On 2017-05-08 14:24, Gervase Markham wrote:

1) Did any of the RAs in your program (CrossCert and co.) have the
technical ability to independently issue EV certificates? If they did
not not, given that they had issuance capability from intermediates
which chained up to EV-enabled roots, what technical controls prevented
them from having this capability?

It has a duplicate "not" there.

Issue Y
-------

3) Does Symantec agree that "VeriSign Class 3 SSP Intermediate CA - G2"
and "Symantec Class 3 SSP Intermediate CA - G3", can issue certs which
are trusted for SSL/TLS in Mozilla products (by chaining up to "VeriSign
Universal Root Certification Authority") and yet do not have BR audits?

I'm wondering if the intermediate CA certificates recently published in CT should have their own issue. As far as I know they should have been disclosed much earlier. It seems that (at least now) they're all either revoked by CRL on the 5th of May (but not disclosed as revoked) or expired except for one (https://crt.sh/?id=132854209).

I think they're all from "VeriSign Class 3 SSP Intermediate CA", not G2 or G3, except that one that's not revoked.

4) These two intermediates have a number of sub-intermediates. Does
Symantec agree that not all of these sub-intermediates are within the
scope of even Symantec's NFSSP Webtrust for CAs audit?[1] If so, how
many are in scope and how many are out of scope? If they are all in
scope, why are they not listed in the audit document?

The audit document says: "and the Symantec Non-Federal SSP – customer specific CAs (collectively referred to as the “Non-Federal SSP CAs”)."

For which it then says that "our examination did not extend to the controls of external registration authorities."

The management assertion also says:
"Controls have inherent limitations, including the possibility of human error and the circumvention or overriding of controls. Accordingly, even effective controls can provide only reasonable assurance with respect to Symantec’s Non-Federal SSP CA operations. Furthermore, because of changes in conditions, the effectiveness of controls may vary over time."


Kurt

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy