-5, Ryan Sleevi wrote:
> I have confirmed with CPA
> Canada that during the 2016 and 2017 periods, EY Brazil was not a
> licensed WebTrust practitioner, as indicated at [4].
>
> [4]
> http://www.webtrust.org/licensed-webtrust-practitioners-internati
Hi Steve,
Two more questions to add to the list which is already pending:
In [1], in response to question 5, Symantec indicated that Certisign was a
WebTrust audited partner RA, with [2] provided as evidence to this fact.
While we discussed the concerns with respect to the audit letter,
specifical
On Mon, Feb 13, 2017 at 4:48 AM, Gervase Markham via dev-security-policy <
dev-security-policy@lists.mozilla.org> wrote:
> Hi Steve,
>
> On 12/02/17 15:27, Steve Medin wrote:
> > A response is now available in Bugzilla 1334377 and directly at:
> > https://bugzilla.mozilla.org/attachment.cgi?id=883
Hi Steve,
On 12/02/17 15:27, Steve Medin wrote:
> A response is now available in Bugzilla 1334377 and directly at:
> https://bugzilla.mozilla.org/attachment.cgi?id=8836487
Thank you for this timely response. Mozilla continues to expect answers
to all reasonable and polite questions posed in our f
On Monday, 13 February 2017 09:06:02 UTC, Kurt Roeckx wrote:
> This seems to be a worrying trend to me.
Almost certainly it would be wrong for us to look at these three data points
and conclude from them that the main problem is EY itself. Not to say they
can't do better, or be a key agent of c
Kurt Roeckx via dev-security-policy
writes:
>So after reading this, the following auditors aren't trusted by Symantec
>anymore:
>- E&Y Korea
>- E&Y Brazil
>
>The following isn't trusted by Mozilla anymore:
>- E&Y Hong Kong
>
>This seems to be a worrying trend to me.
It's OK, E&Y have offices in
So after reading this, the following auditors aren't trusted by Symantec
anymore:
- E&Y Korea
- E&Y Brazil
The following isn't trusted by Mozilla anymore:
- E&Y Hong Kong
This seems to be a worrying trend to me.
Kurt
On 2017-02-12 20:25, Eric Mill wrote:
Also relevant are Symantec's stateme
> > -Original Message-
> > From: Gervase Markham [mailto:g...@mozilla.org]
> > Sent: Thursday, February 09, 2017 4:56 AM
> > To: Steve Medin ; mozilla-dev-security-
> > pol...@lists.mozilla.org
> > Cc: r...@sleevi.com
> > Subject: Re: Misissued/Suspicious Sy
Also relevant are Symantec's statements about two E&Y regional auditors.
One section describes contradictions from E&Y KR (Korea) in describing why
some CrossCert issuing CAs were not in scope:
• The list of CAs in the audit was produced by CrossCert and given to E&Y
KR as the scope to audit. It
Though Nick's email implies the announcement, for the benefit of the list,
here's Symantec's introduction at the top of their response:
Based on our investigation of CrossCert, we have concerns due to (1)
demonstrated non-compliance with processes and controls, (2) assertions of
third party audito
On Sunday, 12 February 2017 15:28:26 UTC, Steve Medin wrote:
> A response is now available in Bugzilla 1334377 and directly at:
> https://bugzilla.mozilla.org/attachment.cgi?id=8836487
Thanks for these responses Steve,
I believe that Symantec's decision to terminate the RA Partner programme was
urity-
> pol...@lists.mozilla.org
> Cc: r...@sleevi.com
> Subject: Re: Misissued/Suspicious Symantec Certificates
>
> On 09/02/17 03:07, Ryan Sleevi wrote:
> > We appreciate your attention to these questions and will thoughtfully
> > consider a response to these questions i
On Thursday, 9 February 2017 03:08:14 UTC, Ryan Sleevi wrote:
> 19) Can you confirm that Certsuperior, Certisign, CrossCert, and Certisur
> are the only Delegated Third Parties utilized by Symantec, across all
> Symantec operated CAs that are trusted by Mozilla products?
Maybe Ryan has better inf
On 09/02/17 03:07, Ryan Sleevi wrote:
> We appreciate your attention to these questions and will thoughtfully
> consider a response to these questions if received no later than 2017-02-13
> 00:00:00 UTC.
Mozilla also requests answers to these excellent questions under the
same terms and, for the a
On Sat, Feb 4, 2017 at 3:10 AM, Gervase Markham wrote:
> On 31/01/17 04:51, Steve Medin wrote:
> > Our response to questions up to January 27, 2017 has been posted as an
> > attachment to bug https://bugzilla.mozilla.org/show_bug.cgi?id=1334377.
>
> Quoting that document:
>
> "Q: 4) In response t
On 05/02/17 09:47, Gervase Markham wrote:
> On 05/02/17 06:20, Peter Gutmann wrote:
>> That's not a cert issue, it's Firefox objecting to the version of SSL/TLS the
>> server is advertising. Hey, it would be pretty funny if the cert auditors'
>> certs were broken, but it's just the browser complai
Hi Steve,
On 31/01/17 03:51, Steve Medin wrote:
> Our response to questions up to January 27, 2017 has been posted as an
> attachment to bug https://bugzilla.mozilla.org/show_bug.cgi?id=1334377.
It's now ten days later; are Symantec in a position to answer the next
batch of questions, and also g
On 05/02/17 06:20, Peter Gutmann wrote:
> That's not a cert issue, it's Firefox objecting to the version of SSL/TLS the
> server is advertising. Hey, it would be pretty funny if the cert auditors'
> certs were broken, but it's just the browser complaining about something else.
That machine defini
Martin Heaps writes:
>web address for accessing the E&Y assessment:
>https://cert.webtrust.org/SealFile?seal=2168&file=pdf and that access this
>address gives a
>
>> Secured Connection Failure: SSL_ERROR_UNSAFE_NEGOTIATION
>
>status. This (webtrust) organisation which seems to run the role of
>ce
As a side note to the main topic, I find it curious and a little disconcerting
that the referred link to the E&Y assessment of CrossCert, (outlined in Point
2 of "Additional Follow-ups") found on the document linked by Steve (here :
https://bug1334377.bmoattachments.org/attachment.cgi?id=8831038
On 04/02/17 14:32, Ryan Sleevi wrote:
> Gerv, as the information Steve shared about their other RAs show, their
> issues with RAs are not limited to CrossCert, unfortunately. Check out the
> rest of the details included.
Ouch. Thank you for drawing these to my attention; I had neglected to
read th
On Sat, Feb 4, 2017 at 3:10 AM, Gervase Markham wrote:
>
> 4) Is there any reliable programmatic way of determining, looking only
> at the contents of the certificate or certificate chain, that a
> certificate was issued by CrossCert personnel using their processes, as
> opposed to by Symantec per
On 31/01/17 04:51, Steve Medin wrote:
> Our response to questions up to January 27, 2017 has been posted as an
> attachment to bug https://bugzilla.mozilla.org/show_bug.cgi?id=1334377.
Quoting that document:
"Q: 4) In response to the previous incident, Symantec indicated it
updated its internal
Glad you also answered the key question I posted some time ago (the
last one in the PDF).
According to your answer it appears that the majority of problematic
certificates were, to the WebPKI relying parties, correct and valid
certificates that simply had the legal names of the certificate holder
/Suspicious Symantec Certificates
Steve,
As captured in our private mail exchange last week, Symantec's report fails to
meaningfully address each or any of the questions I raised. Google considers
it of utmost urgency that Symantec share the answers to these questions, posed
a week ago, and
On Monday, 30 January 2017 17:52:34 UTC, Andrew Ayer wrote:
> I would appreciate confirmation from Steve, but note that dev119money.com
> is not currently a registered domain name.
Ah yes, none of the names on that certificate currently exist in the Internet
DNS: devhkhouse.co.kr and devhkautolo
On Fri, 27 Jan 2017 09:43:00 -0800 (PST)
Nick Lamb wrote:
> On Friday, 27 January 2017 12:11:06 UTC, Gervase Markham wrote:
> > * It's not clear what the problem is with the issuance in category
> > F. I don't see any mention of "dev119money.com" in Andrew's initial
> > report. Can you explain (
Steve,
As captured in our private mail exchange last week, Symantec's report fails
to meaningfully address each or any of the questions I raised. Google
considers it of utmost urgency that Symantec share the answers to these
questions, posed a week ago, and based on Symantec's multiple public
stat
On 30/01/17 12:51, Nick Lamb wrote:
> CrossCert Certification Practice Statement Version 3.8.8 Effective
> Date: JUNE 29, 2012
That date is interesting. The BRs require CPSes to be revised yearly.
> "End-user Subscriber Certificates contain an X.501 distinguished name
> in the Subject name field
On Monday, 30 January 2017 11:10:00 UTC, Gervase Markham wrote:
> Could you point us at the parts of the CPS or other documents which led
> you to that belief?
I examined a great many documents since Andrew's initial report. I think the
document which originally caused me to form this incorrect
Hi Nick,
On 29/01/17 12:39, Nick Lamb wrote:
> 2. It had been my assumption, based on the CPS and other documents,
> that CrossCert was restricted in their use of Symantec's issuance
> function to C=KR
Could you point us at the parts of the CPS or other documents which led
you to that belief?
Ge
On Sunday, 29 January 2017 02:28:53 UTC, Steve Medin wrote:
> We completed our investigation of these 12 certificates by requesting
> archived documentation. CrossCert was unable to produce documentation to
> prove their validation as required under BR 5.4.1. We revoked all 12
> certificates withi
Symantec's auditors, KPMG, completed a scan of CrossCert certificates to
detect potential mis-issuance. On Thursday, January 26, 2017 at 4:08pm PST,
KPMG provided a report that listed 12 problem certificates that were not in
Andrew Ayer's report. We began an investigation into that certificate
prob
On Friday, 27 January 2017 12:11:06 UTC, Gervase Markham wrote:
> * It's not clear what the problem is with the issuance in category F. I
> don't see any mention of "dev119money.com" in Andrew's initial report.
> Can you explain (and provide a crt.sh link)?
https://crt.sh/?id=48539119 appears to
Hi Steve,
On 27/01/17 01:30, Steve Medin wrote:
> Here is an attached PDF update regarding this certificate problem report.
Thanks for the update. Here are some questions:
* It's not clear what the problem is with the issuance in category F. I
don't see any mention of "dev119money.com" in Andrew
..@lists.mozilla.org
Subject: RE: Misissued/Suspicious Symantec Certificates
The listed Symantec certificates were issued by one of our WebTrust
audited
partners. We have reduced this partner's privileges to restrict further
issuance while we review this matter. We revoked all reported cert
ity-policy [mailto:dev-security-policy-
bounces+steve_medin=symantec@lists.mozilla.org] On Behalf Of Steve
Medin
Sent: Saturday, January 21, 2017 9:35 AM
To: Andrew Ayer ; mozilla-dev-security-
pol...@lists.mozilla.org
Subject: RE: Misissued/Suspicious Symantec Certificates
The listed Symantec certifi
> > To: Andrew Ayer ; mozilla-dev-security-
> > pol...@lists.mozilla.org
> > Subject: RE: Misissued/Suspicious Symantec Certificates
> >
> > The listed Symantec certificates were issued by one of our WebTrust
> audited
> > partners. We have reduced this partner's priv
On Thursday, January 26, 2017 at 9:27:52 PM UTC-8, Steve Medin wrote:
> Here is an attached PDF update regarding this certificate problem report.
>
> Kind regards,
> Steven Medin
> PKI Policy Manager, Symantec Corporation
>
The PDF file provided by Steven has been attached to this bug:
https://
Behalf Of Steve
> Medin
> Sent: Saturday, January 21, 2017 9:35 AM
> To: Andrew Ayer ; mozilla-dev-security-
> pol...@lists.mozilla.org
> Subject: RE: Misissued/Suspicious Symantec Certificates
>
> The listed Symantec certificates were issued by one of our WebTrust
audited
Steve,
Have you had a chance to review these questions? Considering that these are
all about existing practices, and as a CA should be readily available and
easy to answer, I'm hoping you can reply by end of day.
Please consider this a formal request from Google as part of investigating
this inci
Hi Hanno,
On Tue, 24 Jan 2017 10:38:01 +0100
Hanno Böck wrote:
> Hello,
>
> I have a few observations to share about this incident, not sure how
> relevant they are.
Thanks for sharing these. I found them interesting.
> There are 4 "example.com" certificates related to this incident.
>
> T
Hello,
I have a few observations to share about this incident, not sure how
relevant they are.
There are 4 "example.com" certificates related to this incident.
There are 114 "O=test" certificates that I assume are related to this
incident. This includes all certificates with a "Not Before" date
Steve,
While I understand that your investigation is ongoing, this does seem
extremely similar, if not identical, to Symantec's previous misissuance.
In that previous incident, Symantec took a number of steps - beginning with
reportedly immediately terminating the employees responsible and then
c
The listed Symantec certificates were issued by one of our WebTrust audited
partners. We have reduced this partner's privileges to restrict further
issuance while we review this matter. We revoked all reported certificates
which were still valid that had not previously been revoked within the 24
ho
On Thursday, 19 January 2017 21:46:38 UTC, Andrew Ayer wrote:
> 2. The third certificate in the list above contains a SAN for
> DNS:*.crosscert.com - note that three of the misissued example.com
> certificates contain "Crosscert" in their Subject Organization.
Crosscert aka Korea Electronic Certi
Andrew, thank you for your efforts to report this issue. We are
investigating and will report our resolution, cause analysis, and corrective
actions once complete.
Kind regards,
Steven Medin
PKI Policy Manager, Symantec Corporation
> -Original Message-
> From: dev-security-policy [mailto: