(First set of updates from Symantec)

Line 230:

==Issue V: GeoRoot Program Audit Issues (2013 or earlier - January 2017)==

Symantec runs a program called GeoRoot, where intermediate CAs have been created for the sole use and independent operation by specific customers at premises under their control. Some of these customers appear to have had a history of poor compliance with the BRs and other audit requirements.

Over multiple years ([https://www.symantec.com/content/en/us/about/media/repository/symantec-webtrust-audit-report.pdf 2013-12-01 to 2014-11-30], [https://www.symantec.com/content/en/us/about/media/repository/GeoTrust-WTBR-2015.pdf 2014-12-01 to 2015-11-30]), Symantec's "GeoTrust" audits were qualified to say that they did not have proper audit information for some of these GeoRoot customers. This information was in their management assertions, and repeated in the audit findings. So the poor audit situation was ongoing and known.

Line 242:

===Symantec Response===

* Symantec state: "Intel's subordinate CA, which expired in 2016, was not subject to audits either contractually or by previous agreements with both Mozilla and Microsoft given its limited use." -- Need to check with Kathleen.
* Symantec state: "Symantec provided the letter quoted below to Google, Mozilla, Microsoft, and Apple when we shared the Point in Time Audits on September 6, 2016 to specifically address the GeoRoot audit status and remediation plan. That cover letter outlined the plan to wind down the Aetna and UniCredit subordinate CAs." -- Need to check with Kathleen.

If Symantec did indeed notify us of this situation and we made no comment, that is a relevant fact.

===Open Questions===

* Does this mean the NTT DoCoMo intermediates were entirely unaudited for a period of years?

==Issue W: RA Program Audit Issues (2013 or earlier - January 2017)==