On Tue, Apr 11, 2017 at 12:42 PM, Gervase Markham via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote:
> In various rounds of questioning at the time we were focussing purely on
> this incident, I asked Symantec what processes they had in place for
> checking that the RAs were doing what they should. Their answer was
> "WebTrust audits". So I believe they have already said that no such
> examination was done. I'm sure they'd be happy to clarify, though.

In attempting to make an objective evaluation of the trustworthiness of Symantec, in either its past operations or as a future predictor, we essentially need to understand

1) That Symantec understood the gravity of the situation
2) That Symantec took it seriously and responded appropriately relative to the trust it was granted
3) That Symantec remains committed to doing so in the future, and with specific plans to identify and remedy the issues

On the basis of the information provided, I see no reason to believe the answer to #1 is that they did not (or that they "disagreed"), the answer to #2 is that "They did not", and the answer to #3 is "They are not, and have no specific plans".

Symantec is asserting its processes were trustworthy, but the evidence provided wholly contradicts that conclusion (in my opinion). I'm looking to develop a meaningful understanding of what Symantec did, so that it can demonstrate that what it did was reasonable and expected, or to acknowledge there were deficiencies that have a remediation plan. The current statement appears to be that the processes were appropriate and no deficiencies - despite the Baseline Requirements clearly contradicting this - and thus it seems appropriate to suggest that Symantec should not be trusted and/or have its trust meaningfully reduced to negate the impact that these deficient practices have on the ecosystem.

The burden is two-fold:

1) Are the facts correct? It does not appear Symantec has disputed these, except with respect to the RA partner audits (for which it provided evidence that supports the current conclusions and refutes their disagreement).
2) Are there plans for the future, or an approach to the past, that is meaningful to consider when evaluating the trustworthiness? At present, Symantec's not shared such, beyond the RA remediation plans, which are at conflict with the Baseline Requirements, its CP/CPS, and its Subscriber Agreements.