On Monday, 13 February 2017 09:06:02 UTC, Kurt Roeckx wrote:

> This seems to be a worrying trend to me.
Almost certainly it would be wrong for us to look at these three data points and conclude from them that the main problem is EY itself. Not to say they can't do better, or be a key agent of change, but I believe it would be an error to spend more than a small amount of effort on that.

Symantec tripped themselves up here by relying on auditors to check something they were in an excellent position to examine for themselves. If local auditors are incompetent or corrupt and do not uncover policy deviations on the ground, such as lack of physical security or use of untrained staff, then that is a problem and only improved audits can fix it. But when it came to issuance, Symantec chose to examine audit results rather than look at their own systems to determine what was being issued. Likewise for the documentation capture - Symantec could have known months or years ago if CrossCert's validation was inadequate by seeing the evidence captured, rather than relying on the auditors to determine that.

If CrossCert was actually operated by a pair of students from a flat in Amsterdam, but Symantec had been able to achieve confidence that it was adequately validating subject identities and documenting this work correctly, it seems to me that the threat to the Web PKI from their deceit is rather modest. Doubtless Symantec would be very unhappy with this purported Korean company, but there wouldn't be bogus certificates out there that should never have been issued, just a bunch of red faces at Symantec. On the other hand, even if auditors flew in from London and New York and from each of the Big Four professional services networks to examine CrossCert's physical site in Korea and their implementation of policy on the ground, that's worthless if CrossCert are anyway still causing Symantec to issue "test" certificates for example.com and Symantec doesn't even detect it.
However, I recall that for EY Hong Kong I asked Mozilla / Gerv to ensure the head office in London was informed of Mozilla's decision. I would recommend that Symantec should likewise inform the London head office of their decision. Notionally all the Big Four have global policy and consistency of service set from their head offices, and so that's the place to intervene if there really is anything to be done about the problem. Given the poor quality we've seen in the Big Four's multi-billion dollar financial audit work, compared to their success as almost universally the only firms to get any work from large multi-national companies, another reason for my saying we shouldn't throw lots of effort at this part of the problem is that success is unlikely.

There is a (disputed) saying in the Web PKI that "Revocation doesn't work". Likewise I would argue, "Audit doesn't work".

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy