Re: Symantec Issues doc updated
On 11/04/17 23:07, Jakob Bohm wrote: > Please consider the fact that this is Easter week, and most of the > industry, including many people (on both the Browser and Symantec sides > of the process) are likely to be unavailable for precisely this week of > the entire year. > > In general, sending deadline mails (by paper, e-mail, process server or > otherwise) to anyone during a public holiday demanding actions during > that holiday is considered morally deficient at a minimum. That seems hyperbolic. However, your point is well taken. I have emailed Symantec to put back the deadline to 23:59 UTC on Thu 20th April. Gerv ___ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy
Re: Symantec Issues doc updated
On 11/04/2017 18:53, Gervase Markham wrote: On 11/04/17 17:34, Ryan Sleevi wrote: Can you clarify what issues you believe this to be related? That is a fair question. And also hard work to answer :-) Given that Symantec has a routine habit of exceeding any reasonable deadline for response, at what point do you believe it is appropriate for the Mozilla Root Store to begin discussing what steps can or should be taken with respect to the documented and supported incidents, which Symantec has not provided counter-factual data? Yes, fair enough. Rick and Steve: I will be taking Symantec's statements to this group as of one week from today as the sum total of what you have to say on the subjects under discussion. After that point, we will draw conclusions based on the available data and decide on what course of action we may take. I hope that by then you will be able to answer my 8 questions, and provide responses or comments to any of Ryan's or other people's questions that you wish to address. Kathleen is on vacation this week, and so no decisions could be taken until next week at the earliest anyway. Please consider the fact that this is Easter week, and most of the industry, including many people (on both the Browser and Symantec sides of the process) are likely to be unavailable for precisely this week of the entire year. In general, sending deadline mails (by paper, e-mail, process server or otherwise) to anyone during a public holiday demanding actions during that holiday is considered morally deficient at a minimum. Enjoy Jakob -- Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10 This public discussion message is non-binding and may contain errors. WiseMo - Remote Service Management for PCs, Phones and Embedded ___ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy
Re: Symantec Issues doc updated
>Within a few days of discovering these issues they shut down their
>entire RA program. That seems pretty swift and comprehensive to me. The
>fact that they didn't discover these issues for years is clearly a
>problem, but it's not the same problem.
I don't believe that's a fair characterization--looking at
https://knowledge.symantec.com/support/ssl-certificates-support/index?page=content=INFO4154
it was more like "After approximately 3 weeks (Jan 19-Feb 12) they *decided* to
shut down their RA program."
("we have made the decision to terminate our partner RA program. We will
continue to work with select partners that have local market contacts and
expertise to facilitate an interface with customers and collection of relevant
documentation, however Symantec personnel will validate 100% of all asserted
identity data and control certificate issuance going forward. We have
communicated this change to each of our RA partners, we are finalizing a
transition plan, and intend to implement that transition quickly.")
Their latest update (approximately 3 months from the initial report) is that
"Symantec announced the decision to wind down the RA program for publicly
trusted SSL/TLS."
https://groups.google.com/forum/#!msg/mozilla.dev.security.policy/dVMxrUVygS0/xeUCJ1kmDQAJ
While Symantec re-validating each issued cert from their RA's is good, and it
appears CrossCert is fully terminated, they clearly have not "shut down their
entire RA program."
On Tuesday, April 11, 2017 at 12:53:56 PM UTC-4, Gervase Markham wrote:
> On 11/04/17 17:34, Ryan Sleevi wrote:
> > Can you clarify what issues you believe this to be related?
>
> That is a fair question. And also hard work to answer :-)
>
> > Given that Symantec has a routine habit of exceeding any reasonable
> > deadline for response, at what point do you believe it is appropriate for
> > the Mozilla Root Store to begin discussing what steps can or should be
> > taken with respect to the documented and supported incidents, which
> > Symantec has not provided counter-factual data?
>
> Yes, fair enough. Rick and Steve: I will be taking Symantec's statements
> to this group as of one week from today as the sum total of what you
> have to say on the subjects under discussion. After that point, we will
> draw conclusions based on the available data and decide on what course
> of action we may take. I hope that by then you will be able to answer my
> 8 questions, and provide responses or comments to any of Ryan's or other
> people's questions that you wish to address.
>
> Kathleen is on vacation this week, and so no decisions could be taken
> until next week at the earliest anyway.
>
> > It's unclear from your remark "Started to draw some conclusions where that
> > is warranted" what you see as the process and next steps. Perhaps you could
> > clarify what you imagine happening next, and on what timeline, to provide
> > clarity both to Symantec and the general population here. I must admit, I'm
> > quite confused as to where things stand, given that many items have
> > conclusions to them.
>
> See above. After one week, I will be taking stock of the assembled
> evidence, and will invite community members also to draw conclusions. I
> will then present a recommendation for what we should do next. As you
> know, Mozilla's process is a little fuzzy around the edges, but Kathleen
> is the final decision maker. (And she doesn't always agree with me :-)
>
> > With respect to the conclusion to Issue T "Symantec's reaction to the
> > discovery of these problems was unarguably swift and comprehensive.", I
> > would disagree with this. Symantec's response was not swift, relative to
> > other CAs that have been informed of issues. It was not comprehensive -
> > Symantec failed to identify the issues until question, and still maintains,
> > in the latest response, that there is a conclusion unsupported by the
> > evidence they have shared with the community. Their timeline for
> > responsiveness was not swift - we're still discussing this specific issue,
> > and it was first reported on Issue T. I would be happy to find evidence of
> > issues from other CAs that demonstrate a more thorough response or a more
> > timely response.
>
> Within a few days of discovering these issues they shut down their
> entire RA program. That seems pretty swift and comprehensive to me. The
> fact that they didn't discover these issues for years is clearly a
> problem, but it's not the same problem.
>
> > With respect to the conclusion to Issue T, "Their case is that WebTrust
> > audit monitoring should have been sufficient," it's unclear if you are
> > agreeing with that conclusion or simply stating Symantec claims.
>
> Stating Symantec's claims.
>
> > With respect to the conclusion to Issue V,
>
> That's not part of my conclusion, that's a quotation from Symantec which
> I need to check the accuracy of with Kathleen.
>
> > "to specifically address the
> >
Re: Symantec Issues doc updated
On Tue, Apr 11, 2017 at 12:53 PM, Gervase Markham via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > > "to specifically address the > > GeoRoot audit status and remediation plan" - this was not reflected > within > > https://www.symantec.com/content/en/us/about/media/ > repository/23_Symantec_GeoTrust_WTBR_period_end_11-30-2016.pdf > > , the relevant audit for the roots, ending on 2016-11-30. > > I'm a little confused - I think Symantec are saying that the cover > letter explains the plan to wind down the two sub-CAs, not that the > audit does? I believe you are correct that they are claiming the letter sent addresses that. I am highlighting, however, that such a statement was not recorded in their audit, despite it being a violation of the Baseline Requirements during the period of time in the audit. That is, if you are accepting that such a letter is relevant to the discussion (and I believe it's fair to consider it as part of that), then you should also consider as relevant to the conversation the failure to either disclose that to the auditors or for the auditors to note that (whichever it may be). ___ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy
Re: Symantec Issues doc updated
On 11/04/17 17:34, Ryan Sleevi wrote: > Can you clarify what issues you believe this to be related? That is a fair question. And also hard work to answer :-) > Given that Symantec has a routine habit of exceeding any reasonable > deadline for response, at what point do you believe it is appropriate for > the Mozilla Root Store to begin discussing what steps can or should be > taken with respect to the documented and supported incidents, which > Symantec has not provided counter-factual data? Yes, fair enough. Rick and Steve: I will be taking Symantec's statements to this group as of one week from today as the sum total of what you have to say on the subjects under discussion. After that point, we will draw conclusions based on the available data and decide on what course of action we may take. I hope that by then you will be able to answer my 8 questions, and provide responses or comments to any of Ryan's or other people's questions that you wish to address. Kathleen is on vacation this week, and so no decisions could be taken until next week at the earliest anyway. > It's unclear from your remark "Started to draw some conclusions where that > is warranted" what you see as the process and next steps. Perhaps you could > clarify what you imagine happening next, and on what timeline, to provide > clarity both to Symantec and the general population here. I must admit, I'm > quite confused as to where things stand, given that many items have > conclusions to them. See above. After one week, I will be taking stock of the assembled evidence, and will invite community members also to draw conclusions. I will then present a recommendation for what we should do next. As you know, Mozilla's process is a little fuzzy around the edges, but Kathleen is the final decision maker. (And she doesn't always agree with me :-) > With respect to the conclusion to Issue T "Symantec's reaction to the > discovery of these problems was unarguably swift and comprehensive.", I > would disagree with this. Symantec's response was not swift, relative to > other CAs that have been informed of issues. It was not comprehensive - > Symantec failed to identify the issues until question, and still maintains, > in the latest response, that there is a conclusion unsupported by the > evidence they have shared with the community. Their timeline for > responsiveness was not swift - we're still discussing this specific issue, > and it was first reported on Issue T. I would be happy to find evidence of > issues from other CAs that demonstrate a more thorough response or a more > timely response. Within a few days of discovering these issues they shut down their entire RA program. That seems pretty swift and comprehensive to me. The fact that they didn't discover these issues for years is clearly a problem, but it's not the same problem. > With respect to the conclusion to Issue T, "Their case is that WebTrust > audit monitoring should have been sufficient," it's unclear if you are > agreeing with that conclusion or simply stating Symantec claims. Stating Symantec's claims. > With respect to the conclusion to Issue V, That's not part of my conclusion, that's a quotation from Symantec which I need to check the accuracy of with Kathleen. > "to specifically address the > GeoRoot audit status and remediation plan" - this was not reflected within > https://www.symantec.com/content/en/us/about/media/repository/23_Symantec_GeoTrust_WTBR_period_end_11-30-2016.pdf > , the relevant audit for the roots, ending on 2016-11-30. I'm a little confused - I think Symantec are saying that the cover letter explains the plan to wind down the two sub-CAs, not that the audit does? Gerv ___ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy
Re: Symantec Issues doc updated
On Tue, Apr 11, 2017 at 6:49 AM, Gervase Markham via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > I have attempted to integrate the information provided by Symantec into: > https://wiki.mozilla.org/CA:Symantec_Issues > and started to draw some conclusions where that is warranted. > > There are of course still open questions from myself, Ryan and others, > and so the truth relating to some incidents is not yet clear. > Can you clarify what issues you believe this to be related? Many of my questions related to Symantec's approach to handling incidents, which were unaddressed or meaningfully deficient in ways that undermines trust substantially, but were limited related to the material facts. The only point where I believe Symantec disagreed with the summary was Issue W, but it does not appear Symantec was bothered to support that claim with objective data, rather than with statements. That is, that Symantec disagrees is useful to know, but if Symantec has failed to provide any evidence with that disagreement, I do not believe it should block reaching a conclusion. Given that Symantec has a routine habit of exceeding any reasonable deadline for response, at what point do you believe it is appropriate for the Mozilla Root Store to begin discussing what steps can or should be taken with respect to the documented and supported incidents, which Symantec has not provided counter-factual data? Does the Mozilla Root Program seek to consider the intent of the CA that violated the Baseline Requirements repeatedly for a span of several years? If so, does it have a process at which point it will stop considering feedback, versus allowing a CA to indefinitely delay meaningful action to protect users? It's unclear from your remark "Started to draw some conclusions where that is warranted" what you see as the process and next steps. Perhaps you could clarify what you imagine happening next, and on what timeline, to provide clarity both to Symantec and the general population here. I must admit, I'm quite confused as to where things stand, given that many items have conclusions to them. With respect to the conclusion to Issue T "Symantec's reaction to the discovery of these problems was unarguably swift and comprehensive.", I would disagree with this. Symantec's response was not swift, relative to other CAs that have been informed of issues. It was not comprehensive - Symantec failed to identify the issues until question, and still maintains, in the latest response, that there is a conclusion unsupported by the evidence they have shared with the community. Their timeline for responsiveness was not swift - we're still discussing this specific issue, and it was first reported on Issue T. I would be happy to find evidence of issues from other CAs that demonstrate a more thorough response or a more timely response. With respect to the conclusion to Issue T, "Their case is that WebTrust audit monitoring should have been sufficient," it's unclear if you are agreeing with that conclusion or simply stating Symantec claims. With respect to the conclusion to Issue V, "to specifically address the GeoRoot audit status and remediation plan" - this was not reflected within https://www.symantec.com/content/en/us/about/media/repository/23_Symantec_GeoTrust_WTBR_period_end_11-30-2016.pdf , the relevant audit for the roots, ending on 2016-11-30. Do you believe this should play in with any determination about the reliability of KPMG audits (to discover this) and/or to Symantec (to disclose this to their auditors)? ___ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy
Symantec Issues doc updated
I have attempted to integrate the information provided by Symantec into: https://wiki.mozilla.org/CA:Symantec_Issues and started to draw some conclusions where that is warranted. There are of course still open questions from myself, Ryan and others, and so the truth relating to some incidents is not yet clear. Please let me know if you see that I have included anything inaccurate or misleading, or if an entry seems incomplete. Gerv ___ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy
