On Fri, Mar 31, 2017 at 4:38 PM, Ryan Sleevi via dev-security-policy
<dev-security-policy@lists.mozilla.org> wrote:
> On Fri, Mar 31, 2017 at 2:39 PM, Gervase Markham wrote:
>
>> As we continue to consider how best to react to the most recent incident
>> involving Symantec, and given that there is a question of whether it is
>> part of a pattern of behaviour, it seemed best to produce an issues list
>> as we did with WoSign. This means Symantec has proper opportunity to
>> respond to issues raised and those responses can be documented in one
>> place and the clearest overall picture can be seen by the community.
>
> (Wearing a Google hat)

(Wearing my normal personal non-work hat)

> In March of last year, Symantec provided us a list of five sub-CAs which
> they termed GeoRoots: Apple, Google, Unicredit, Aetna, NTT Docomo - and
> requested they be excluded from this requirement. We asked Symantec to
> provide current audit statements for each of these CAs.
>
> Symantec indicated that the audit information for these sub-CAs would be
> added to the CCADB. This was on 3/29.
>
> We then followed up with Symantec, again, because as of 6/28, there were
> several outstanding issues with Symantec's disclosures:
>
> - Apple IST CA 3 was not covered by the general set of Apple audits
> - No audit information for Aetna was provided, and its CPS was dated in 2011
> - No audit information for Unicredit was provided
> - NTT Docomo (DKHS and DKHS CA2) were disclosed as being part of Symantec's
> audit
>
> Upon follow-up, Symantec provided Aetna's WebTrust for BRs audit. On it,
> there were 15 qualifications, some of which would have spanned the totality
> of operation.
>
> Regarding Unicredit, Google requested that Symantec place us in direct
> contact with Unicredit. We had several calls with Unicredit's management
> team regarding the issues, attempting to find a path to see if they would
> be able to complete a Baseline Requirements audit.
>
> I want to share these details so that a fuller picture of the GeoRoot
> issues can be noted. Particularly concerning is the seriousness of the
> Aetna issues and the failure to remedy them, and the failure to identify
> the NTT Docomo (DKHS) roots as part of Symantec's infrastructure.
(some portions of the quoted text omitted)

Ryan,

I haven't reviewed the audit reports myself, but I'll assume all you
wrote is true.  However, I think it is important to consider it in the
appropriate context.

The GeoRoot program was very similar to that offered by many CAs a few
years ago.  CyberTrust (then Verizon, now DigiCert) has the OmniRoot
program, Entrust has a root signing program[1], and GlobalSign Trusted
Root[2] are just a few examples.

In almost every case the transition to requiring complete unqualified
audits of the subordinates by a licensed practitioner was a rocky one.
See DigiCert's thread
(https://groups.google.com/d/msg/mozilla.dev.security.policy/tHUcqnWPt3o/U2U__7-UBQAJ)
about the OmniRoot program or look at the audits available for some of
the Entrust subordinates.

I'm not suggesting that the GeoRoot subordinate issues should not be
considered, but it seems the GeoRoot program was not notably
exceptional a few years ago.

Thanks,
Peter

[1] https://web-beta.archive.org/web/20140818191044/http://www.entrust.net/about/third-party-sub-ca.htm
[2] https://www.globalsign.com/en/certificate-authority-root-signing/ and
    https://web-beta.archive.org/web/20101008151742/http://globalsign.com/certificate-authority-root-signing/
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy