Our fourth response to questions is posted at Bugzilla, https://bugzilla.mozilla.org/show_bug.cgi?id=1334377.
It includes two attachments at that bug: https://bugzilla.mozilla.org/attachment.cgi?id=8843448 https://bugzilla.mozilla.org/attachment.cgi?id=8843449 From: Ryan Sleevi [mailto:r...@sleevi.com] Sent: Wednesday, February 22, 2017 11:33 PM To: Steve Medin <steve_me...@symantec.com> Cc: mozilla-dev-security-pol...@lists.mozilla.org; r...@sleevi.com; Gervase Markham <g...@mozilla.org> Subject: Re: Misissued/Suspicious Symantec Certificates Hi Steve, Thanks for your continued attention to this matter. Your responses open many new and important questions and which give serious question as to whether the proposed remediations are sufficient. To keep this short, and thereby allow Symantec a more rapid response: 1) Please provide the CP, CPS, and Audit Letter(s) used for each RA partner since the acquisition by Symantec of the VeriSign Trust Services business in 2010. On Fri, Feb 17, 2017 at 8:32 PM, Steve Medin via dev-security-policy <dev-security-policy@lists.mozilla.org<mailto:dev-security-policy@lists.mozilla.org>> wrote: Our third response to questions, including these two below, is posted at Bugzilla, and directly at https://bug1334377.bmoattachments.org/attachment.cgi?id=8838825<https://clicktime.symantec.com/a/1/maIs7jXt0tqwnz1Jx0AxZjkA8GILUQI09uuEhZICWEQ=?d=7ylIQcW9MI3sm23dlF9kH0iQJbyD55FBGhRKwcFXib_4hIAJwQhgd3_24qB0coAv-SdkMKlUr1dYe3ULlJgm969yhZKu4ZLoTqyM3AhvyrmRjBijxx3oSZPweXl_MrKyswyJA1YgFpcKGlUTjUSxotLtqPMZn4tj-_2nsHC7tdtHzA9HmVLZRFXR2Ty6fDlHgYxN5haET45fGSzWiPA8P-VLtfS-ypJqHrmea4f-tKogptm9DGWQ3s-zZjo7FB1wGZL29RK8Xht9YbsSKN7HoJ0DcrJCTqWKwAapOYXopyC1Pf6hUe049AYjSS_wYcu7YAYcbfx2aEyndOFglqSVO7862-3Ny98IiKnskPeYE4pqtE1wHuEAeXC4OopLbVI1LP28GRXPjy8GPSImqgPdjyvD-hmSUJJt&u=https%3A%2F%2Fbug1334377.bmoattachments.org%2Fattachment.cgi%3Fid%3D8838825>. From: Ryan Sleevi [mailto:r...@sleevi.com<mailto:r...@sleevi.com>] Sent: Friday, February 17, 2017 6:54 PM To: Ryan Sleevi <r...@sleevi.com<mailto:r...@sleevi.com>> Cc: Gervase Markham <g...@mozilla.org<mailto:g...@mozilla.org>>; mozilla-dev-security-pol...@lists.mozilla.org<mailto:mozilla-dev-security-pol...@lists.mozilla.org>; Steve Medin <steve_me...@symantec.com<mailto:steve_me...@symantec.com>> Subject: Re: Misissued/Suspicious Symantec Certificates Hi Steve, Two more question to add to the list which is already pending: In [1], in response to question 5, Symantec indicated that Certisign was a WebTrust audited partner RA, with [2] provided as evidence to this fact. While we discussed the concerns with respect to the audit letter, specifically in [3], questions 3 - 6, and while Symantec noted that it would case to accept future EY Brazil audits, I have confirmed with CPA Canada that at during the 2016 and 2017 periods, EY Brazil was not a licensed WebTrust practitioner, as indicated at [4]. Given that EY Brazil was not a licensed WebTrust auditor, it appears that Symantec failed to uphold Section 8.2 of the Baseline Requirements, v1.4.1 [5], namely, that "(For audits conducted in accordance with the WebTrust standard) licensed by WebTrust", which is a requirement clearly articulated in Section 8.4 of the Baseline Requirements, namely, that "If the CA is not using one of the above procedures and the Delegated Third Party is not an Enterprise RA, then the CA SHALL obtain an audit report, issued under the auditing standards that underlie the accepted audit schemes found in Section 8.1, ..." 1) Was Symantec's compliance team involved in the review of Certisign's audit? 2) Does Symantec agree with the conclusion that, on the basis of this evidence, Symantec failed to uphold the Baseline Requirements, independent of any action by a Delegated Third Party? [1] https://bug1334377.bmoattachments.org/attachment.cgi?id=8831933<https://clicktime.symantec.com/a/1/vG4MDB3hNsGYUc24ZpW7pdrPIan-c_b-D8RRJ1NfRP4=?d=7ylIQcW9MI3sm23dlF9kH0iQJbyD55FBGhRKwcFXib_4hIAJwQhgd3_24qB0coAv-SdkMKlUr1dYe3ULlJgm969yhZKu4ZLoTqyM3AhvyrmRjBijxx3oSZPweXl_MrKyswyJA1YgFpcKGlUTjUSxotLtqPMZn4tj-_2nsHC7tdtHzA9HmVLZRFXR2Ty6fDlHgYxN5haET45fGSzWiPA8P-VLtfS-ypJqHrmea4f-tKogptm9DGWQ3s-zZjo7FB1wGZL29RK8Xht9YbsSKN7HoJ0DcrJCTqWKwAapOYXopyC1Pf6hUe049AYjSS_wYcu7YAYcbfx2aEyndOFglqSVO7862-3Ny98IiKnskPeYE4pqtE1wHuEAeXC4OopLbVI1LP28GRXPjy8GPSImqgPdjyvD-hmSUJJt&u=https%3A%2F%2Fbug1334377.bmoattachments.org%2Fattachment.cgi%3Fid%3D8831933><https://clicktime.symantec.com/a/1/6wJmuz5H2ktURSIGjev34ZuuQTad1LRVz1nIlADR7XE=?d=EzdV7X-pe5sih3AYTnIMlzBIT3AaPBWIYQF9wd5LbpGrImaYYowG0inKiozTFwfAeJMk8B2dt_4yENjH4IaBlGSfv3Nbn8GMpSPDtntAWmyx8q3PfDYHHU_bDfrHZGtmC5XInqf0-ck-FF9e6SGtIxb23Mc2kGZNy8eGAG1jAT1TAe21ybqhXxIvmlxFXmTHtVMR3YXXvHPdAlcwv8e83_rm24C4_wUeNtE5oJFsBljHikK-4oZ1OAUbs4kCgGUxt8c WaB75e0ZDlR_fb71_91rphEjG44uTwcWMGyYK07gsGTyfvKsUrvka6LTCQoX9d09q2fHeLb5TL3SPWUKa6B9_V5GfWubr-0rIMxR7-kT2QzmMrkTgl2YGGDT-rtrKWSZ_xCOsOuU3sp_ARcYoRPNHR1FUGD8%3D&u=https%3A%2F%2Fbug1334377.bmoattachments.org%2Fattachment.cgi%3Fid%3D8831933> [2] https://bug1334377.bmoattachments.org/attachment.cgi?id=8831929<https://clicktime.symantec.com/a/1/Co8ZRcNA5WX7mrzL3wgY5QAejUiQtttlSJB2E60z1RQ=?d=7ylIQcW9MI3sm23dlF9kH0iQJbyD55FBGhRKwcFXib_4hIAJwQhgd3_24qB0coAv-SdkMKlUr1dYe3ULlJgm969yhZKu4ZLoTqyM3AhvyrmRjBijxx3oSZPweXl_MrKyswyJA1YgFpcKGlUTjUSxotLtqPMZn4tj-_2nsHC7tdtHzA9HmVLZRFXR2Ty6fDlHgYxN5haET45fGSzWiPA8P-VLtfS-ypJqHrmea4f-tKogptm9DGWQ3s-zZjo7FB1wGZL29RK8Xht9YbsSKN7HoJ0DcrJCTqWKwAapOYXopyC1Pf6hUe049AYjSS_wYcu7YAYcbfx2aEyndOFglqSVO7862-3Ny98IiKnskPeYE4pqtE1wHuEAeXC4OopLbVI1LP28GRXPjy8GPSImqgPdjyvD-hmSUJJt&u=https%3A%2F%2Fbug1334377.bmoattachments.org%2Fattachment.cgi%3Fid%3D8831929><https://clicktime.symantec.com/a/1/pfZiLBH0rxpzxfeiB5YSfvWdOjwpHC72M_rUahZJxKQ=?d=EzdV7X-pe5sih3AYTnIMlzBIT3AaPBWIYQF9wd5LbpGrImaYYowG0inKiozTFwfAeJMk8B2dt_4yENjH4IaBlGSfv3Nbn8GMpSPDtntAWmyx8q3PfDYHHU_bDfrHZGtmC5XInqf0-ck-FF9e6SGtIxb23Mc2kGZNy8eGAG1jAT1TAe21ybqhXxIvmlxFXmTHtVMR3YXXvHPdAlcwv8e83_rm24C4_wUeNtE5oJFsBljHikK-4oZ1OAUbs4kCgGUxt8c WaB75e0ZDlR_fb71_91rphEjG44uTwcWMGyYK07gsGTyfvKsUrvka6LTCQoX9d09q2fHeLb5TL3SPWUKa6B9_V5GfWubr-0rIMxR7-kT2QzmMrkTgl2YGGDT-rtrKWSZ_xCOsOuU3sp_ARcYoRPNHR1FUGD8%3D&u=https%3A%2F%2Fbug1334377.bmoattachments.org%2Fattachment.cgi%3Fid%3D8831929> [3] https://bug1334377.bmoattachments.org/attachment.cgi?id=8836487<https://clicktime.symantec.com/a/1/qzBrc0JUrrA2x3M0TM0G0hDZl4Mw5BjUIARUiy9xfgM=?d=7ylIQcW9MI3sm23dlF9kH0iQJbyD55FBGhRKwcFXib_4hIAJwQhgd3_24qB0coAv-SdkMKlUr1dYe3ULlJgm969yhZKu4ZLoTqyM3AhvyrmRjBijxx3oSZPweXl_MrKyswyJA1YgFpcKGlUTjUSxotLtqPMZn4tj-_2nsHC7tdtHzA9HmVLZRFXR2Ty6fDlHgYxN5haET45fGSzWiPA8P-VLtfS-ypJqHrmea4f-tKogptm9DGWQ3s-zZjo7FB1wGZL29RK8Xht9YbsSKN7HoJ0DcrJCTqWKwAapOYXopyC1Pf6hUe049AYjSS_wYcu7YAYcbfx2aEyndOFglqSVO7862-3Ny98IiKnskPeYE4pqtE1wHuEAeXC4OopLbVI1LP28GRXPjy8GPSImqgPdjyvD-hmSUJJt&u=https%3A%2F%2Fbug1334377.bmoattachments.org%2Fattachment.cgi%3Fid%3D8836487><https://clicktime.symantec.com/a/1/80dDdC7HC5yMdzxfwRS0saqQ2kS5Tvwuo_kNWaXWLCI=?d=EzdV7X-pe5sih3AYTnIMlzBIT3AaPBWIYQF9wd5LbpGrImaYYowG0inKiozTFwfAeJMk8B2dt_4yENjH4IaBlGSfv3Nbn8GMpSPDtntAWmyx8q3PfDYHHU_bDfrHZGtmC5XInqf0-ck-FF9e6SGtIxb23Mc2kGZNy8eGAG1jAT1TAe21ybqhXxIvmlxFXmTHtVMR3YXXvHPdAlcwv8e83_rm24C4_wUeNtE5oJFsBljHikK-4oZ1OAUbs4kCgGUxt8c WaB75e0ZDlR_fb71_91rphEjG44uTwcWMGyYK07gsGTyfvKsUrvka6LTCQoX9d09q2fHeLb5TL3SPWUKa6B9_V5GfWubr-0rIMxR7-kT2QzmMrkTgl2YGGDT-rtrKWSZ_xCOsOuU3sp_ARcYoRPNHR1FUGD8%3D&u=https%3A%2F%2Fbug1334377.bmoattachments.org%2Fattachment.cgi%3Fid%3D8836487> [4] http://www.webtrust.org/licensed-webtrust-practitioners-international/item64419.aspx [5] https://cabforum.org/wp-content/uploads/CA-Browser-Forum-BR-1.4.1.pdf<https://clicktime.symantec.com/a/1/L6psBNZ-UXLAKLVgVk9O_5t6JV9qi4unxaZUvPpURyI=?d=7ylIQcW9MI3sm23dlF9kH0iQJbyD55FBGhRKwcFXib_4hIAJwQhgd3_24qB0coAv-SdkMKlUr1dYe3ULlJgm969yhZKu4ZLoTqyM3AhvyrmRjBijxx3oSZPweXl_MrKyswyJA1YgFpcKGlUTjUSxotLtqPMZn4tj-_2nsHC7tdtHzA9HmVLZRFXR2Ty6fDlHgYxN5haET45fGSzWiPA8P-VLtfS-ypJqHrmea4f-tKogptm9DGWQ3s-zZjo7FB1wGZL29RK8Xht9YbsSKN7HoJ0DcrJCTqWKwAapOYXopyC1Pf6hUe049AYjSS_wYcu7YAYcbfx2aEyndOFglqSVO7862-3Ny98IiKnskPeYE4pqtE1wHuEAeXC4OopLbVI1LP28GRXPjy8GPSImqgPdjyvD-hmSUJJt&u=https%3A%2F%2Fcabforum.org%2Fwp-content%2Fuploads%2FCA-Browser-Forum-BR-1.4.1.pdf><https://clicktime.symantec.com/a/1/7AUAkdAzUJ1un022RuP_TfjD3UiY12QGLjanVeGgxhk=?d=EzdV7X-pe5sih3AYTnIMlzBIT3AaPBWIYQF9wd5LbpGrImaYYowG0inKiozTFwfAeJMk8B2dt_4yENjH4IaBlGSfv3Nbn8GMpSPDtntAWmyx8q3PfDYHHU_bDfrHZGtmC5XInqf0-ck-FF9e6SGtIxb23Mc2kGZNy8eGAG1jAT1TAe21ybqhXxIvmlxFXmTHtVMR3YXXvHPdAlcwv8e83_rm24C4_wUeNtE5oJFsBljHikK-4oZ1OAU bs4kCgGUxt8cWaB75e0ZDlR_fb71_91rphEjG44uTwcWMGyYK07gsGTyfvKsUrvka6LTCQoX9d09q2fHeLb5TL3SPWUKa6B9_V5GfWubr-0rIMxR7-kT2QzmMrkTgl2YGGDT-rtrKWSZ_xCOsOuU3sp_ARcYoRPNHR1FUGD8%3D&u=https%3A%2F%2Fcabforum.org%2Fwp-content%2Fuploads%2FCA-Browser-Forum-BR-1.4.1.pdf> _______________________________________________ dev-security-policy mailing list dev-security-policy@lists.mozilla.org<mailto:dev-security-policy@lists.mozilla.org> https://lists.mozilla.org/listinfo/dev-security-policy _______________________________________________ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy