On 2017-05-08 14:24, Gervase Markham wrote:
> 1) Did any of the RAs in your program (CrossCert and co.) have the
> technical ability to independently issue EV certificates? If they did
> not not, given that they had issuance capability from intermediates
> which chained up to EV-enabled roots, what technical controls prevented
> them from having this capability?

It has a duplicate "not" there.

> Issue Y
> -------
> 3) Does Symantec agree that "VeriSign Class 3 SSP Intermediate CA - G2"
> and "Symantec Class 3 SSP Intermediate CA - G3", can issue certs which
> are trusted for SSL/TLS in Mozilla products (by chaining up to "VeriSign
> Universal Root Certification Authority") and yet do not have BR audits?

I'm wondering if the intermediate CA certificates recently published in
CT should have their own issue. As far as I know they should have been
disclosed much earlier. It seems that (at least now) they're all either
revoked by CRL on the 5th of May (but not disclosed as revoked) or
expired except for one (https://crt.sh/?id=132854209).

I think they're all from "VeriSign Class 3 SSP Intermediate CA", not G2
or G3, except that one that's not revoked.

> 4) These two intermediates have a number of sub-intermediates. Does
> Symantec agree that not all of these sub-intermediates are within the
> scope of even Symantec's NFSSP Webtrust for CAs audit?[1] If so, how
> many are in scope and how many are out of scope? If they are all in
> scope, why are they not listed in the audit document?
The audit document says: "and the Symantec Non-Federal SSP – customer
specific CAs (collectively referred to as the “Non-Federal SSP CAs”)."
For which it then says that "our examination did not extend to the
controls of external registration authorities."
The management assertion also says:
"Controls have inherent limitations, including the possibility of human
error and the circumvention or overriding of controls. Accordingly, even
effective controls can provide only reasonable assurance with respect
to Symantec’s Non-Federal SSP CA operations. Furthermore, because of
changes in conditions, the effectiveness of controls may vary over time."
Kurt
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy