| Misissued/Suspicious Symantec Certificates | Andrew Ayer | 19/01/17 13:46 | I. Misissued certificates for example.com
On 2016-07-14, Symantec misissued the following certificates for example.com: https://crt.sh/?sha256=A8F14F52CC1282D7153A13316E7DA39E6AE37B1A10C16288B9024A9B9DC3C4C6 https://crt.sh/?sha256=8B5956C57FDCF720B6907A4B1BC8CA2E46CD90EAD5C061A426CF48A6117BFBFA https://crt.sh/?sha256=94482136A1400BC3A1136FECA3E79D4D200E03DD20B245D19F0E78B5679EAF48 https://crt.sh/?sha256=C69AB04C1B20E6FC7861C67476CADDA1DAE7A8DCF6E23E15311C2D2794BFCD11 I confirmed with ICANN, the owner of example.com, that they did not authorize these certificates. These certificates were already revoked at the time I found them. II. Suspicious certificates for domains containing the word "test" On 2016-11-15 and 2016-10-26, Symantec issued certificates for various domains containing the word "test" which I strongly suspect were misissued: https://crt.sh/?sha256=b81f339b971eb763cfc686adbac5c164b89ad03f8afb55da9604fd0d416bbd21 https://crt.sh/?sha256=f45d090e1bf24738a8e86734aa7acf7c9e65b619eb19660b1f73c9973f11b841 https://crt.sh/?sha256=bcbc26c9e06c4fe1c9e4d55fa27a501c504ea84e23e114b8ac004f7c0776cd0b https://crt.sh/?sha256=f0935ce297419cc148bde49a7a123f2b2419cdd52df8e7f49e7bba07fe872559 https://crt.sh/?sha256=3601ab49034e69d6e2137a80e511a0640252f444b75d6baca7bf4672c35652a5 I have not attempted to contact the owners of these domains for confirmation, as doing so is probably not feasible (many of the domains are owned by squatters). However, the following facts lead to me to believe that these certificates were misissued: 1. The subject DNs contain clearly bogus values, such as: C=KR, ST=1, L=1, O=12, OU=1 C=KR, ST=1, L=1, O=1, OU=1 C=KR, ST=1, L=1, O=12, OU=1 C=KR, ST=Test1, L=Test, O=Test Note that the misissued example.com certificates also contain C=KR in their subjects. 2. The third certificate in the list above contains a SAN for DNS:*.crosscert.com - note that three of the misissued example.com certificates contain "Crosscert" in their Subject Organization. 3. None of these certificates have been observed in the wild by Censys. The live certificate for www.test.com was issued by Network Solutions. 4. The first two certificates in the list above both contain DNS SANs for *all* of the following domains: test.com test1.com test2.com test3.com test4.com test5.com test6.com test7.com test8.com test9.com test11.com With the exception of test4.com and test8.com, these domains are registered to different entities and appear to be wholly unrelated with one another in both ownership and operation. It is unlikely that the owners of these domains would collaborate to authorize these certificates. These certificates were already revoked at the time I found them. III. Certificates with O=Test Finally, Symantec has issued a large number of certificates with the following attributes in the Subject: C=KR, ST=test, L=test, O=test, OU=test e.g.: https://crt.sh/?sha256=09AECE5B94BBB8A9EE2152FA6FB7261630124918DA015EB3571508EF6D31DD30 https://crt.sh/?sha256=CC0A2AE0EF5B1A6CF242D7B4C77AC9F05B49494B42C8486B47804874734CFC1C https://crt.sh/?sha256=F177AC0064167354025CE12B3914A0E056628DD31152B5DF22E41913FC9D9B45 https://crt.sh/?sha256=DA7B1D433C071DA7A389EE2A4CAB854B89E441277B41E608F05FB7C7C6B2A761 For more, see: https://crt.sh/?O=test I doubt there is an organization named "test" located in "test, Korea." Regards, Andrew |
| RE: Misissued/Suspicious Symantec Certificates | Steve Medin | 19/01/17 15:46 | Andrew, thank you for your efforts to report this issue. We are
investigating and will report our resolution, cause analysis, and corrective actions once complete. Kind regards, Steven Medin PKI Policy Manager, Symantec Corporation > https://clicktime.symantec.com/a/1/LyhH99FiQBwyOqKcts8QGJ75k6 > TPEC_N7jOPRSjGhkA=?d=6VMu_T- > sR5eKmPW2WR2IXMmMu2l3NuU1xwSCzx- > S8H67_QVReqcePQ_O3DgBf_CHNp7acC3LqzelBaMae64LokDHJrk3XCy9cJBj7 > mWmiY1RlN6aQDk-q60Cy76Au0CHjeYa4qo0N7e7Pbcw_OwHSJmMQEw- > s1RBUJ4y6oFf9cEpLQYDcTs0wQjUve2_zzbI9paFZA- > 4MBZn0OAqSr0fdyihKQa3NGk1XSLahRHT9H7YKUQRhaX3y6FotZjUaGOWboG > oYn8PQTT6koyyBuC- > 044fxL0XE8xRruYOPBELAZNVU7IzdE2id8hrzrFn7l2jmuWLTxkW- > AQ15CZUebkaGsbll_tyh8jDt08gBNpnPtXVKTMbDEYJw- > p1P3j3Zh6JpKCiC3jVpJ69E80VUm5h1S79Gwhy6xG1BYx6pTfwpQ3h1_jVWXz3 > NLXmybP77Lu56CC_6htKsu1YTZVPIbw%3D&u=https%3A%2F%2Fcrt.sh%2F% > 3Fsha256%3DA8F14F52CC1282D7153A13316E7DA39E6AE37B1A10C16288B902 > 4A9B9DC3C4C6 > https://clicktime.symantec.com/a/1/_X1- > P9bvSq0r_QG43YQ6BwhHeeRl4IrY8ebwWh9HWiQ=?d=6VMu_T- > sR5eKmPW2WR2IXMmMu2l3NuU1xwSCzx- > S8H67_QVReqcePQ_O3DgBf_CHNp7acC3LqzelBaMae64LokDHJrk3XCy9cJBj7 > mWmiY1RlN6aQDk-q60Cy76Au0CHjeYa4qo0N7e7Pbcw_OwHSJmMQEw- > s1RBUJ4y6oFf9cEpLQYDcTs0wQjUve2_zzbI9paFZA- > 4MBZn0OAqSr0fdyihKQa3NGk1XSLahRHT9H7YKUQRhaX3y6FotZjUaGOWboG > oYn8PQTT6koyyBuC- > 044fxL0XE8xRruYOPBELAZNVU7IzdE2id8hrzrFn7l2jmuWLTxkW- > AQ15CZUebkaGsbll_tyh8jDt08gBNpnPtXVKTMbDEYJw- > p1P3j3Zh6JpKCiC3jVpJ69E80VUm5h1S79Gwhy6xG1BYx6pTfwpQ3h1_jVWXz3 > NLXmybP77Lu56CC_6htKsu1YTZVPIbw%3D&u=https%3A%2F%2Fcrt.sh%2F% > 3Fsha256%3D8B5956C57FDCF720B6907A4B1BC8CA2E46CD90EAD5C061A426C > F48A6117BFBFA > https://clicktime.symantec.com/a/1/1ux2sxPZpTNuRjN4JV5qOj0550 > RDi16i7NLrqi0eFaY=?d=6VMu_T-sR5eKmPW2WR2IXMmMu2l3NuU1xwSCzx- > S8H67_QVReqcePQ_O3DgBf_CHNp7acC3LqzelBaMae64LokDHJrk3XCy9cJBj7 > mWmiY1RlN6aQDk-q60Cy76Au0CHjeYa4qo0N7e7Pbcw_OwHSJmMQEw- > s1RBUJ4y6oFf9cEpLQYDcTs0wQjUve2_zzbI9paFZA- > 4MBZn0OAqSr0fdyihKQa3NGk1XSLahRHT9H7YKUQRhaX3y6FotZjUaGOWboG > oYn8PQTT6koyyBuC- > 044fxL0XE8xRruYOPBELAZNVU7IzdE2id8hrzrFn7l2jmuWLTxkW- > AQ15CZUebkaGsbll_tyh8jDt08gBNpnPtXVKTMbDEYJw- > p1P3j3Zh6JpKCiC3jVpJ69E80VUm5h1S79Gwhy6xG1BYx6pTfwpQ3h1_jVWXz3 > NLXmybP77Lu56CC_6htKsu1YTZVPIbw%3D&u=https%3A%2F%2Fcrt.sh%2F% > 3Fsha256%3D94482136A1400BC3A1136FECA3E79D4D200E03DD20B245D19F0E > 78B5679EAF48 > https://clicktime.symantec.com/a/1/YT02EQBzJ13G0VwF_VLruHbKA > Ep4LXe40icNc0DLwUA=?d=6VMu_T- > sR5eKmPW2WR2IXMmMu2l3NuU1xwSCzx- > S8H67_QVReqcePQ_O3DgBf_CHNp7acC3LqzelBaMae64LokDHJrk3XCy9cJBj7 > mWmiY1RlN6aQDk-q60Cy76Au0CHjeYa4qo0N7e7Pbcw_OwHSJmMQEw- > s1RBUJ4y6oFf9cEpLQYDcTs0wQjUve2_zzbI9paFZA- > 4MBZn0OAqSr0fdyihKQa3NGk1XSLahRHT9H7YKUQRhaX3y6FotZjUaGOWboG > oYn8PQTT6koyyBuC- > 044fxL0XE8xRruYOPBELAZNVU7IzdE2id8hrzrFn7l2jmuWLTxkW- > AQ15CZUebkaGsbll_tyh8jDt08gBNpnPtXVKTMbDEYJw- > p1P3j3Zh6JpKCiC3jVpJ69E80VUm5h1S79Gwhy6xG1BYx6pTfwpQ3h1_jVWXz3 > NLXmybP77Lu56CC_6htKsu1YTZVPIbw%3D&u=https%3A%2F%2Fcrt.sh%2F% > 3Fsha256%3DC69AB04C1B20E6FC7861C67476CADDA1DAE7A8DCF6E23E15311 > C2D2794BFCD11> https://clicktime.symantec.com/a/1/_0lsjfT3DHqxu1QJl2eBU5zx948r > qJmGy-bHkTlww3c=?d=6VMu_T-sR5eKmPW2WR2IXMmMu2l3NuU1xwSCzx- > S8H67_QVReqcePQ_O3DgBf_CHNp7acC3LqzelBaMae64LokDHJrk3XCy9cJBj7 > mWmiY1RlN6aQDk-q60Cy76Au0CHjeYa4qo0N7e7Pbcw_OwHSJmMQEw- > s1RBUJ4y6oFf9cEpLQYDcTs0wQjUve2_zzbI9paFZA- > 4MBZn0OAqSr0fdyihKQa3NGk1XSLahRHT9H7YKUQRhaX3y6FotZjUaGOWboG > oYn8PQTT6koyyBuC- > 044fxL0XE8xRruYOPBELAZNVU7IzdE2id8hrzrFn7l2jmuWLTxkW- > AQ15CZUebkaGsbll_tyh8jDt08gBNpnPtXVKTMbDEYJw- > p1P3j3Zh6JpKCiC3jVpJ69E80VUm5h1S79Gwhy6xG1BYx6pTfwpQ3h1_jVWXz3 > NLXmybP77Lu56CC_6htKsu1YTZVPIbw%3D&u=https%3A%2F%2Fcrt.sh%2F% > 3Fsha256%3Db81f339b971eb763cfc686adbac5c164b89ad03f8afb55da9604fd0 > d416bbd21 > https://clicktime.symantec.com/a/1/uF90PPzN7N3_lTMmPb8YzXKK > AfWPKKNmpvo_prjlE3Y=?d=6VMu_T- > sR5eKmPW2WR2IXMmMu2l3NuU1xwSCzx- > S8H67_QVReqcePQ_O3DgBf_CHNp7acC3LqzelBaMae64LokDHJrk3XCy9cJBj7 > mWmiY1RlN6aQDk-q60Cy76Au0CHjeYa4qo0N7e7Pbcw_OwHSJmMQEw- > s1RBUJ4y6oFf9cEpLQYDcTs0wQjUve2_zzbI9paFZA- > 4MBZn0OAqSr0fdyihKQa3NGk1XSLahRHT9H7YKUQRhaX3y6FotZjUaGOWboG > oYn8PQTT6koyyBuC- > 044fxL0XE8xRruYOPBELAZNVU7IzdE2id8hrzrFn7l2jmuWLTxkW- > AQ15CZUebkaGsbll_tyh8jDt08gBNpnPtXVKTMbDEYJw- > p1P3j3Zh6JpKCiC3jVpJ69E80VUm5h1S79Gwhy6xG1BYx6pTfwpQ3h1_jVWXz3 > NLXmybP77Lu56CC_6htKsu1YTZVPIbw%3D&u=https%3A%2F%2Fcrt.sh%2F% > 3Fsha256%3Df45d090e1bf24738a8e86734aa7acf7c9e65b619eb19660b1f73c99 > 73f11b841 > https://clicktime.symantec.com/a/1/ezbB2-8KqYUHyXjQx5B- > Vwf6tJJiGin6RaC_rwMyM7Y=?d=6VMu_T- > sR5eKmPW2WR2IXMmMu2l3NuU1xwSCzx- > S8H67_QVReqcePQ_O3DgBf_CHNp7acC3LqzelBaMae64LokDHJrk3XCy9cJBj7 > mWmiY1RlN6aQDk-q60Cy76Au0CHjeYa4qo0N7e7Pbcw_OwHSJmMQEw- > s1RBUJ4y6oFf9cEpLQYDcTs0wQjUve2_zzbI9paFZA- > 4MBZn0OAqSr0fdyihKQa3NGk1XSLahRHT9H7YKUQRhaX3y6FotZjUaGOWboG > oYn8PQTT6koyyBuC- > 044fxL0XE8xRruYOPBELAZNVU7IzdE2id8hrzrFn7l2jmuWLTxkW- > AQ15CZUebkaGsbll_tyh8jDt08gBNpnPtXVKTMbDEYJw- > p1P3j3Zh6JpKCiC3jVpJ69E80VUm5h1S79Gwhy6xG1BYx6pTfwpQ3h1_jVWXz3 > NLXmybP77Lu56CC_6htKsu1YTZVPIbw%3D&u=https%3A%2F%2Fcrt.sh%2F% > 3Fsha256%3Dbcbc26c9e06c4fe1c9e4d55fa27a501c504ea84e23e114b8ac004f7 > c0776cd0b > https://clicktime.symantec.com/a/1/DvhFK5KhEvCMzdYbMfWcMszP > yUmwumBtBw7KULICQNk=?d=6VMu_T- > sR5eKmPW2WR2IXMmMu2l3NuU1xwSCzx- > S8H67_QVReqcePQ_O3DgBf_CHNp7acC3LqzelBaMae64LokDHJrk3XCy9cJBj7 > mWmiY1RlN6aQDk-q60Cy76Au0CHjeYa4qo0N7e7Pbcw_OwHSJmMQEw- > s1RBUJ4y6oFf9cEpLQYDcTs0wQjUve2_zzbI9paFZA- > 4MBZn0OAqSr0fdyihKQa3NGk1XSLahRHT9H7YKUQRhaX3y6FotZjUaGOWboG > oYn8PQTT6koyyBuC- > 044fxL0XE8xRruYOPBELAZNVU7IzdE2id8hrzrFn7l2jmuWLTxkW- > AQ15CZUebkaGsbll_tyh8jDt08gBNpnPtXVKTMbDEYJw- > p1P3j3Zh6JpKCiC3jVpJ69E80VUm5h1S79Gwhy6xG1BYx6pTfwpQ3h1_jVWXz3 > NLXmybP77Lu56CC_6htKsu1YTZVPIbw%3D&u=https%3A%2F%2Fcrt.sh%2F% > 3Fsha256%3Df0935ce297419cc148bde49a7a123f2b2419cdd52df8e7f49e7bba0 > 7fe872559 > https://clicktime.symantec.com/a/1/bVc- > 6BOqerbwbrXUNbJu8pE6Vy80A5iky_MQqAMWgaA=?d=6VMu_T- > sR5eKmPW2WR2IXMmMu2l3NuU1xwSCzx- > S8H67_QVReqcePQ_O3DgBf_CHNp7acC3LqzelBaMae64LokDHJrk3XCy9cJBj7 > mWmiY1RlN6aQDk-q60Cy76Au0CHjeYa4qo0N7e7Pbcw_OwHSJmMQEw- > s1RBUJ4y6oFf9cEpLQYDcTs0wQjUve2_zzbI9paFZA- > 4MBZn0OAqSr0fdyihKQa3NGk1XSLahRHT9H7YKUQRhaX3y6FotZjUaGOWboG > oYn8PQTT6koyyBuC- > 044fxL0XE8xRruYOPBELAZNVU7IzdE2id8hrzrFn7l2jmuWLTxkW- > AQ15CZUebkaGsbll_tyh8jDt08gBNpnPtXVKTMbDEYJw- > p1P3j3Zh6JpKCiC3jVpJ69E80VUm5h1S79Gwhy6xG1BYx6pTfwpQ3h1_jVWXz3 > NLXmybP77Lu56CC_6htKsu1YTZVPIbw%3D&u=https%3A%2F%2Fcrt.sh%2F% > 3Fsha256%3D3601ab49034e69d6e2137a80e511a0640252f444b75d6baca7bf46 > https://clicktime.symantec.com/a/1/uZoiIkm1yJ- > wqrsj50BAsLnMXK8PZ3NxcouYQEZu9FQ=?d=6VMu_T- > sR5eKmPW2WR2IXMmMu2l3NuU1xwSCzx- > S8H67_QVReqcePQ_O3DgBf_CHNp7acC3LqzelBaMae64LokDHJrk3XCy9cJBj7 > mWmiY1RlN6aQDk-q60Cy76Au0CHjeYa4qo0N7e7Pbcw_OwHSJmMQEw- > s1RBUJ4y6oFf9cEpLQYDcTs0wQjUve2_zzbI9paFZA- > 4MBZn0OAqSr0fdyihKQa3NGk1XSLahRHT9H7YKUQRhaX3y6FotZjUaGOWboG > oYn8PQTT6koyyBuC- > 044fxL0XE8xRruYOPBELAZNVU7IzdE2id8hrzrFn7l2jmuWLTxkW- > AQ15CZUebkaGsbll_tyh8jDt08gBNpnPtXVKTMbDEYJw- > p1P3j3Zh6JpKCiC3jVpJ69E80VUm5h1S79Gwhy6xG1BYx6pTfwpQ3h1_jVWXz3 > NLXmybP77Lu56CC_6htKsu1YTZVPIbw%3D&u=https%3A%2F%2Fcrt.sh%2F% > 3Fsha256%3D09AECE5B94BBB8A9EE2152FA6FB7261630124918DA015EB35715 > 08EF6D31DD30 > https://clicktime.symantec.com/a/1/s2LLW3OI_Iy8EHFssVpBCwNmh > ZYy1Fj3Jzz9JIZSFpQ=?d=6VMu_T- > sR5eKmPW2WR2IXMmMu2l3NuU1xwSCzx- > S8H67_QVReqcePQ_O3DgBf_CHNp7acC3LqzelBaMae64LokDHJrk3XCy9cJBj7 > mWmiY1RlN6aQDk-q60Cy76Au0CHjeYa4qo0N7e7Pbcw_OwHSJmMQEw- > s1RBUJ4y6oFf9cEpLQYDcTs0wQjUve2_zzbI9paFZA- > 4MBZn0OAqSr0fdyihKQa3NGk1XSLahRHT9H7YKUQRhaX3y6FotZjUaGOWboG > oYn8PQTT6koyyBuC- > 044fxL0XE8xRruYOPBELAZNVU7IzdE2id8hrzrFn7l2jmuWLTxkW- > AQ15CZUebkaGsbll_tyh8jDt08gBNpnPtXVKTMbDEYJw- > p1P3j3Zh6JpKCiC3jVpJ69E80VUm5h1S79Gwhy6xG1BYx6pTfwpQ3h1_jVWXz3 > NLXmybP77Lu56CC_6htKsu1YTZVPIbw%3D&u=https%3A%2F%2Fcrt.sh%2F% > 3Fsha256%3DCC0A2AE0EF5B1A6CF242D7B4C77AC9F05B49494B42C8486B4780 > 4874734CFC1C > https://clicktime.symantec.com/a/1/A3K4rj0hMWJHEL8Gwbg3A3_fK > cWxBCrko0KsDdX3jPw=?d=6VMu_T- > sR5eKmPW2WR2IXMmMu2l3NuU1xwSCzx- > S8H67_QVReqcePQ_O3DgBf_CHNp7acC3LqzelBaMae64LokDHJrk3XCy9cJBj7 > mWmiY1RlN6aQDk-q60Cy76Au0CHjeYa4qo0N7e7Pbcw_OwHSJmMQEw- > s1RBUJ4y6oFf9cEpLQYDcTs0wQjUve2_zzbI9paFZA- > 4MBZn0OAqSr0fdyihKQa3NGk1XSLahRHT9H7YKUQRhaX3y6FotZjUaGOWboG > oYn8PQTT6koyyBuC- > 044fxL0XE8xRruYOPBELAZNVU7IzdE2id8hrzrFn7l2jmuWLTxkW- > AQ15CZUebkaGsbll_tyh8jDt08gBNpnPtXVKTMbDEYJw- > p1P3j3Zh6JpKCiC3jVpJ69E80VUm5h1S79Gwhy6xG1BYx6pTfwpQ3h1_jVWXz3 > NLXmybP77Lu56CC_6htKsu1YTZVPIbw%3D&u=https%3A%2F%2Fcrt.sh%2F% > 3Fsha256%3DF177AC0064167354025CE12B3914A0E056628DD31152B5DF22E41 > 913FC9D9B45 > https://clicktime.symantec.com/a/1/8BpzYG4IsDaFzKnBM5ZFLCABF6 > 94TPWDHnQRABD_Yps=?d=6VMu_T- > sR5eKmPW2WR2IXMmMu2l3NuU1xwSCzx- > S8H67_QVReqcePQ_O3DgBf_CHNp7acC3LqzelBaMae64LokDHJrk3XCy9cJBj7 > mWmiY1RlN6aQDk-q60Cy76Au0CHjeYa4qo0N7e7Pbcw_OwHSJmMQEw- > s1RBUJ4y6oFf9cEpLQYDcTs0wQjUve2_zzbI9paFZA- > 4MBZn0OAqSr0fdyihKQa3NGk1XSLahRHT9H7YKUQRhaX3y6FotZjUaGOWboG > oYn8PQTT6koyyBuC- > 044fxL0XE8xRruYOPBELAZNVU7IzdE2id8hrzrFn7l2jmuWLTxkW- > AQ15CZUebkaGsbll_tyh8jDt08gBNpnPtXVKTMbDEYJw- > p1P3j3Zh6JpKCiC3jVpJ69E80VUm5h1S79Gwhy6xG1BYx6pTfwpQ3h1_jVWXz3 > NLXmybP77Lu56CC_6htKsu1YTZVPIbw%3D&u=https%3A%2F%2Fcrt.sh%2F% > 3Fsha256%3DDA7B1D433C071DA7A389EE2A4CAB854B89E441277B41E608F05F > B7C7C6B2A761 > > For more, see: > > https://clicktime.symantec.com/a/1/_sbN9qKZDejSAj1U7evxJlBm83 > RyY17fLL1MikfsplM=?d=6VMu_T- > sR5eKmPW2WR2IXMmMu2l3NuU1xwSCzx- > S8H67_QVReqcePQ_O3DgBf_CHNp7acC3LqzelBaMae64LokDHJrk3XCy9cJBj7 > mWmiY1RlN6aQDk-q60Cy76Au0CHjeYa4qo0N7e7Pbcw_OwHSJmMQEw- > s1RBUJ4y6oFf9cEpLQYDcTs0wQjUve2_zzbI9paFZA- > 4MBZn0OAqSr0fdyihKQa3NGk1XSLahRHT9H7YKUQRhaX3y6FotZjUaGOWboG > oYn8PQTT6koyyBuC- > 044fxL0XE8xRruYOPBELAZNVU7IzdE2id8hrzrFn7l2jmuWLTxkW- > AQ15CZUebkaGsbll_tyh8jDt08gBNpnPtXVKTMbDEYJw- > p1P3j3Zh6JpKCiC3jVpJ69E80VUm5h1S79Gwhy6xG1BYx6pTfwpQ3h1_jVWXz3 > NLXmybP77Lu56CC_6htKsu1YTZVPIbw%3D&u=https%3A%2F%2Fcrt.sh%2F% > 3FO%3Dtest >> _______________________________________________ > dev-security-policy mailing list > dev-secur...@lists.mozilla.org > https://lists.mozilla.org/listinfo/dev-security-policy |
