On Thu, Mar 9, 2017 at 1:34 PM, Steve Medin via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote:
> In the case of CrossCert, where we have evidence of failure to properly
> document their work, we are NOT relying on their previous work and have
> begun fully revalidating all active certificates. In the cases of the other
> 3 RAs, our focus is reviewing all of the work previously done to verify
> that it can, in fact, be relied upon and/or determine where full
> revalidation, without relying on the prior work of the RA, is warranted, if
> at all.

Steve,

While I appreciate your reply, I think it highlights precisely the concern about whether or not Symantec is qualified and/or should be trusted to make this determination, given that Symantec is in possession of documented evidence from one of their other RA partners about a failure to properly document their work and to ensure the authenticity of what was documented.

Given your reply above, I think it's reasonable for readers to conclude that Symantec's Compliance Team, despite having been alerted to these issues on February 8, and having been aware of them for far longer, has decided that they are not significant. I'm not sure how such a conclusion is consistent with the information provided, and eagerly await any explanation Symantec may offer.

Further, you have acknowledged that at least one auditor lacked sufficient skill and licensing to perform the audit. It is also clear that one or more of these RA partners was not audited with respect to "WebTrust Principles and Criteria for Certification Authorities - SSL Baseline with Network Security", and as such, lacks effective demonstration of adherence to the security-relevant Principles and Criteria contained therein, only having produced audits to the effect of "WebTrust Principles and Criteria for Certification Authorities".
As demonstrated by the historical audits, the issues presented span multiple years, so even where remediation plans may have been effected for one or more of these delegated third parties, such plans do not retroactively 'correct' any misissuance or bad data logged in such systems.

Finally, I am uncertain how any of Symantec's proposal is consistent with its CP/CPS, which incorporates the Baseline Requirements. In particular, Symantec has now had six weeks, and still has failed to abide by the terms of Section 4.9.1.1 regarding these 30,000 certificates.

Regardless of the next steps Symantec may take, I think it's reasonable to suggest that these are all extremely important for members of the community to carefully contemplate, and all of them rest specifically with actions and statements made by Symantec since this investigation began, rather than the RA partners.