On 14/07/16 04:02, sanja...@symantec.com wrote:
> On Tuesday, July 12, Symantec erroneously produced and issued 8 SHA-1 certificates in support of one customer’s application to submit SHA-1 TBS Certificates to the CA/B Forum for a SHA-1 exception. Symantec has revoked the certificates.
Sanjay,
The final report [1] on Symantec's September 2015 "Test Certificates
Incident" noted that:
"One of these test certificates with a CN=www.google.com was an
Extended Validation (EV) test certificate and was logged to public
Certificate Transparency (CT) log servers which is standard practice
by default for EV certificates issued by CAs."
That sentence must be referring to this precertificate:
https://crt.sh/?id=9314698
So, would it be fair to also classify these 8 SHA-1 precertificates as
"test certificates"?
The final report [1] also noted (emphasis mine) that:
"3. *We thoroughly analyzed the nature of the test certificates, and
more importantly, the nature of how/why they were issued* – that
informed us of the true risks (e.g. whether the private keys and
certificates were exposed – which they were not). This root cause
analysis crystalized our remediation steps, and guided us on what
actions were necessary to prevent this from occurring again in the
future, augmenting the extensive technical controls and procedures
already in place.
4. *We identified and implemented changes to tools, processes, and
personnel to prevent this in the future*."
Why were the changes resulting from that internal process review
insufficient to prevent these 8 SHA-1 precertificates from being issued?
> An internal process review is underway.
<snip>
How many internal process reviews will it take to *actually* "prevent
this in the future"?
[1] http://www.symantec.com/connect/sites/default/files/Test_Certificates_Incident_Update.pdf