I think it might be appropriate to have a further round of questions to
Symantec from Mozilla, to try and get some clarity on some outstanding
and concerning issues. Here are some _proposed_ questions; feel free to
suggest modifications or other questions, and I will decide what to send
officially to Symantec in a few days. Please focus on formulating
questions which would have an effect on Mozilla's view of Symantec or
our response to the recent issues.
RAs and EV
----------
1) Did any of the RAs in your program (CrossCert and co.) have the
technical ability to independently issue EV certificates? If they did
not, given that they had issuance capability from intermediates which
chained up to EV-enabled roots, what technical controls prevented them
from having this capability?
2) We note that all four RAs advertised EV certificates on their
websites during 2016[0]. If they did not have direct EV issuance
capability, by what mechanism did they provide EV certificates to their
customers, and what validation (if any) did Symantec do of data provided
by the RAs?
Issue Y
-------
3) Does Symantec agree that "VeriSign Class 3 SSP Intermediate CA - G2"
and "Symantec Class 3 SSP Intermediate CA - G3", can issue certs which
are trusted for SSL/TLS in Mozilla products (by chaining up to "VeriSign
Universal Root Certification Authority") and yet do not have BR audits?
4) These two intermediates have a number of sub-intermediates. Does
Symantec agree that not all of these sub-intermediates are within the
scope of even Symantec's NFSSP Webtrust for CAs audit?[1] If so, how
many are in scope and how many are out of scope? If they are all in
scope, why are they not listed in the audit document?
5) A statement from Symantec[2] suggests that customers of your NFSSP
program can perform RA duties for the issuance of certs for Windows
domain controllers and those RA activities are outside the scope of the
audit entirely. Is that correct? Please list all companies or
organizations which can issue publicly-trusted SSL/TLS certificates with
no audit oversight.
6) "VeriSign Universal Root Certification Authority" is EV-enabled. Are
there any mechanisms, technical or otherwise, which prevent NFSSP
customers from issuing EV certs by including the Symantec EV OID?
7) Does Symantec agree that Issue Y is very serious? What are Symantec's
plans to remedy this? Why have they not been communicated up to now?
When will they be executed?
Audits
------
8) Please explain how the Management Assertions for your December 2014
-> November 2015 audits contain documentation of issues ("Failure to
maintain physical security records for 7 years", "Failure to review
application and system logs" and "failure to refresh background checks
every 5 years") that, according to you, were only discovered in January
or February 2016[3]. Is it not the case that you submit Management
Assertions to your auditor and they then opine upon the correctness of
those assertions? What is the "last change date" of those management
assertions? What point in the audit cycle does that date correspond to?
Issue L
-------
9) During the approximately five years that Symantec cross-signed the
Federal PKI, thereby making any certificate within it have a path to
trust in Mozilla browsers, which of the following best represented
Symantec's understanding of the situation:
a) Symantec didn't realise that your actions had the effect of making
the entirety of the FPKI trusted in Mozilla browsers; or
b) Symantec knew that your actions had the effect of making the entirety
of the FPKI trusted in Mozilla browsers and didn't realise the
implications for your own audits and disclosures and the WebPKI; or
c) Symantec knew that your actions had the effect of making the entirety
of the FPKI trusted in Mozilla browsers and did realise the
implications, but didn't think it was necessary to tell Mozilla about it?
Gerv
[0]
http://web.archive.org/web/20161223000146/http://www.crosscert.com/
http://web.archive.org/web/20160428051833/https://www.certsuperior.com/SecureSiteProEV.aspx
http://web.archive.org/web/20161114232112/https://www.certisur.com/soluciones/sitios-seguros
http://web.archive.org/web/20161101111634/https://www.certisign.com.br/certificado-servidor/ssl-validacao-avancada
[1] The following intermediates, at least, are not listed in that audit
as being covered:
https://crt.sh/?id=19602740,
https://crt.sh/?id=19602709,
https://crt.sh/?id=19602733,
https://crt.sh/?id=19602720,
https://crt.sh/?id=19602670,
https://crt.sh/?id=19602679,
https://crt.sh/?id=19602705,
https://crt.sh/?id=19602730.
[2]
https://bug1334377.bmoattachments.org/attachment.cgi?id=8860216,
section 2, first bullet numbered 2.
[3]
https://bug1334377.bmoattachments.org/attachment.cgi?id=8860216,
section 5.
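To make the mechanism behind questions 3 and 6 concrete (a browser grants EV status from the root's EV-table entry plus the policy OIDs along the path, not from which intermediate happened to issue the leaf), here is an added Python model that is not part of the original post. The chains are constructed sample data, the root's EV-table entry is an assumption, and the Symantec EV policy OID is the published VeriSign value, which the post itself does not quote.

```python
# Added example, not from the original post: a minimal model of how a browser
# such as Firefox decides whether a certificate is EV. Certs are plain dicts
# (subject, issuer, certificatePolicies OIDs), not parsed X.509 objects.

ANY_POLICY = "2.5.29.32.0"
# Published VeriSign/Symantec EV policy OID (not stated in the post above).
SYMANTEC_EV_OID = "2.16.840.1.113733.1.7.23.6"
DV_POLICY_OID = "2.23.140.1.2.1"  # CA/Browser Forum BR domain-validated OID

# Assumed EV table entry: root subject -> EV policy OIDs the browser accepts.
EV_ROOTS = {
    "VeriSign Universal Root Certification Authority": {SYMANTEC_EV_OID},
}

def ev_policy_oid(chain, ev_roots=EV_ROOTS):
    """Return the EV OID the leaf-first chain qualifies for, or None.

    The leaf must assert an OID the root is EV-enabled for, and every
    intermediate must carry that OID or anyPolicy. Nothing else about the
    intermediate matters, which is exactly why question 6 asks what stops an
    NFSSP sub-CA under an EV-enabled root from producing EV-treated certs.
    """
    if not chain:
        return None
    for cert, issuer in zip(chain, chain[1:]):  # issuer/subject linkage
        if cert["issuer"] != issuer["subject"]:
            return None
    accepted = ev_roots.get(chain[-1]["subject"], set())
    for oid in set(chain[0].get("policies", [])) & accepted:
        if all(oid in c.get("policies", []) or ANY_POLICY in c.get("policies", [])
               for c in chain[1:-1]):
            return oid
    return None

# Constructed sample chains; names are illustrative, not real certificates.
ROOT = {"subject": "VeriSign Universal Root Certification Authority",
        "issuer": "VeriSign Universal Root Certification Authority"}
UNCONSTRAINED_ICA = {"subject": "Example SSP Intermediate CA",
                     "issuer": ROOT["subject"], "policies": [ANY_POLICY]}
CONSTRAINED_ICA = {"subject": "Example DV-only Intermediate CA",
                   "issuer": ROOT["subject"], "policies": [DV_POLICY_OID]}
NON_EV_ROOT = {"subject": "Example Non-EV Root", "issuer": "Example Non-EV Root"}

def chain_via(ica, root=ROOT):
    """Build leaf -> intermediate -> root with the leaf asserting the EV OID."""
    leaf = {"subject": "dc01.example.test", "issuer": ica["subject"],
            "policies": [SYMANTEC_EV_OID]}
    return [leaf, ica, root]
```

An intermediate whose certificatePolicies omits both the EV OID and anyPolicy is the only thing in this model that blocks EV, so a policy-constrained intermediate is the kind of "technical control" question 6 is asking about.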