Re: Symantec Response X
On 10/04/2017 16:58, Steve Medin wrote:
> Issue X: Incomplete RA Program Remediation (February - March 2017)
>
> The only Symantec RAs capable of authorizing and issuing publicly trusted
> SSL/TLS certificates are: CrossCert, Certisign, Certsuperior and Certisur.
> Symantec continues to maintain a partner program for non-TLS certificates.
> E-Sign SA and MSC Trustgate are amongst these partners.

Please note that the Mozilla root program covers both SSL/TLS and e-mail certificates (with slightly different inclusion policies). Thus while the CABF BR rules may not apply to e-mail certificates, Mozilla root program requirements do apply to such certificates and the roots that are trusted to issue them.

Enjoy

Jakob

-- 
Jakob Bohm, CIO, Partner, WiseMo A/S.  https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded

___
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
Re: Symantec Response X
On 11/04/17 17:51, Ryan Sleevi wrote:
> Also, search SSL. Not TLS :)

Aha!

> Further, its CPS states
>
> "MSC Trustgate.com is a “Processing Center,” as described in CP § 1.1.2.1.2,
> which means MSC Trustgate.com has established a secure facility housing,
> among other things, CA systems, including the cryptographic modules holding
> the private keys used for the issuance of Certificates. MSC Trustgate.com
> acts as a CA in the STN and performs all Certificate lifecycle services of
> issuing, managing, revoking, and renewing Certificates."

That seems pretty clear. Perhaps Steve will be able to comment.

Gerv
Re: Symantec Response X
On Tue, Apr 11, 2017 at 12:33 PM, Gervase Markham via dev-security-policy <dev-security-policy@lists.mozilla.org> wrote:
>
> E-Sign's CPS URL is given in its audit statement as:
> https://www.e-sign.cl/uploads/cps_esign_388.pdf
>
> Grepping that document for "TLS" gives no hits. Can you help me some more?
>

"para Certificados de servidor Web" (for Web server certificates) - Table 4
Section 3.1.1.1 "subjectAltName" including type dNSName and iPAddress

Also, search SSL. Not TLS :)

> E-sign appear to be a Symantec SSL reseller:
> https://www.e-sign.cl/soluciones/seguridad
> but of course, I'm sure many companies are, and that's not necessarily a
> problem.
>

Sure, but then such activities would not be audited or part of its CP/CPS, as that would be handled by the issuing CA that performs these roles.

>
> MSC Trustgate's audit statement gives no CPS URL.
> https://cert.webtrust.org/SealFile?seal=2127=pdf

https://www.msctrustgate.com/repository.htm
https://www.msctrustgate.com/pdf/MSC%20Trustgate%20CPS%2001OCT2012%20V3%203%208%20final.pdf

Which has Symantec's logo on it. And states

"At this time, the domain-validated and organization-validated SSL Certificates issued by MSC Trustgate.com CAs under this CP are governed by the CABF Requirements."

Further, its CPS states

"MSC Trustgate.com is a “Processing Center,” as described in CP § 1.1.2.1.2, which means MSC Trustgate.com has established a secure facility housing, among other things, CA systems, including the cryptographic modules holding the private keys used for the issuance of Certificates. MSC Trustgate.com acts as a CA in the STN and performs all Certificate lifecycle services of issuing, managing, revoking, and renewing Certificates."
Re: Symantec Response X
On 11/04/17 16:23, Ryan Sleevi wrote:
> The audits mention the CP/CPS has been evaluated as part of the scope of
> the audit.

Yep, OK.

> The CP/CPS mentions the issuance of TLS certificates as part of the
> hierarchy. For example,
>
> "E-Sign provides its services in accordance with its Certificate Policy and
> Certification Practices Statement"

E-Sign's CPS URL is given in its audit statement as:
https://www.e-sign.cl/uploads/cps_esign_388.pdf

Grepping that document for "TLS" gives no hits. Can you help me some more?

E-sign appear to be a Symantec SSL reseller:
https://www.e-sign.cl/soluciones/seguridad
but of course, I'm sure many companies are, and that's not necessarily a problem.

MSC Trustgate's audit statement gives no CPS URL.
https://cert.webtrust.org/SealFile?seal=2127=pdf

However, it certainly appears to be true that this company offers a "Managed PKI for SSL" product:
https://www.msctrustgate.com/pdf/ManagedPKIforSSL_Agreement.pdf
and that they offer "VeriSign Class 3 organizational SSL Certificate"s, and let organizations apply for RA status within the Verisign Trust Network. The modification date of that document according to the webserver is 15th March 2012.

https://www.msctrustgate.com/product/ssl_id.htm also shows this.

They also have a Subscriber Agreement for SSL certificates:
https://www.msctrustgate.com/pdf/Class%203%20Organizational%20Certificate%20latest%20pdf.pdf
which are also "Symantec Class 3 organizational SSL Certificate"s.

The "Buy", "Renew" etc. links on the front page of https://www.msctrustgate.com/ for SSL certs are all 404. According to archive.org, they may have been that way for some time. Odd...

Steve?

Gerv
Re: Symantec Response X
On Tue, Apr 11, 2017 at 6:21 AM, Gervase Markham via dev-security-policy <dev-security-policy@lists.mozilla.org> wrote:
> Hi Ryan,
>
> On 10/04/17 17:20, Ryan Sleevi wrote:
> > 1) You stated that this partner program applies to non-TLS certificates.
> > The audit for both STN and for the RAs fails to make this distinction. For
> > example, audits are listed related to the issuance of TLS certificates.
>
> The audits linked to from the wiki page relating to E-Sign and MSC
> TrustGate don't seem to have any mention of TLS certificates. Can you
> explain which audits you are referring to above that do mention them?
>

The audits mention the CP/CPS has been evaluated as part of the scope of the audit.

The CP/CPS mentions the issuance of TLS certificates as part of the hierarchy. For example,

"E-Sign provides its services in accordance with its Certificate Policy and Certification Practices Statement"
Re: Symantec Response X
Hi Ryan,

On 10/04/17 17:20, Ryan Sleevi wrote:
> 1) You stated that this partner program applies to non-TLS certificates.
> The audit for both STN and for the RAs fails to make this distinction. For
> example, audits are listed related to the issuance of TLS certificates.

The audits linked to from the wiki page relating to E-Sign and MSC TrustGate don't seem to have any mention of TLS certificates. Can you explain which audits you are referring to above that do mention them?

> 2) What technical restrictions, if any, exist to ensure that RAs do not
> issue TLS certificates?

This is a good question.

Gerv
Symantec Response X
Issue X: Incomplete RA Program Remediation (February - March 2017)

The only Symantec RAs capable of authorizing and issuing publicly trusted SSL/TLS certificates are: CrossCert, Certisign, Certsuperior and Certisur. Symantec continues to maintain a partner program for non-TLS certificates. E-Sign SA and MSC Trustgate are amongst these partners.