On Sun, Apr 2, 2017 at 9:36 PM, Ryan Sleevi <r...@sleevi.com> wrote:
>
> On Sun, Apr 2, 2017 at 11:14 PM Peter Bowen via dev-security-policy
> <dev-security-policy@lists.mozilla.org> wrote:
>>
>> On Fri, Mar 31, 2017 at 11:39 AM, Gervase Markham via
>> dev-security-policy <dev-security-policy@lists.mozilla.org> wrote:
>> > As we continue to consider how best to react to the most recent incident
>> > involving Symantec, and given that there is a question of whether it is
>> > part of a pattern of behaviour, it seemed best to produce an issues list
>> > as we did with WoSign. This means Symantec has proper opportunity to
>> > respond to issues raised and those responses can be documented in one
>> > place and the clearest overall picture can be seen by the community.
>> >
>> > So I have prepared:
>> > https://wiki.mozilla.org/CA:Symantec_Issues
>> >
>> > I will now be dropping Symantec an email asking them to begin the
>> > process of providing whatever comment, factual correction or input they
>> > feel appropriate.
>> >
>> > If anyone in this group feels they have an issue which it is appropriate
>> > to add to the list, please send me email with the details.
>>
>> Gerv,
>>
>> I'm afraid that Issue V: RA Program Audit Issues (2013 or earlier -
>> January 2017) has confused RAs with subordinate CAs.
>>
>> According to
>> https://bug1334377.bmoattachments.org/attachment.cgi?id=8843448,
>> Symantec has indicated that they have (had) four unconstrained third
>> party RAs: CrossCert, Certisign, Certisur, and Certsuperior.  These
>> appear to fall into what the BRs call "Delegated Third Parties".  No
>> audit report seems to mention any issue with these RAs.
>>
>> Separately, Symantec-owned CAs have issued CA-certificates to several
>> CAs that are not operated by Symantec.  These appear to include at
>> least Apple, Google, the US Government, Aetna, and Unicredit.  The
>> audit reports linked from Issue V appear to have qualifications
>> regarding these CA-certificates.
>>
>> There are notable differences between third party owned CAs and third
>> party operated RAs and the difference should be clearly noted.
>>
>> Thanks,
>> Peter
>> _______________________________________________
>> dev-security-policy mailing list
>> dev-security-policy@lists.mozilla.org
>> https://lists.mozilla.org/listinfo/dev-security-policy
>
> Both
> https://www.symantec.com/content/en/us/about/media/repository/GeoTrust-WTBR-2015.pdf
> (Finding number 3) and
> https://www.symantec.com/content/en/us/about/media/repository/symantec-webtrust-audit-report.pdf
> (Finding number 1) call out Delegated Third Parties as lacking audits. This
> is called out separately from the matters related to sub-CAs, as
> "Furthermore".
>
> Given that at least some of the sub-CAs possessed and provided audits to
> Symantec, it does not seem to support your summary, but perhaps your point
> was misunderstood?

I think there are two parts:

1) There should be two different issues in the issues list -- one for
management of Subordinate CAs and one for management of unconstrained
RAs (i.e. Delegated Third Parties)

2) It is not clear that the audit reports for the GeoTrust brand roots
are calling out RAs as qualifications.  My read is that they were
considering the subordinate CAs as DTPs, not the RAs.  However I can
see the other interpretation as well.

Thanks,
Peter