==Issue D: Test Certificate Misissuance (April 2009 - September 2015)==
Between 2009 and 2015, Symantec issued a large number of test certificates in their publicly trusted hierarchies. These contained domains that Symantec did not own or control, and for which domain validation was not performed. Some of these domains were unregistered, and others were owned by other organizations. Symantec assert that issuing test certificates for unregistered domains was not a BR violation before April 2014 (I am currently querying that assertion), but they continued the practice even after that date. The registered domains used included those belonging to Google and Opera Software. Given the numbers involved, this sort of test certificate issuance appears to have been common practice at Symantec. Some of the test certificates (including one for www.google.com) left Symantec's network because they were logged in CT. (Symantec claim that no certificates left their network; however, it's not clear how this can be true, and clarification is being sought.) However, Symantec personnel would have had access to the public and private keys of the certs.

Some details of this incident are recorded in {{bug|1214321}}.