Hi Steve,

Thank you for this. Issue V was indeed somewhat confused - my apologies.
I have split it into Issue V, covering GeoRoot, and Issue W, covering
the RAs.

On 10/04/17 15:58, Steve Medin wrote:
> Separately, Symantec operates two subordinate CAs solely for NTT
> DoCoMo in an enterprise PKI application. These subordinate CAs had
> been considered part of the "GeoRoot" program as well, and we had
> therefore excluded them (similar to the above externally operated
> ones) from the list of Symantec CAs in our audits.

If they were excluded from the Symantec audit, and were not one of the
five GeoRoot partners who had their own audits, did these subordinate
CAs fall under any audit at all in this period?

> Symantec provided the letter quoted below to Google, Mozilla,
> Microsoft, and Apple when we shared the Point in Time Audits on
> September 6, 2016 to specifically address the GeoRoot audit status
> and remediation plan.

Without seeming to doubt your word, can you tell me how you supplied
such a letter? Was it to certifica...@mozilla.org or directly to
Kathleen? A quick search can't find it in my email archive, so a
recipient, Subject and Date for the communication would be most appreciated.

> All of Certisign's audits are both WebTrust for CAs and SSL Baseline
> and were unqualified.

The Certisign audit provided was this one:
https://bug1334377.bmoattachments.org/attachment.cgi?id=8831929

It does say that Certisign complied with the Network Security Guidelines
but doesn't mention the BRs and, somewhat confusingly, also says:

"This report does not include any representation as to the quality of
CERTISIGN - CA's services beyond those covered by the Trust Service
Principles and Criteria for Certification Authorities..."

which suggests this audit is only a WebTrust for CAs audit, not a BR
audit. Are there audit documents missing which show that they were
BR-audited? Can you clarify?

> Certsuperior's audits state that their scope was WebTrust for SSL
> Baseline but do not state WebTrust for CAs. Prior to 2016,
> Certsuperior provided WebTrust SSL Baseline audits from an unlicensed
> auditor. Symantec's compliance organization identified the issue in
> 2016. For 2016, Certsuperior provided a qualified audit by Deloitte,
> a WebTrust licensed auditor in Mexico. Certsuperior's audit led to
> immediate sanction to solve the issues detected within 90 days and to
> provide a Point in Time audit. They provided such audit and it was
> unqualified. Further, Deloitte is required to examine certificate
> issuance as a normal part of the WebTrust program and they did not
> cite any problems with Certsuperior's validation work in either
> audit. Accordingly, we believe certificate issuance was inspected.

Are you saying that none of the deficiencies identified at Certsuperior,
in Symantec's view, had a material effect on the quality of certificate
issuance?

Given that Deloitte pointed out that the CPS was illegible and there was
a "lack of implemented and documented control for requested validations
sent by authorized personnel", on what grounds do you state that
"Deloitte ... did not cite any problems with Certsuperior's validation
work"? If they can't read the CPS, how can they tell if Certsuperior is
following it?

> Certisur's audits were WebTrust for CAs only. Symantec's compliance
> organization identified the issue and has requested that Certisur's
> next audit for calendar year 2016 explicitly include the criteria in
> both WebTrust for CAs and WebTrust Baseline.  All audits received
> were unqualified and performed by a licensed WebTrust auditor.

How long has it been the case that they did not have a BR audit?

> CrossCert's audits were WebTrust for CAs only through 2015. 

Same question.

Does Symantec agree that these RAs should have had a Baseline audit for
all periods when they were operating?

Gerv
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy