(continuing top posting for consistency)

In order to clarify the potential risk/damage to the Web PKI, it would
be useful to clarify the following in a later report (since this would
require additional investigation):

Were the web identities (DNS names etc.) in the category C, D, E and F
certificates properly vetted as per the CP/CPS etc., and the certificates
simply replaced the vetted organization name with "test" in the X.500
distinguished name?  Or were some of those issued for insufficiently
vetted (or actually incorrect) web identities?

To the safety of the web PKI this makes a big difference, since if the
web identities were properly and correctly vetted, then the only real
danger was relying parties seeing the word "test" in some user
interfaces instead of the real organization name, thus conferring less
trust (failing closed).  If on the other hand the web identities were
insufficiently vetted, then the certificates conferred a security claim
to relying parties not being shown or otherwise inspecting the O= field
(failing open).

On 27/01/2017 02:30, Steve Medin wrote:
Here is an attached PDF update regarding this certificate problem report.

Kind regards,
Steven Medin
PKI Policy Manager, Symantec Corporation

-----Original Message-----
From: dev-security-policy [mailto:dev-security-policy-
bounces+steve_medin=symantec....@lists.mozilla.org] On Behalf Of Steve
Medin
Sent: Saturday, January 21, 2017 9:35 AM
To: Andrew Ayer <a...@andrewayer.name>; mozilla-dev-security-
pol...@lists.mozilla.org
Subject: RE: Misissued/Suspicious Symantec Certificates

The listed Symantec certificates were issued by one of our WebTrust audited
partners. We have reduced this partner's privileges to restrict further
issuance while we review this matter. We revoked all reported certificates
which were still valid that had not previously been revoked within the 24
hour CA/B Forum guideline - these certificates each had "O=test". Our
investigation is continuing.



Enjoy

Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S.  https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
