Gerv,

Is there any update on
https://wiki.mozilla.org/CA:Symantec_Issues#STRUCK:_Issue_Y:_Unaudited_Unconstrained_Intermediates_.28December_2015_-_April_2017.29
?

I'm just wanting to understand how this relates to Mozilla's PKI policy and
expectations, and better understand why you struck it.

- The CP/CPS does not state adherence to the Baseline Requirements.
- The audit was only to "WebTrust Principles and Criteria for CAs v2.0" -
e.g. not BRs
- Seemingly excluded from scope of the audits are the following, for
https://crt.sh/?Identity=%25&iCAID=1384&exclude=expired, on the basis of
Footnote 1 in
https://www.symantec.com/content/en/us/about/media/repository/Symantec-NFSSP-WTCA_11-30-2016.pdf
  - https://crt.sh/?id=19602740
  - https://crt.sh/?id=19602709
  - https://crt.sh/?id=19602733
  - https://crt.sh/?id=19602720
  - https://crt.sh/?id=19602670
  - https://crt.sh/?id=19602679
  - https://crt.sh/?id=19602705
  - https://crt.sh/?id=19602730

Of critical relevance:
- If you examine the CPS that was audited,
https://www.symantec.com/content/en/us/about/media/repository/nf-ssp-pki-cps.pdf,
it notes in Appendix A.5 that the profile includes issuing certificates
with dNSName and iPAddress SANs, with the anyExtendedKeyUsage (or the
presence of more specific EKUs)

- If you examine Symantec's statements on this matter in
https://bugzilla.mozilla.org/attachment.cgi?id=8860216, they stated
"Under the Non-Federal SSP program, they are used to issue certificates for
Microsoft Windows domain controllers and IPSec endpoints." A Windows
Domain controller requires that it have id-kp-serverAuth, with a dNSName
SAN
(https://support.microsoft.com/en-us/help/291010/requirements-for-domain-controller-certificates-from-a-third-party-ca)

Thus, there is every indication that Symantec has issued certificates used
for SSL/TLS under these intermediates and failed to maintain the
appropriate audits, as required by Mozilla Policy.

Perhaps it might be useful to clarify, given that DigiCert and Verizon
have, since January, been operating under a different set of advice from
Mozilla: For a CA not "intended" to issue SSL/TLS certificates, but is
technically capable of doing so, and merely has not, what audits does
Mozilla expect around this? Further, does Mozilla expect a sampling audit
of 3% or a full audit of 100% with respect to whatever attestations are
made regarding the non-issuance of TLS certificates?

For your reference, this was
https://bugzilla.mozilla.org/show_bug.cgi?id=1335253, and you can find the
thread titled "RE: Audit of Belgian subordinates" dated Jan 6 to several of
the CA peers, including yourself.
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
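The argument in the message above rests on a certificate-profile test: an intermediate with no EKU restriction is "technically capable" of issuing TLS certificates, and a leaf with id-kp-serverAuth (or anyExtendedKeyUsage) plus a dNSName or iPAddress SAN is a TLS certificate whether or not it was "intended" as one. The following Go program is an added example (not code from the email, from Mozilla, or from Symantec) that encodes both checks using only the standard library and runs them over five constructed self-signed certificates; the names, the `Classify` labels, and the certificate contents are all hypothetical.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// tlsEKU reports whether an EKU list permits TLS server use. An absent EKU
// extension is unrestricted; id-kp-serverAuth and anyExtendedKeyUsage both
// qualify, matching the profile described in the thread.
func tlsEKU(ekus []x509.ExtKeyUsage) bool {
	if len(ekus) == 0 {
		return true
	}
	for _, e := range ekus {
		if e == x509.ExtKeyUsageServerAuth || e == x509.ExtKeyUsageAny {
			return true
		}
	}
	return false
}

// TLSCapable is true for a leaf that a TLS client would accept as a server
// certificate: a TLS-permitting EKU plus at least one dNSName or iPAddress SAN.
func TLSCapable(c *x509.Certificate) bool {
	return !c.IsCA && tlsEKU(c.ExtKeyUsage) && (len(c.DNSNames) > 0 || len(c.IPAddresses) > 0)
}

// TLSUnconstrainedCA is true for a CA certificate with no EKU restriction
// keeping it out of the TLS hierarchy, i.e. one whose issuance an auditor
// cannot exclude from BR scope on the basis of the certificate alone.
func TLSUnconstrainedCA(c *x509.Certificate) bool {
	return c.IsCA && tlsEKU(c.ExtKeyUsage)
}

// selfSigned turns a template into a throwaway self-signed certificate so
// the checks run offline on constructed input rather than on any real CA.
func selfSigned(tmpl *x509.Certificate) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl.SerialNumber = big.NewInt(1)
	tmpl.NotBefore = time.Now().Add(-time.Hour)
	tmpl.NotAfter = time.Now().Add(24 * time.Hour)
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// Classify builds five hypothetical profiles and returns the verdict for each.
func Classify() (map[string]bool, error) {
	ca := func(name string, ekus ...x509.ExtKeyUsage) *x509.Certificate {
		return &x509.Certificate{Subject: pkix.Name{CommonName: name}, IsCA: true,
			BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign, ExtKeyUsage: ekus}
	}
	cases := []struct {
		label string
		tmpl  *x509.Certificate
		check func(*x509.Certificate) bool
	}{
		// Intermediate with no EKU at all: unconstrained, so in TLS scope.
		{"ca-no-eku", ca("Hypothetical SSP Intermediate"), TLSUnconstrainedCA},
		// Intermediate limited to S/MIME: out of TLS scope.
		{"ca-email-only", ca("Hypothetical S/MIME Intermediate", x509.ExtKeyUsageEmailProtection), TLSUnconstrainedCA},
		// Domain-controller style leaf: serverAuth + dNSName SAN.
		{"dc-leaf", &x509.Certificate{Subject: pkix.Name{CommonName: "dc01.corp.example"},
			DNSNames:    []string{"dc01.corp.example"},
			ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth}}, TLSCapable},
		// IPSec endpoint style leaf: anyExtendedKeyUsage + iPAddress SAN.
		{"ipsec-leaf", &x509.Certificate{Subject: pkix.Name{CommonName: "vpn-gw-1"},
			IPAddresses: []net.IP{net.ParseIP("10.0.0.1")},
			ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}, TLSCapable},
		// S/MIME leaf that happens to carry a dNSName: EKU excludes TLS.
		{"smime-leaf", &x509.Certificate{Subject: pkix.Name{CommonName: "mail.corp.example"},
			DNSNames:    []string{"mail.corp.example"},
			ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageEmailProtection}}, TLSCapable},
	}
	out := map[string]bool{}
	for _, c := range cases {
		cert, err := selfSigned(c.tmpl)
		if err != nil {
			return nil, err
		}
		out[c.label] = c.check(cert)
	}
	return out, nil
}

func main() {
	res, err := Classify()
	if err != nil {
		panic(err)
	}
	for label, verdict := range res {
		fmt.Printf("%-14s tls-relevant=%v\n", label, verdict)
	}
}
```

The same two predicates can be pointed at real certificates (for example the crt.sh entries linked above, downloaded and fed to `x509.ParseCertificate`) to see which of an intermediate's issuances fall inside the scope an audit must cover; note that the EKU test deliberately treats a missing EKU extension as unrestricted, since that is how TLS clients treat it.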
