On Sat, Feb 4, 2017 at 3:10 AM, Gervase Markham <g...@mozilla.org> wrote:

> On 31/01/17 04:51, Steve Medin wrote:
> > Our response to questions up to January 27, 2017 has been posted as an
> > attachment to bug https://bugzilla.mozilla.org/show_bug.cgi?id=1334377.
>
> Quoting that document:
>
> "Q: 4) In response to the previous incident, Symantec indicated it
> updated its internal policies and procedures for test certificates as
> used for commercial certificates. Further, it indicated that QA
> engineers and authentication personnel were trained on updated practices
> for test certificates. a) Did Symantec include Registration Authorities
> in the scope of that training?
>
> A: We did not train partners on an issue that pertained to a tool they
> could not access."
>
> -- That seems to miss the point of the question somewhat. The problem in
> the previous incident was poor practices surrounding the issuance of
> test certificates, not simply the tool that was used to issue them.
>
> 1) Did Symantec do any additional training for RAs regarding the
> issuance of test certificates after the last incident? If not, why not?
> Did Symantec believe that it was very unlikely for RA personnel to make
> the same mistakes or have the same misunderstandings of what was
> appropriate as Symantec's personnel?
>
> You also write: "Category C concluded prior to that last audit’s review
> period."
Steve,

To echo Gerv's remarks, the statement Symantec issued for the previous
misissuance [1] stated:
"Symantec has updated its internal policies and procedures to strongly
reinforce that all test certificates must follow the same fulsome
authentication procedures as commercial certificates."

Section 9.8 of the Baseline Requirements, v1.4.2 states
"For delegated tasks, the CA and any Delegated Third Party MAY allocate
liability between themselves contractually as they determine, but the CA
SHALL remain fully responsible for the performance of all parties in
accordance with these Requirements, as if the tasks had not been delegated."

1) Does Symantec believe that the original statement is sufficiently clear
that it was limited solely to Symantec's role in validating, and did not
extend to that of Delegated Third Parties?
2) Did Symantec management believe it was not necessary to notify and
inform its Delegated Third Parties about the need and significance to
conform to Symantec's CP and CPS, and of the necessity of ensuring that all
issued certificates - regardless of mechanism - must follow the same
fulsome authentication procedures?

Similarly, the statement Symantec issued for the previous misissuance [1]
stated:
"Symantec updated its internal policies, procedures, and trainings to
clarify the April 2014 change in the Baseline Requirements that removed
authorization to issue certificates to unregistered domains."

Your most recent response, [2], notes that:
"RAs are required to follow the same policies as set forth in Symantec’s CP
and CPS documents."

Regarding Certisign:
3) The most recent version of Certisign's CP/CPS that I'm able to publicly
confirm is http://vtn.certisign.com.br/repositorio/politicas/DPC_da_Certisign.pdf,
which is dated 2012. Is this the correct CP/CPS?
4) Can Symantec confirm that this is the CP/CPS that was audited?
5) Does Symantec believe that this CP/CPS is consistent with Symantec's CP
and CPS documents as updated in response to the previous misissuance?
6) Does Symantec believe that the audit letter, indicated in [2], which
clearly indicates that the effective criteria were based on "SSL Baseline
Requirements Audit Criteria, Version 1.1", available at [3], represents a
sufficient demonstration of conformance to Symantec's CP/CPS?
7) Does Symantec believe that the audit letter, indicated in [2], conducted
by Ernst and Young Brazil, conforms with the professional obligations with
respect to WebTrust licensing, and Symantec's obligation to ensure said
compliance as part of its Delegated Third Party conformance to the Baseline
Requirements' audit standards? Specifically, the requirement to use
"WebTrust for CA - SSL Baseline with Network Security 2.0" for all audits
whose periods begin after 1-Jul-14, which EY Brazil demonstrably did not
follow?

Regarding Certsuperior:
Symantec has indicated that the 2016 audit of Certsuperior was qualified,
as demonstrated in [4]. During Symantec's previous misissuance event,
Symantec noted that:
"We have also enhanced our compliance function by consolidating all
compliance activities into a single group reporting directly to the head of
our Website Security business unit. This change was made in January 2016;
this new compliance structure includes enhanced identification, tracking,
prioritization and resolution of compliance-related updates, which will
help ensure that CA/Browser Forum rule changes are effectively implemented."

8) Was Symantec's compliance group involved in reviewing the qualified
audit report findings?
9) Did Symantec's management or compliance group disclose this
qualification to Mozilla?
10) Did Symantec's management or compliance group make its determination of
Certsuperior's compliance to Symantec's CP/CPS using
Certsuperior's publicly available CP/CPS, which Certsuperior's auditor,
Deloitte, noted in [4] that "The policies, procedures, and agreements are
not available for consultation." and that "The CPS published is illegible"?
11) If not, what CP/CPS did Symantec use, and how did Symantec ensure it
was appropriately audited?
12) If so, how did you do so, when the auditors themselves were not able to?
13) Given Symantec's previous statements regarding "holding ourselves to a
'no compromise' bar" [5], and the numerous issues identified in [4],
including an audit finding of "We noted roles of users that are not Trusted
Roles with access to validation requests at the web application", a "lack
of network segmentation for distinguishing between equipment with access to
applications and that which are not part of the validation process", and
that Certsuperior's network scans were "not performed with sufficient
periodicity and had only ever been executed over the
https://www.certsuperior.com website" and "were executed by personnel
without technical skill, ethics code, or independence", why does Symantec
still have an RA relationship with Certsuperior?
14) Does Certsuperior pay Symantec to engage as a Registration Authority?
15) If so, what does Symantec believe should be the reasonable
interpretation relative to the continued trustworthiness of Symantec and
Symantec's management of the fact that Symantec terminated employees for
cause for being involved in misissuance, but has continued to engage in a
business relationship with entities who have performed demonstrably worse,
but which pay Symantec for that privilege?

Regarding CrossCert:
The audit report indicated in [6] directly states that the audited CP/CPS
version of CrossCert is version 3.8.8, available at [7]. This version
indicates it was "Published Date: June 29, 2012". This audit was performed
by Ernst and Young, Korea.

16) Similar to Q3, is this the correct CPS?
17) Similar to Q5, does Symantec believe this CP/CPS, dated in 2012, is
consistent with Symantec's CP/CPS, which was updated in response to past
misissuances?

Regarding Registration Authorities:
18) Can you confirm that Symantec's response in [2] is correct and
comprehensive for all brands directly and indirectly operated by Symantec,
including, but not limited to, Verisign, Symantec, Thawte, GeoTrust, and
RapidSSL offerings?
19) Can you confirm that Certsuperior, Certisign, CrossCert, and Certisur
are the only Delegated Third Parties utilized by Symantec, across all
Symantec operated CAs that are trusted by Mozilla products?
We appreciate your attention to these questions and will thoughtfully
consider a response to these questions if received no later than 2017-02-13
00:00:00 UTC.

Thanks,
Ryan


[1] https://www.symantec.com/page.jsp?id=test-certs-update#
[2] https://bug1334377.bmoattachments.org/attachment.cgi?id=8831933
[3] http://www.webtrust.org/homepage-documents/item76002.pdf
[4] https://bug1334377.bmoattachments.org/attachment.cgi?id=8831930
[5] http://archive.is/Ro70U
[6] https://cert.webtrust.org/SealFile?seal=2167&file=pdf
[7] http://www.crosscert.com/symantec/certificationeng.pdf
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy