On Tue, Mar 7, 2017 at 6:37 AM, Gervase Markham via dev-security-policy <
dev-security-policy@lists.mozilla.org> wrote:

> Policy Proposal 1: require all CAs to arrange it so that certs validated
> by an RA are issued from one or more intermediates dedicated solely to
> that RA, with such intermediates clearly labelled with the name of the
> RA in the Subject.
>
> If we enact Policy Proposal 1, that allows RAs to be cut off, and also
> provides a natural point for the CP/CPS and audits of the RA to be
> monitored in the CCADB, because they would be attached by the CA to the
> issuing intermediate for that RA.
>
> Symantec's oversight of their RAs was clearly inadequate; various forms
> of misissuance were not detected.
>
>
To make it simpler, wouldn't a Policy Proposal be to prohibit Delegated
Third Parties from participating in the issuance process? This would be
effectively the same, in as much as the only capability to allow a
third-party to participate in issuance is to operate a subordinate CA.

I think it's procedurally identical to Policy Proposal 1, but it clarifies
more explicitly that RAs are forbidden, and that all participants in the
issuance ecosystem have a specific set of obligations.


>
>
> Failures
> --------
>
> As noted by module peer Ryan Sleevi, this is not the first time Symantec
> has had difficulties with misissued "test" certificates. It is
> disappointing that investigations related to the last incident did not
> turn up the problems which have now been discovered. Various forms of
> investigation and remediation were not, apparently, applied to
> Symantec's RA network in the same way they were supposedly applied at
> Symantec.
>
> It seems to me that Symantec's claim is of lack of knowledge - that they
> contracted and trained CrossCert to do the right things, and the
> auditors said that they were, and they had no evidence that they were
> not, and so they assumed everything was fine. The question is whether
> that lack of knowledge amounts to negligence.
>
> Comments on this topic, with careful justification, are invited.
>
> [The alleged audit failures, as opposed to alleged failures by Symantec,
> will be discussed in a separate process.]
>

Gerv,

have you examined the most recent set of audits? Do you, in your capacity
as CA Certificate policy peer, believe the audits were correct for their
capability and role? Note that several of them were "WebTrust for CAs" -
not "WebTrust for CAs - SSL BR and Network Security". Do you believe that
complies with the letter of the Baseline Requirements?

Similarly, do you believe Symantec had an obligation to ensure the proper
licensing status of auditors, prior to accepting such audits?

I think these may represent important questions for Mozilla to determine,
in order to evaluate the fullness of the claim you have summarized, and I
think would equally apply if we were discussing externally-operated
subordinate CAs, correct?

Considering the capability afforded to these RAs - full certificate
issuance through independent domain validation - I'm curious whether you
believe this materially represents a practical distinction from the
issuance of an unconstrained subordinate CA, and how responsible the
issuing CA is for overseeing those operations.

How would Mozilla respond if in every case of "RA", it was replaced with
"Sub-CA"? That seems to be the guiding principle here, since they're
functionally indistinguishable in this case, except the RA brought with it
even greater risk, and lacked sufficient audit controls or technical
mitigations to prevent unauthorized access or ensure adequate logging.
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy