On Sunday, 29 January 2017 02:28:53 UTC, Steve Medin wrote:

> We completed our investigation of these 12 certificates by requesting
> archived documentation. CrossCert was unable to produce documentation to
> prove their validation as required under BR 5.4.1. We revoked all 12
> certificates within 24 hours of becoming aware of CrossCert's BR 5.4.1
> non-compliance. Our investigation continues.
Several of these certificates appear, on any surface inspection, to be legitimate certificates issued to real subscribers, and yet presumably CrossCert was not able to document validation.

So several thoughts arise. I appreciate that you might want to do more investigation before replying, Steve, not least because there are quite a few questions here - and as always I welcome feedback from other participants meanwhile.

1. The six "false positive" certificates appear unremarkable except for the coincidence of including the word "test". If CrossCert can't produce documentation to show these were validated properly, it seems likely that many or even all certificates which Symantec had believed were validated by CrossCert in fact lack such documentation. Is that not so?

2. It had been my assumption, based on the CPS and other documents, that CrossCert was restricted in their use of Symantec's issuance function to C=KR; this is cold comfort for practical purposes in the Web PKI, but it would at least help us to scope any damage. The existence of certificates with C=BD in this list shows my assumption was wrong. How (if at all) can an outsider determine if in fact CrossCert caused issuance of a Symantec certificate? Prior to Andrew's report, what _mechanical_ constraints on CrossCert's issuance were in place, in particular any beyond those which were applied to Symantec's own issuances? For example, would it have been possible for them to cause issuance of a 5-year cert? A SHA-1 certificate? To choose specific serial numbers?

3. Since we have every reason to imagine that some (or even all) of the affected certificates were issued in good faith to legitimate subscribers, it would have been nice for Symantec to alert the subscribers when their certificates were revoked. Did Symantec do this? If not, does Symantec have the capability to contact these subscribers itself (e.g. email addresses, phone numbers)? If not, does Symantec contractually require of RA partners that they provide a capability for Symantec to contact their subscribers, or relay a message chosen by Symantec on their behalf?

4. Although BR 5.4.1 says that these records are to be kept by the CA and each Delegated Third Party, the obligation is on the CA (here, Symantec) to make the records available to their auditors. Is it in fact the case that this investigation is the first time Symantec has asked CrossCert for such records? Wasn't Symantec concerned that KPMG (in a routine audit) might ask to see these records but they didn't have them? Might not other RA partners be affected similarly?

5. As Symantec will know from its own experience, audits have not proved to be sufficient for detecting systematic non-compliance by CAs. What measures _beyond_ the WebTrust audit did Symantec have in place to detect non-compliance by an RA partner?

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy