CA/Symantec Issues: Difference between revisions

Line 253: Line 253:
==Issue W: RA Program Audit Issues (2013 or earlier - January 2017)==
==Issue W: RA Program Audit Issues (2013 or earlier - January 2017)==


We currently know of four RAs who were in Symantec's program - CrossCert, Certisign, Certsuperior, and Certisur.
Symantec's RA program had four participating companies - CrossCert, Certisign, Certsuperior, and Certisur.


[https://bug1334377.bmoattachments.org/attachment.cgi?id=8831930 Certsuperior's audit] is particularly dreadful:  
[https://bug1334377.bmoattachments.org/attachment.cgi?id=8831930 Certsuperior's audit] is particularly dreadful:  
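Review bot: the rewrite of the RA count drops the earlier hedge ("We currently know of four RAs") in favour of a definitive "Symantec's RA program had four participating companies", while the rest of the section still describes the RA investigation as ongoing ("this is still being investigated"); either keep the hedge or cite the source that confirms the program had exactly these four RAs.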
Line 262: Line 262:
* non-trusted staff had access to issuance.
* non-trusted staff had access to issuance.


[https://cert.webtrust.org/SealFile?seal=2168&file=pdf CrossCert's audit] does not list or cover the full number of Symantec roots under which they had issuance capability. Symantec's investigation discovered that CrossCert had the scope of the audit reduced for cost reasons.
[https://cert.webtrust.org/SealFile?seal=2168&file=pdf CrossCert's audit] does not list or cover the full number of Symantec roots under which they had issuance capability. Symantec did not notice this mismatch until their recent investigations, when they discovered that CrossCert had the scope of the audit reduced for cost reasons.


[https://bug1334377.bmoattachments.org/attachment.cgi?id=8831929 Certisign's audit] and [https://cert.webtrust.org/SealFile?seal=2067&file=pdf Certisur's audit] are only WebTrust for CAs audits - neither CA appears to have a Baseline Requirements audit. The WebTrust audit criteria require that such a CA has a BR audit. In addition, Mozilla policy requires "CA operations and issuance of certificates to be used for SSL-enabled servers" to conform to the Baseline Requirements. As Symantec has stated that audit was their only mechanism for monitoring their RAs, they can have had no assurance that RAs without a BR audit were actually following the BRs.
[https://bug1334377.bmoattachments.org/attachment.cgi?id=8831929 Certisign's audit] and [https://cert.webtrust.org/SealFile?seal=2067&file=pdf Certisur's audit] are only WebTrust for CAs audits - neither CA appears to have a Baseline Requirements audit. The WebTrust audit criteria require that such a CA has a BR audit. In addition, Mozilla policy requires "CA operations and issuance of certificates to be used for SSL-enabled servers" to conform to the Baseline Requirements. As Symantec has stated that audit was their only mechanism for monitoring their RAs, they can have had no assurance that RAs without a BR audit were actually following the BRs.
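Review bot: "Symantec did not notice this mismatch until their recent investigations" in the CrossCert paragraph uses a relative date that will go stale; the same fact is dated "early 2017" later in the section, so use the concrete date here as well, e.g. "until their RA investigation in early 2017".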
Line 268: Line 268:
===Symantec Response===
===Symantec Response===


Symantec required the issues at CertSuperior to be fixed and a 90-day action plan was executed to fix them. However, until they decided to shut down the RA program, no certificates issued during the period of suspect operations were checked to see if the poor practice had caused misissuance.
Symantec required the issues at CertSuperior to be fixed and a 90-day action plan was executed to fix them. However, until they decided to shut down the RA program, no certificates issued during the period of suspect operations were checked to see if the poor practice had caused misissuance. They have requested that their next audit include both WebTrust for CAs and WebTrust Baseline.


Despite the clear warning signs shown on the Certsuperior audit, Symantec did not put in place any monitoring of their RAs, other than audit, to check that they were correctly performing the tasks delegated to them under the BRs. There were some - overridable - technical checks on certificate issuance.
Symantec appears to have taken no action to deal with that fact that Certisign and Certisur did not have BR audits until recently, when they have requested that Certisign's next audit include both WebTrust for CAs and WebTrust Baseline. (They assert that Certisur's audits are in order; this is still being investigated.)


Symantec appears to have taken no action to deal with that fact that Certisign and Certisur did not have BR audits.  
Symantec did not notice that CrossCert's audits did not cover all the relevant roots until they did the RA investigation in early 2017.
 
===Further Comments and Conclusion===
 
Despite the clear warning signs shown on the Certsuperior audit, Symantec did not put in place any monitoring of their RAs, other than audit, to check that they were correctly performing the tasks delegated to them under the BRs. (There were some - overridable - technical checks on certificate issuance.)


Symantec did not notice that CrossCert's audits did not cover all the relevant roots until they did the RA investigation in early 2017.
Symantec's compliance department [https://groups.google.com/forum/#!topic/mozilla.dev.security.policy/Ga1bfOiJr70 appears not to have noticed] many or any of these audit scope problems until 2016. It is currently unclear how long these CAs were missing BR audits.


==Issue X: Incomplete RA Program Remediation (February - March 2017)==
==Issue X: Incomplete RA Program Remediation (February - March 2017)==
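Review bot: the sentence added to the CertSuperior paragraph, "They have requested that their next audit include both WebTrust for CAs and WebTrust Baseline", is ambiguous about whose audit is meant, and the next paragraph attributes the same request to Certisign's next audit; name the RA explicitly in the first sentence or drop it there and keep only the Certisign version. Also, "deal with that fact that" should read "deal with the fact that", and the two lines around the new "===Further Comments and Conclusion===" heading consist of a single space, which wikitext renders as empty preformatted blocks; make them truly blank.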