(Further expansion) |
(Yet more work) |
Line 35: | Line 35: | ||
==Issue XXX: Audit Issues For Symantec Itself (December 2014 - November 2015)== | ==Issue XXX: Audit Issues For Symantec Itself (December 2014 - November 2015)== | ||
All of Symantec's current audit reports can be found in their [https://www.symantec.com/about/legal/repository.jsp legal repository]. I don't believe they provide links to historic versions. Symantec's standard audit period is from December 1st to November 31st. We would therefore expect their 2016 audit to be available by now. However Symantec regularly only supplies their audit reports more than 180 days after the audit has been completed. The Baseline Requirements section 8.6 says that CAs SHOULD provide them in 90 days or fewer. Symantec is not the only CA which regularly supplies its audits late. | |||
# Issuance of Internal Server Names | The most recent available Baseline Requirements audits for Symantec's [https://www.symantec.com/content/en/us/about/media/repository/GeoTrust-WTBR-2015.pdf GeoTrust roots] and their [https://www.symantec.com/content/en/us/about/media/repository/Symantec-Thawte-WTBR-2015.pdf Symantec and Thawte roots] run from December 1st, 2014 to November 30th, 2015. In those audits, the management assertions (and thereby the auditors) call out the following violations of the Baseline Requirements or Network Security Guidelines: | ||
# Issuance of Internal Server Names past the deadline date | |||
# Test certificates issued for domains Symantec did not own or control (see above) | # Test certificates issued for domains Symantec did not own or control (see above) | ||
# No audit report, or invalid audit report, obtained for 3 of 5 external partner sub-CAs | # No audit report, or invalid audit report, obtained for 3 of 5 external partner sub-CAs (GeoTrust only) | ||
# Failure to maintain physical security records for an appropriate period of time | # Failure to maintain physical security records for an appropriate period of time | ||
# Unauthorized employees with access to certificate issuance capability | # Unauthorized employees with access to certificate issuance capability | ||
# Failure to review application and system logs | # Failure to review application and system logs | ||
The [https://www.symantec.com/content/en/us/about/media/repository/Symantec-STN-WTCA-2015.pdf | The nost recent available WebTrust for CAs audits for Symantec's [https://www.symantec.com/content/en/us/about/media/repository/Symantec-STN-WTCA-2015.pdf Verisign and own-brand roots], their [https://www.symantec.com/content/en/us/about/media/repository/Thawte-WTCA-2015.pdf Thawte roots] and their [https://www.symantec.com/content/en/us/about/media/repository/GeoTrust-WTCA-2015.pdf GeoTrust roots] run from December 1st, 2014 to November 30th, 2015. In those audits, the management assertions (and thereby the auditors) call out the following violations: | ||
# Background checks not renewed for trusted personnel | # Background checks not renewed for trusted personnel | ||
# Unauthorized employees with access to certificate issuance capability | # Unauthorized employees with access to certificate issuance capability | ||
# Failure to maintain physical security records for an appropriate period of time | # Failure to maintain physical security records for an appropriate period of time (GeoTrust only) | ||
# Test certificates issued for domains Symantec did not own or control (see above) | # Test certificates issued for domains Symantec did not own or control (see above) | ||
Of these, only the 'background checks' issue is not a repeat of an issue raised in the BR audits. | |||
The most-recently available Extended Validation audits for Symantec's [https://www.symantec.com/content/en/us/about/media/repository/Symantec-STN-WTEV-2015.pdf Verisign and own-brand roots], their [https://www.symantec.com/content/en/us/about/media/repository/Thawte-WTEV-2015.pdf Thawte roots] and their [https://www.symantec.com/content/en/us/about/media/repository/GeoTrust-WTEV-2015.pdf GeoTrust roots] run from December 1st, 2014 to November 30th, 2015. In those audits, the management assertions (and thereby the auditors) call out the 'test certificates' and the 'physical security records' issues which are noted above. | |||
===Symantec Response=== | ===Symantec Response=== | ||
Each of the documents contains, in a following table, Symantec's comments on the qualifications and what they have done or are doing to remedy them. | |||
Mozilla did not object to these qualifications in Symantec's audits at the time the audit documentation was submitted to us. Because of this, it is not reasonable for us to take action based on the mere existence of these qualifications. They are listed here because they are one part of the general picture of Symantec's compliance or otherwise with the BRs. | |||
==Issue XXX: SHA-1 Issuance After Deadline (January 2016)== | ==Issue XXX: SHA-1 Issuance After Deadline (January 2016)== | ||
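Review bot: the added opening paragraph of this hunk gives Symantec's standard audit period as "December 1st to November 31st", but November has 30 days and the next paragraph itself gives the period as "December 1st, 2014 to November 30th, 2015"; change it to "November 30th". In the same hunk, "The nost recent available WebTrust for CAs audits" should read "The most recent available", and the Extended Validation paragraph's "most-recently available" should use the same wording as the two paragraphs above it so the three audit summaries read in parallel.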
Line 136: | Line 144: | ||
* Violation of CPS (use of non-KR country code) | * Violation of CPS (use of non-KR country code) | ||
Some of these misissuance were caused by employees of | Some of these misissuance were caused by employees of CrossCert overriding compliance flags in Symantec's issuance system. Symantec had no process in place to review the logs of overridden flags. For some of the certs, they contained domains neither Symantec nor CrossCert own or control, and CrossCert did not complete the appropriate domain validations for them. | ||
This incident is recorded in {{bug|1334377}}. | This incident is recorded in {{bug|1334377}}. | ||
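Review bot: grammar in the rewritten paragraph: "Some of these misissuance were caused" should be "Some of these misissuances were caused", and "For some of the certs, they contained domains neither Symantec nor CrossCert own or control" reads more cleanly as "Some of the certs contained domains that neither Symantec nor CrossCert own or control". The final clause, "and CrossCert did not complete the appropriate domain validations for them", then follows that sentence directly.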
Line 142: | Line 150: | ||
===Symantec Response=== | ===Symantec Response=== | ||
Symantec made a number of comments on this issue - [https://bug1334377.bmoattachments.org/attachment.cgi?id=8831038 0], [https://bug1334377.bmoattachments.org/attachment.cgi?id=8831933 1], [https://bug1334377.bmoattachments.org/attachment.cgi?id=8831933 2], [https://bug1334377.bmoattachments.org/attachment.cgi?id=8838825 3], [https://bug1334377.bmoattachments.org/attachment.cgi?id=8843448 4]. | |||
The Baseline Requirements, in section 4.9.1.1 item 9, state that the CA SHALL revoke a certificate if "The CA is made aware that the Certificate was not issued in accordance with these Requirements or the CA’s Certificate Poliy or Certification Practice Statement". However, Symantec did not revoke all the certificates. | |||
Instead, Symantec decided to shut down the RA program entirely and re-assess every certificate issued under it. Symantec committed to revalidating all of the CrossCert-issued certificates (10,000+) and any of the 20,000+ certificates issued by their other RAs if deficient validation was discovered. However, the determination of deficient validation was made based on the RAs own logs of activity, which may themselves be suspect given some of the audit deficiencies found at these RAs. Furthermore, this revalidation process, which presumably is continuing beyond the end of March deadline Mozilla has set for using only the ten defined domain methods in version 1.4.1 of the Baseline Requirements, is not one of those ten. | |||
===Further Comments and Conclusion=== | |||
When Symantec put various controls and restrictions in place following the previous "test cert" incident, those controls, checks and restrictions did not extend to their RA network. Symantec say that this is because the test tool used in the previous incident was not available to RAs; however, it does not seem to be a great leap to have looked for similar capabilities and problems elsewhere in their issuance process. | When Symantec put various controls and restrictions in place following the previous "test cert" incident, those controls, checks and restrictions did not extend to their RA network. Symantec say that this is because the test tool used in the previous incident was not available to RAs; however, it does not seem to be a great leap to have looked for similar capabilities and problems elsewhere in their issuance process. | ||
==Issue XXX: RA Program Audit Issues (2013 or earlier - January 2017)== | |||
==Issue XXX: RA Program Audit Issues (2013 or earlier - | |||
Symantec's RAs appear to have had a history of poor compliance with the BRs and other audit requirements, facts which were known to Symantec but not disclosed to Mozilla or dealt with in appropriately comprehensive ways. | Symantec's RAs appear to have had a history of poor compliance with the BRs and other audit requirements, facts which were known to Symantec but not disclosed to Mozilla or dealt with in appropriately comprehensive ways. | ||
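Review bot: the list of Symantec comments links items 1 and 2 to the same attachment (attachment.cgi?id=8831933), so one of the two ids is presumably wrong and should be checked against the bug. In the quoted Baseline Requirements text, "Certificate Poliy" should be "Certificate Policy", and "the RAs own logs of activity" needs the plural possessive, "the RAs' own logs". The hunk also shows the "RA Program Audit Issues" heading twice, once complete and once cut off after "(2013 or earlier -"; if the truncated line is not the old heading being replaced, it should be removed so only the complete heading remains.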
Line 154: | Line 166: | ||
Over multiple years ([https://www.symantec.com/content/en/us/about/media/repository/symantec-webtrust-audit-report.pdf 2013-12-01 to 2014-11-30], [https://www.symantec.com/content/en/us/about/media/repository/GeoTrust-WTBR-2015.pdf 2014-12-01 to 2015-11-30]), Symantec's "GeoTrust" audits were qualified to say that they did not have proper audit information for some of these RAs. This information was in their management assertions, and repeated in the audit findings. So the poor audit situation was ongoing and known. Also, other audit reports, despite being in hierarchies accessible for issuance by the same RAs, did not have similar qualifications ([https://www.symantec.com/content/en/us/about/media/repository/Symantec-STN-WTCA-2015.pdf Symantec Trust Network, 2014-12-01 to 2015-11-30]). | Over multiple years ([https://www.symantec.com/content/en/us/about/media/repository/symantec-webtrust-audit-report.pdf 2013-12-01 to 2014-11-30], [https://www.symantec.com/content/en/us/about/media/repository/GeoTrust-WTBR-2015.pdf 2014-12-01 to 2015-11-30]), Symantec's "GeoTrust" audits were qualified to say that they did not have proper audit information for some of these RAs. This information was in their management assertions, and repeated in the audit findings. So the poor audit situation was ongoing and known. Also, other audit reports, despite being in hierarchies accessible for issuance by the same RAs, did not have similar qualifications ([https://www.symantec.com/content/en/us/about/media/repository/Symantec-STN-WTCA-2015.pdf Symantec Trust Network, 2014-12-01 to 2015-11-30]). | ||
We currently know of four RAs who were in Symantec's program - CrossCert, Certisign, Certsuperior, and Certisur. | |||
[https://bug1334377.bmoattachments.org/attachment.cgi?id=8831930 Certsuperior's audit] is particularly dreadful: | |||
* There was no legible CPS; | * There was no legible CPS; | ||
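Review bot: "some of these RAs" in the first paragraph of this hunk refers forward to RAs that are only named in the sentence added after it ("We currently know of four RAs ... CrossCert, Certisign, Certsuperior, and Certisur"); either move that sentence ahead of the audit-history paragraph or change the reference to "some of its RAs" so the paragraph stands on its own.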
Line 161: | Line 175: | ||
* non-trusted staff had access to issuance. | * non-trusted staff had access to issuance. | ||
[https://cert.webtrust.org/SealFile?seal=2168&file=pdf CrossCert's audit] does not list or cover the full number of Symantec roots under which they had issuance capability. Symantec's investigation discovered that CrossCert had the scope of the audit reduced for cost reasons. | |||
[https://bug1334377.bmoattachments.org/attachment.cgi?id=8831929 Certisign's audit] and [https://cert.webtrust.org/SealFile?seal=2067&file=pdf Certisur's audit] are only WebTrust for CAs audits - neither CA appears to have a Baseline Requirements audit, which is required for entities doing independent certificate issuance as they were. | |||
===Symantec Response=== | ===Symantec Response=== | ||
Symantec required the issues to be fixed and a 90-day action plan was executed to fix them. However, until they decided to shut down the RA program, no certificates issued during the period of suspect operations were checked to see if the poor practice had caused misissuance. | Symantec required the issues at CertSuperior to be fixed and a 90-day action plan was executed to fix them. However, until they decided to shut down the RA program, no certificates issued during the period of suspect operations were checked to see if the poor practice had caused misissuance. | ||
Despite the clear warning signs shown on the Certsuperior audit, Symantec did not put in place any monitoring of their RAs, other than audit, to check that they were correctly performing the tasks delegated to them under the BRs. There were some - overridable - technical checks on certificate issuance. | |||
Symantec appears to have taken no action to deal with that fact that Certisign and Certisur did not have the correct audits. | |||
Symantec did not notice that CrossCert's audits did not cover all the relevant roots until they did the RA investigation in early 2017. | |||
==Issue XXX: Incomplete RA Program Remediation (March 2017)== | ==Issue XXX: Incomplete RA Program Remediation (February - March 2017)== | ||
At the time Symantec shut down their RA program, they had four RAs - CrossCert, Certisign, Certsuperior, and Certisur. Symantec committed to revalidating all certificates issued by those RAs. Independent of the rightness or otherwise of this course of action, it should have been applied consistently. However, the program previously had additional RAs, and Symantec has as yet taken no action to revalidate the certificates that they issued, despite some still being valid. Those RAs include at least E-Sign (from [https://cert.webtrust.org/SealFile?seal=1873&file=pdf at least March 1st 2014] to [https://cert.webtrust.org/SealFile?seal=1931&file=pdf at least July 31st 2015]) and may include others. | At the time Symantec shut down their RA program, they had four RAs - CrossCert, Certisign, Certsuperior, and Certisur. Symantec committed to revalidating all certificates issued by those RAs. Independent of the rightness or otherwise of this course of action, it should have been applied consistently. However, the program previously had additional RAs, and Symantec has as yet taken no action to revalidate the certificates that they issued, despite some still being valid. Those RAs include at least E-Sign (from [https://cert.webtrust.org/SealFile?seal=1873&file=pdf at least March 1st 2014] to [https://cert.webtrust.org/SealFile?seal=1931&file=pdf at least July 31st 2015]) and may include others. |
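Review bot: "to deal with that fact that Certisign and Certisur did not have the correct audits" should be "the fact that". The revised Symantec Response sentence spells the RA "CertSuperior" while the rest of the page (including the audit paragraph above and the list of four RAs below) uses "Certsuperior"; pick one spelling. That sentence also says "required the issues ... to be fixed and a 90-day action plan was executed to fix them", which repeats itself; "required the issues at Certsuperior to be fixed, and a 90-day action plan was executed" is enough.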