| Re: Misissued/Suspicious Symantec Certificates | Nick Lamb | 21/01/17 06:09 | On Thursday, 19 January 2017 21:46:38 UTC, Andrew Ayer wrote:Crosscert aka Korea Electronic Certification Authority, Inc. has applied to the Mozilla root programme and was identified as a "Super CA" which I understand to mean that they themselves just sign other CA certificates for third parties. Of course these certificates were issued by Symantec as a member of Mozilla's root programme, all responsibility for ensuring their CA doesn't issue bogus certificates lies with Symantec, not with Crosscert. |
| RE: Misissued/Suspicious Symantec Certificates | Steve Medin | 21/01/17 06:35 | The listed Symantec certificates were issued by one of our WebTrust audited
partners. We have reduced this partner's privileges to restrict further issuance while we review this matter. We revoked all reported certificates which were still valid that had not previously been revoked within the 24 hour CA/B Forum guideline - these certificates each had "O=test". Our investigation is continuing. > 2. The third certificate in the list above contains a SAN for |
| Re: Misissued/Suspicious Symantec Certificates | Ryan Sleevi | 23/01/17 17:59 | Steve,
While I understand that your investigation is ongoing, this does seem extremely similar, if not identical, to Symantec's previous misissuance. In that previous incident, Symantec took a number of steps - beginning with reportedly immediately terminating the employees responsible and then continuing to a comprehensive system overhaul, as detailed at https://www.symantec.com/page.jsp?id=test-certs-update# What is particularly concerning here is that your current explanations suggest that either they are incomplete, or that Symantec's previous answers were either misleading or incorrect. This is extremely concerning, and I'm hoping you can clarify with answers to the following questions, independent of your ongoing investigation and as soon as possible: 1) In response to the previous incident, Symantec indicated they hold a "no compromise" bar for such breaches in the post titled "A tough day as leaders". [1] a) Do you believe that the steps to "reduce privileges" represent a consistent application of that standard? b) If not, what additional steps are you taking, consistent with your "no compromise" standard? 2) In response to the previous incident, Symantec indicated that the use of any privileged test tool would require senior leader justification from both QA and Production Operations teams and approvals from the heads of Engineering and Policy Compliance. [2] a) Did Symantec mean that this was limited to validations performed by Symantec, and not that of Registration Authorities fulfilling the duties pursuant to Section 1.3.2 of the Baseline Requirements? b) At the time Symantec made this statement, did Symantec have any Registration Authorities fulfilling the duties pursuant to Section 1.3.2 of the Baseline Requirements? c) If such a statement was meant to be limited to Symantec, and not that of Registration Authorities, why did Symantec not feel it was appropriate to highlight that it did not extend to activities performed by Registration Authorities? d) If such a statement was not meant to be limited to Symantec, was such a justification provided, and approvals granted, for the tool that allowed such Registration Authorities to issue these certificates? 3) In response to the previous incident, Symantec indicated a comprehensive review of issuance privileges was conducted to ensure only authorized personnel have the ability to issue certificates, and that a quarterly access review would be conducted to ensure this. [2] a) Did such comprehensive review include that of Registration Authorities? b) If not, why did Symantec not disclose that Registration Authorities were excluded? c) Is Symantec currently performing access reviews of Registration Authorities? d) If so, when does Symantec expect this to be completed? 4) In response to the previous incident, Symantec indicated it updated its internal policies and procedures for test certificates as used for commercial certificates. Further, it indicated that QA engineers and authentication personnel were trained on updated practices for test certificates. [2] a) Did Symantec include Registration Authorities in the scope of that training? b) If not, why did Symantec not disclose that Registration Authorities were excluded? c) If so, why did Symantec's corrective actions for the previous misissuance fail to prevent this continued misissuance? 5) You have indicated that you have at least one WebTrust audited partner capable of causing issuance using Symantec-operated CAs. a) Please provide a link to the audit results for each of these WebTrust audited partners. b) Have you suspended the capabilities of these partners until Symantec completes its investigation? c) If not, why not, and when do you expect to do so? 6) Does Symantec allow is Registration Authorities to deviate from the policies and standards set forth by its CP, CPS, and internal policies and controls? a) If not, why did Symantec fail to detect that its Registration Authorities were deviating from its policies for this long? b) If so, where does Symantec disclose this deviation within its CP and/or CPS? 7) When do you expect to provide the next update as to the ongoing investigation? If it is not within the next three days, why? Thank you for your time in answering each and every one of these questions and providing further details, so as to help inform the broader community as to the steps Symantec has taken and is taking to prevent continued misissuance contrary to the Baseline Requirements and the Mozilla CA Certificate Policy. [1] http://archive.is/Ro70U [2] https://www.symantec.com/page.jsp?id=test-certs-update |
| Re: Misissued/Suspicious Symantec Certificates | Hanno Böck | 24/01/17 01:38 | Hello,
I have a few observations to share about this incident, not sure how relevant they are. There are 4 "example.com" certificates related to this incident. There are 114 "O=test" certificates that I assume are related to this incident. This includes all certificates with a "Not Before" date of 2016-10 and later. crt.sh finds various older certificates with O=test from various CAs, but I guess they are unrelated. Issuers ======= The affected certificates were issued by three different intermediates owned by Symantec: Symantec Class 3 Secure Server CA - G4 thawte SSL CA - GeoTrust SSL CA - G3 Now Symantec told us these certificates were issued by one of their WebTrust partners. This got me curious if it's usual that Symantec gives their partners access to their systems in a way that they can use various different intermediates related to different brand names. This document here https://cert.webtrust.org/SealFile?seal=2168&file=pdf indicates that Korea Electronic Certification Authority Inc. ("CrossCert"), which is probably the partner Symantec is talking about, is allowed to issue certificates with these intermediates VeriSign Class 3 Secure Server CA - G3 VeriSign Class 3 International Server CA - G3 Symantec Class 3 Secure Server CA - G4 Which - as can be obviously seen - don't match. (nitpick: It seems the PDF doc has a bogus document title which looks like some changelog entry) Revocations =========== The 4 example certs were already revoked when Andrew Ayer made this incident public. From the 114 "O=test" certificates 62 were revoked at some point in 2016, so before the incident became public. 52 were revoked at some point in 2017. 37 of those were revoked on 2017-01-20, so directly afterthe incident got public. (I've counted this because in a statement sent to the media Symantec said that when they learned about this incident "most" certificates were already revoked. I feel I have a different definition of the word "most".) Other O=test certificates ========================= A quick run through other "O=test" certs: * "Cybertrust Japan Co.. Ltd." seems to have issued a large number of them, but a few checks indicate they are issued to domains they own. Not sure if that's still considered a problem, as "O=test" is obviously a bogus org, but at least they seem to not issue certs for other people's domains. * There's one cert issued by "SHECA" which is itself an intermediate signed by "UniTrust". It's issued for a public IP. UniTrust seems to be accepted by Apple+Microsoft, but not by Mozilla+Chrome. https://crt.sh/?id=32335050 -- Hanno Böck https://hboeck.de/ mail/jabber: ha...@hboeck.de GPG: FE73757FA60E4E21B937579FA5880072BBB51E42 |
| Re: Misissued/Suspicious Symantec Certificates | Andrew Ayer | 24/01/17 12:03 | Hi Hanno,
Thanks for sharing these. I found them interesting. I count 101 distinct O=test certificates with a notBefore date of 2016-10 or later (of these, 2 also have DNS name for *test*.com; also, there are 3 certs for *test*.com without O=Test). Might you be double-counting certs and their corresponding pre-certs? Regards, Andrew |
| Re: Misissued/Suspicious Symantec Certificates | Ryan Sleevi | 26/01/17 09:52 | Steve,
Have you had a chance to review these questions? Considering that these are all about existing practices, and as a CA should be readily available and easy to answer, I'm hoping you can reply by end of day. Please consider this a formal request from Google as part of investigating this incident. |
| RE: Misissued/Suspicious Symantec Certificates | Steve Medin | 26/01/17 21:27 | Here is an attached PDF update regarding this certificate problem report.
> -----Original Message----- |
| Re: Misissued/Suspicious Symantec Certificates | Kathleen Wilson | 26/01/17 21:36 | On Thursday, January 26, 2017 at 9:27:52 PM UTC-8, Steve Medin wrote:The PDF file provided by Steven has been attached to this bug: https://bugzilla.mozilla.org/show_bug.cgi?id=1334377 Direct link to pdf file: https://bug1334377.bmoattachments.org/attachment.cgi?id=8831038 Cheers, Kathleen |
| Re: Misissued/Suspicious Symantec Certificates | Ryan Sleevi | 26/01/17 21:36 | The PDF that was stripped is available at
https://bug1334377.bmoattachments.org/attachment.cgi?id=8831038 On Thu, Jan 26, 2017 at 5:30 PM, Steve Medin <Steve...@symantec.com> wrote: > > -----Original Message----- |
| Re: Misissued/Suspicious Symantec Certificates | Jakob Bohm | 26/01/17 23:18 | (continuing top post for consistency)
For the certificates that are noted as "revoked on the day of issuance", it would (both in this and the general case), be more informative to state the revocation delay in a smaller unit of measure, such as hours (or even smaller if less than an hour). It is of cause noted, that most of the relevant timestamps are (or were at the time) recorded with a precision of 1s in published PKI objects, although parties outside the CA not have an easy way to obtain reliable copies of the revocation responses that the CA would have issued, and thus the timestamps of revocation becoming known to revocation-checking relying parties (which is different from the time that the revocation may have been also communicated to independent logging systems). Enjoy Jakob -- Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10 This public discussion message is non-binding and may contain errors. WiseMo - Remote Service Management for PCs, Phones and Embedded |
| Re: Misissued/Suspicious Symantec Certificates | Jakob Bohm | 26/01/17 23:36 | (continuing top posting for consistency)
In order to clarify the potential risk/damage to the Web PKI, it would be useful to clarify the following in a later report (since this would require additional investigation): Were the web identities (DNS names etc.) in the category C, D, E and F certificates properly vetted as per the CP/CPS etc., the certificates simply replaced the vetted organization name with "test" in the X.500 distinguished name? Or were some of those issued for insufficiently (or actually incorrect) web identities? To the safety of the web PKI this makes a big difference, since if the web identities were properly and correctly vetted, then the only real danger was relying parties seeing the word "test" in some user interfaces instead of the real organization name, thus conferring less trust (failing closed). If on the other hand the web identities were insufficiently vetted, then the certificates conferred a security claim to relying parties not being shown or otherwise inspecting the O= field (failing open). |
| Re: Misissued/Suspicious Symantec Certificates | Gervase Markham | 27/01/17 04:11 | Hi Steve,
Thanks for the update. Here are some questions: * It's not clear what the problem is with the issuance in category F. I don't see any mention of "dev119money.com" in Andrew's initial report. Can you explain (and provide a crt.sh link)? * Root Cause, bullet 2 refers to "certificates issued between July 2016 and January 2017"; is it correct that this corresponds to categories A (one of four certificates), B, D, E and F? * What processes, other than requiring and inspecting a WebTrust report, does Symantec have in place to ensure that its RAs behave in accordance with the CP and CPS of the Symantec-owned roots under which they are issuing? (Perhaps this will be covered in the report you will issue after the "additional follow-up" steps are completed?) * Do such processes include regular, occasional or any review of the audit logs which show the overriding of compliance failure flags? Gerv |
| Re: Misissued/Suspicious Symantec Certificates | Nick Lamb | 27/01/17 09:43 | On Friday, 27 January 2017 12:11:06 UTC, Gervase Markham wrote:https://crt.sh/?id=48539119 appears to be the certificate in question. The certificate is clearly bogus in that it identifies the Subject O=test, OU=test, etc. yet real DNS names are included in the SANs. It is not clear to me either why this is different from Category D and so I too would appreciate more information from Steven about that. |
| RE: Misissued/Suspicious Symantec Certificates | Steve Medin | 28/01/17 18:28 | Symantec's auditors, KPMG, completed a scan of CrossCert certificates to
detect potential mis-issuance. On Thursday, January 26, 2017 at 4:08pm PST, KPMG provided a report that listed 12 problem certificates that were not in Andrew Ayer's report. We began an investigation into that certificate problem report at 6:30pm PST Thursday. Six of the certificates contained numbers in the locality, two were street addresses and four were Bangladeshi postal codes appended to the city name. Six contained the word "test" in the organization, but were false positives for legitimate organization names. We completed our investigation of these 12 certificates by requesting archived documentation. CrossCert was unable to produce documentation to prove their validation as required under BR 5.4.1. We revoked all 12 certificates within 24 hours of becoming aware of CrossCert's BR 5.4.1 non-compliance. Our investigation continues. Links: https://crt.sh/?id=16869385 https://crt.sh/?id=11199825 https://crt.sh/?id=11633501 https://crt.sh/?id=11281299 https://crt.sh/?id=11283579 https://crt.sh/?id=12504637 https://crt.sh/?id=42016028 https://crt.sh/?id=13161832 https://crt.sh/?id=13161834 https://crt.sh/?id=13161835 https://crt.sh/?id=25211067 https://crt.sh/?id=47456180 |
| Re: Misissued/Suspicious Symantec Certificates | Nick Lamb | 29/01/17 04:39 | On Sunday, 29 January 2017 02:28:53 UTC, Steve Medin wrote:Several of these certificates appear, on any surface inspection, to be legitimate certificates issued to real subscribers and yet presumably CrossCert was not able to document validation. So several thoughts arise, I appreciate that you might want to do more investigation before replying Steve, not least because there are quite a few questions here - and as always I welcome feedback from other participants meanwhile. 1. The six "false positive" certificates appear unremarkable except for the coincidence of including the word "test". If CrossCert can't produce documentation to show these were validated properly, it seems likely that many or even all certificates which Symantec had believed were validated by CrossCert in fact lack such documentation. Is that not so? 2. It had been my assumption, based on the CPS and other documents, that CrossCert was restricted in their use of Symantec's issuance function to C=KR, this is cold comfort for practical purposes in the Web PKI, but it would at least help us to scope any damage. The existence of certificates with C=BD in this list shows my assumption was wrong. How (if at all) can an outsider determine if in fact CrossCert caused issuance of a Symantec certificate ? Prior to Andrew's report what _mechanical_ constraints on CrossCert's issuance were in place, in particular any beyond those which were applied to Symantec's own issuances? For example, would it have been possible for them to cause issuance of a 5-year cert? A SHA-1 certificate? To choose specific serial numbers? 3. Since we have every reason to imagine that some (or even all) of the affected certificates were issued in good faith to legitimate subscribers, it would have been nice for Symantec to alert the subscribers when their certificates were revoked. Did Symantec do this? If not does Symantec have the capability to contact these subscribers itself (e.g. email addresses, phone numbers)? If not, does Symantec contractually require of RA partners that they provide a capability for Symantec to contact their subscribers, or relay a message chosen by Symantec on their behalf ? 4. Although BR 5.4.1 says that these records are to be kept by the CA and each Delegated Third Party the obligation is on the CA (here, Symantec) to make the records available to their auditors. Is it in fact the case that this investigation is the first time Symantec has asked Crosscert for such records ? Wasn't Symantec concerned that KPMG (in a routine audit) might ask to see these records but they didn't have them ? Might not other RA partners be affected similarly ? 5. As Symantec will know from its own experience, audits have not proved to be sufficient for detecting systematic non-compliance by CAs. What measures _beyond_ the Webtrust audit did Symantec have in place to detect non-compliance by an RA partner ? |
| Re: Misissued/Suspicious Symantec Certificates | Gervase Markham | 30/01/17 03:10 | Hi Nick,
Could you point is at the parts of the CPS or other documents which led you to that belief? Gerv |
| Re: Misissued/Suspicious Symantec Certificates | Nick Lamb | 30/01/17 04:51 | On Monday, 30 January 2017 11:10:00 UTC, Gervase Markham wrote:I examined a great many documents since Andrew's initial report. I think the document which originally caused me to form this incorrect assumption was CrossCert Certification Practice Statement Version 3.8.8 Effective Date: JUNE 29, 2012 this file was available from http://www.crosscert.com/symantec/certificationeng.pdf and is linked from the 2016 WebTrust audit report for CrossCert This document (which I will call CPS 3.8.8) contains a section 3.1.1 Type of Names which asserts "End-user Subscriber Certificates contain an X.501 distinguished name in the Subject name field and consist of the components specified in Table 5 below." Table 5 in CPS 3.8.8 says that the attribute Country (C) shall have the value “KR” or not used. It seemed to me that this document established that as a Relying Party I should conclude an end entity certificate with C=BD is not from CrossCert. Perhaps there's _another_ CPS somewhere else that says otherwise ? |
| Re: Misissued/Suspicious Symantec Certificates | Gervase Markham | 30/01/17 06:35 | On 30/01/17 12:51, Nick Lamb wrote:That date is interesting. The BRs require CPSes to be revised yearly. That seems reasonably conclusive on the face of it. I'm sure Steve will have noted this point and I hope he will address it in any further update on the CrossCert situation. Gerv |
| Re: Misissued/Suspicious Symantec Certificates | Ryan Sleevi | 30/01/17 09:36 | Steve,
As captured in our private mail exchange last week, Symantec's report fails to meaningfully address each or any of the questions I raised. Google considers it of utmost urgency that Symantec share the answers to these questions, posed a week ago, and based on Symantec's multiple public statements regarding the previous misissuance. Please confirm your receipt of these questions and your intent to provide an answer to the community by end of day, so that we can consider Symantec's answers when considering appropriate next steps to protect our users. In the absence of timely information from a CA following a misissuance, it's both necessary and reasonable to consider the worst as plausible. For your reference, https://groups.google.com/d/msg/mozilla.dev.security.policy/fyJ3EK2YOP8/chC7tXDgCQAJ |
| Re: Misissued/Suspicious Symantec Certificates | Andrew Ayer | 30/01/17 09:52 | I would appreciate confirmation from Steve, but note that dev119money.com
is not currently a registered domain name. Regards, Andrew |
| Re: Misissued/Suspicious Symantec Certificates | Nick Lamb | 30/01/17 14:52 | On Monday, 30 January 2017 17:52:34 UTC, Andrew Ayer wrote:Ah yes, none of the names on that certificate currently exist in the Internet DNS: devhkhouse.co.kr and devhkautoloan.co.kr don't match anything either. Thank you for spotting this Andrew. However the names hkhouse.co.kr and hkautoloan.co.kr do exist, they are both currently registered to HK savings bank in the wealthy (and now internationally famous) Gangnam district of Seoul. 911money.com also exists, but appears to be owned by a sketchy US outfit, possibly just harvesting vaguely finance-related domains for re-sale. However, m911money.com is owned by HK savings bank too. HK Savings Bank has certificates from Symantec today, I do not know if CrossCert acted as RA for these certificates. So, I suppose that this certificate is essentially a typographical error on an enormous scale, like the (fictitious but popular) story that the UK's Guardian newspaper once managed to spell its own name in the masthead "Grauniad". On this basis I think it's reasonably likely that CrossCert is merely spectacularly incompetent, it (at least sometimes and perhaps always) did not validate DNS names before causing Symantec to issue a certificate and so as a result instead of typo-ridden applications being rejected because they wouldn't validate, bogus certificates were issued. Detecting such incompetence was Symantec's responsibility and we await any real information about why they failed to do that. |
| RE: Misissued/Suspicious Symantec Certificates | Steve Medin | 30/01/17 19:52 | Our response to questions up to January 27, 2017 has been posted as an
attachment to bug https://bugzilla.mozilla.org/show_bug.cgi?id=1334377. The direct attachment link is: https://bugzilla.mozilla.org/attachment.cgi?id=8831933. The bug report contains additional documentation supporting our response. From: Ryan Sleevi [mailto:ry...@sleevi.com] Sent: Monday, January 30, 2017 12:36 PM To: Ryan Sleevi <ry...@sleevi.com> Cc: Steve Medin <Steve...@symantec.com>; Andrew Ayer <ag...@andrewayer.name>; mozilla-dev-s...@lists.mozilla.org Subject: Re: Misissued/Suspicious Symantec Certificates |
| Re: Misissued/Suspicious Symantec Certificates | Jakob Bohm | 31/01/17 10:41 | Glad you also answered the key question I posted some time ago (the
last one in the PDF). According to your answer it appears that the majority of problematic certificates were, to the WebPKI relying parties, correct and valid certificates that simply had the legal names of the certificate holders safely replaced by the non-confusing (in several languages) word "test". Such certificates, while they may technically violate one or more CP/CPS/BR rules, are not really dangerous, as they provide the information of a DV certificate with the stronger vetting of an OV certificate. However the incident seems to have revealed deeper and more serious issues such as bad vetting and failure to retain vetting records.
|
| Re: Misissued/Suspicious Symantec Certificates | Gervase Markham | 04/02/17 03:11 | On 31/01/17 04:51, Steve Medin wrote:
> Our response to questions up to January 27, 2017 has been posted as an > attachment to bug https://bugzilla.mozilla.org/show_bug.cgi?id=1334377. Quoting that document: "Q: 4) In response to the previous incident, Symantec indicated it updated its internal policies and procedures for test certificates as used for commercial certificates. Further, it indicated that QA engineers and authentication personnel were trained on updated practices for test certificates. a) Did Symantec include Registration Authorities in the scope of that training? A: We did not train partners on an issue that pertained to a tool they could not access." -- That seems to miss the point of the question somewhat. The problem in the previous incident was poor practices surrounding the issuance of test certificates, not simply the tool that was used to issue them. 1) Did Symantec do any additional training for RAs regarding the issuance of test certificates after the last incident? If not, why not? Did Symantec believe that it was very unlikely for RA personnel to make the same mistakes or have the same misunderstandings of what was appropriate as Symantec's personnel? You also write: "Category C concluded prior to that last audit’s review period." 2) Is your understanding that, when WebTrust audits are sampling, they sample only certificates issued during the review period? Or should they be sampling certificates issued during the entire period covered by the audit? If the latter, did their sampling (3%, isn't it?) hit any Category C certificates? How many certificates were in the sample pool? 3) To be totally clear: would it be correct to say that up until this point, examining WebTrust audits was the only mechanism that Symantec used to _check_ the conformance of their RAs to Symantec's CP/CPS and other requirements? (I see you give them software, and docs, and training, but was this the only _checking_ mechanism?) New question: 4) Is there any reliable programmatic way of determining, looking only at the contents of the certificate or certificate chain, that a certificate was issued by CrossCert personnel using their processes, as opposed to by Symantec personnel or by another RA? We look forward to hearing the answers to these questions and further updates on the situation with CrossCert. Thanks, Gerv |
| Re: Misissued/Suspicious Symantec Certificates | Ryan Sleevi | 04/02/17 05:33 | On Sat, Feb 4, 2017 at 3:10 AM, Gervase Markham <ge...@mozilla.org> wrote:Gerv, as the information Steve shared about their other RAs show, their issues with RAs are not limited to CrossCert, unfortunately. Check out the rest of the details included. Steve: Given the many issues very clear from CrossCert's CP/CPS, and the many audit issues disclosed in CertSuperior's report, I'd like to request that you also disclose the CP/CPS for these CAs. For example, CertiSign's CP/CPS is not immediately obvious to me as to what Symantec was relying on EY to audit. |
| Re: Misissued/Suspicious Symantec Certificates | Gervase Markham | 04/02/17 06:38 | On 04/02/17 14:32, Ryan Sleevi wrote:Ouch. Thank you for drawing these to my attention; I had neglected to read them. Gerv |
| Re: Misissued/Suspicious Symantec Certificates | M H | 04/02/17 16:43 | As a side note to the main topic, I find it curious and a little disconcerting that the referred link to the E&Y assessement of CrossCert, (outlined in Point 2 of "Additional Follow-ups") found on the document linked by Steve (here :
https://bug1334377.bmoattachments.org/attachment.cgi?id=8831038 ) uses this web address for accessing the E&Y assessment: https://cert.webtrust.org/SealFile?seal=2168&file=pdf and that access this address gives a > Secured Connection Failure: SSL_ERROR_UNSAFE_NEGOTIATION status. This (webtrust) organisation which seems to run the role of certifying PKI distributing authorities (such as CrossCert, Symantec, etc) can't use a half decent security certificate for their own sites! Disappointing. p.s> Aferwards, running the address through SSLLabs Test it get's an F. See: https://www.ssllabs.com/ssltest/analyze.html?d=cert.webtrust.org Very Disappointing. Further information (you probably already know but just for competeness sake. >From their website: ----------------------------- What is the purpose of the WebTrust for CAs program The WebTrust for CAs program helps to ensure that proper procedures are followed in activities involving e-commerce transactions, public key infrastructure (PKI), and cryptography. In online trust and e-commerce transactions, confidentiality, authentication, integrity, and nonrepudiation are vitally important. These requirements are satisfied using PKI and SSL Certificates. A certification authority verifies the identity of an organization/entity and issues a certificate that the organization can use to prove their identity. CAs are taking an increasingly important role in the security of e-commerce. Although there are many national, international, and proprietary standards and guidelines for the use of cryptography, the management of digital certificates, and the policies and practices of CAs, these standards have not been applied uniformly. The AICPA/CICA WebTrust Program for Certification Authorities ensures that specific policies are implemented and enforced. ----------------------------- And this organisation can't supply valid TLS certificates for their own websites? Jeeeeeeee |
| Re: Misissued/Suspicious Symantec Certificates | Peter Gutmann | 04/02/17 21:20 | Martin Heaps <mar...@mhcreations.co.uk> writes: >web address for accessing the E&Y assessment: That's not a cert issue, it's Firefox objecting to the version of SSL/TLS the Peter. |
| Re: Misissued/Suspicious Symantec Certificates | Gervase Markham | 05/02/17 01:48 | On 05/02/17 06:20, Peter Gutmann wrote:That machine definitely needs a webserver upgrade. Gerv |
| Re: Misissued/Suspicious Symantec Certificates | Gervase Markham | 07/02/17 08:08 | Hi Steve,
It's now ten days later; are Symantec in a position to answer the next batch of questions, and also give us an update on the general progress of your investigation into CrossCert and any other RA difficulties you may have discovered? Gerv |
| Re: Misissued/Suspicious Symantec Certificates | Gervase Markham | 08/02/17 01:52 | I contacted CPA Canada and got the following response:
"Thanks for your kindly worded note. We are aware of the deficiencies and have handed the issue over to the IT group at CPA Canada. They are in the process of making changes but there have been some other issues exposed in the process, for example, getting the program to operate on a new server. The IT group is working on this project currently but at the moment I don’t have a time frame for when changes can be made." Gerv |
| Re: Misissued/Suspicious Symantec Certificates | Ryan Sleevi | 08/02/17 19:08 | On Sat, Feb 4, 2017 at 3:10 AM, Gervase Markham <ge...@mozilla.org> wrote: > On 31/01/17 04:51, Steve Medin wrote: > Quoting that document:Steve, To echo Gerv's remarks, the statement Symantec issued for the previous misissuance [1] stated: "Symantec has updated its internal policies and procedures to strongly reinforce that all test certificates must follow the same fulsome authentication procedures as commercial certificates." Section 9.8 of the Baseline Requirements, v1.4.2 states "For delegated tasks, the CA and any Delegated Third Party MAY allocate liability between themselves contractually as they determine, but the CA SHALL remain fully responsible for the performance of all parties in accordance with these Requirements, as if the tasks had not been delegated. " 1) Does Symantec believe that the original statement is sufficiently clear that it was limited solely to Symantec's role in validating, and did not extend to that of Delegated Third Parties? 2) Did Symantec management believe it was not necessary to notify and inform its Delegated Third Parties about the need and significance to conform to Symantec's CP and CPS, and of the necessity of ensuring that all issued certificates - regardless of mechanism - must follow the same fulsome authentication procedures? Similarly, the statement Symantec issued for the previous misissuance [1] stated: "Symantec updated its internal policies, procedures, and trainings to clarify the April 2014 change in the Baseline Requirements that removed authorization to issue certificates to unregistered domains." Your most recent response, [2], notes that: "RAs are required to follow the same policies as set forth in Symantec’s CP and CPS documents." Regarding Certisign: 3) The most recent version of Certisign's CP/CPS that I'm able to publicly confirm is http://vtn.certisign.com.br/repositorio/politicas/DPC_ da_Certisign.pdf , which is dated 2012. Is this the correct CP/CPS? 4) Can Symantec confirm that this is the CP/CPS that was audited? 5) Does Symantec believe that this CP/CPS is consistent with Symantec's update CP and CPS documents updated in response to the previous misissuance? 6) Does Symantec believe that the audit letter, indicated in [2], which clearly indicates that the effective criteria were based on "SSL Baseline Requirements Audit Criteria, Version 1.1", available at [3], represents a sufficient demonstration of conformance to Symantec's CP/CPS? 7) Does Symantec believe that the audit letter, indicated in [2], conducted by Ernst and Young Brazil, conforms with the professional obligations with respect to WebTrust licensing, and Symantec's obligation to ensure said compliance as part of its Delegated Third Party conformance to the Baseline Requirements' audit standards? Specifically, the requirement to use "WebTrust for CA - SSL Baseline with Network Security 2.0" for all audits whose periods begin after 1-Jul-14, which EY Brazil demonstrably did not follow? Regarding Certsuperior: Symantec has indicated that the 2016 audit of Certsuperior was qualified, as demonstrated in [4]. During Symantec's previous misissuance event, Symantec noted that: "We have also enhanced our compliance function by consolidating all compliance activities into a single group reporting directly to the head of our Website Security business unit. This change was made in January 2016; this new compliance structure includes enhanced identification, tracking, prioritization and resolution of compliance-related updates, which will help ensure that CA/Browser Forum rule changes are effectively implemented." 8) Was Symantec's compliance group involved in reviewing the qualified audit report findings? 9) Did Symantec's management or compliance group disclose this qualification to Mozilla? 10) Did Symantec's management or compliance group make its determination of Certsuperior's compliance to Symantec's CP/CPS using Certsuperior's publicly available CP/CPS, which Certsuperior's auditor, Deloitte, noted in [4] that "The policies, procedures, and agreements are not available for consultation." and that "The CPS published is illegible"? 11) If not, what CP/CPS did Symantec use, and how did Symantec ensure it was appropriately audited? 12) If so, how did you do so, when the auditors themselves were not able to? 13) Given Symantec's previous statements regarding "holding ourselves to a 'no compromise' bar" [5], and the numerous issues identified in [4], including an audit finding of "We noted roles of users that are not Trusted Roles with access to validation requests at the web application", a "lack of network segmentation for distinguishing between equipment with access to applications and that which are not part of the validation process", and that Certsuperior's network scans were "not performed with sufficient periodicity and had only ever been executed over the https://www.certsuperior.com website" and "were executed by personnel without technical skill, ethics code, or independence", why does Symantec still have an RA relationship with Certsuperior? 14) Does Certsuperior pay Symantec to engage as a Registration Authority? 15) If so, what does Symantec believe should be the reasonable interpretation relative to the continued trustworthiness of Symantec and Symantec's management of the fact that Symantec terminated employees for cause for being involved in misissuance, but has continued to engage in a business relationship with entities who have performed demonstrably worse, but which pay Symantec for that privilege? Regarding CrossCert: The audit report indicated in [6] directly states that the audited CP/CPS version of CrossCert is version 3.8.8, available at [7]. This version indicates it was "Published Date: June 29, 2012". This audit was performed by Ernst and Young, Korea. 16) Similar to Q3, is this the correct CPS? 17) Similar to Q5, does Symantec believe this CP/CPS, dated in 2012, is consistent with Symantec's CP/CPS, which was updated in response to past misissuances? Regarding Registration Authorities 18) Can you confirm that Symantec's response in [2] is correct and comprehensive for all brands directly and indirectly operated by Symantec, including, but not limited to, Verisign, Symantec, Thawte, GeoTrust, and RapidSSL offerings? 19) Can you confirm that Certsuperior, Certisign, CrossCert, and Certisur are the only Delegated Third Parties utilized by Symantec, across all Symantec operated CAs that are trusted by Mozilla products? We appreciate your attention to these questions and will thoughtfully consider a response to these questions if received no later than 2017-02-13 00:00:00 UTC. Thanks, Ryan [1] https://www.symantec.com/page.jsp?id=test-certs-update# [2] https://bug1334377.bmoattachments.org/attachment.cgi?id=8831933 [3] http://www.webtrust.org/homepage-documents/item76002.pdf [4] https://bug1334377.bmoattachments.org/attachment.cgi?id=8831930 [5] http://archive.is/Ro70U [6] https://cert.webtrust.org/SealFile?seal=2167&file=pdf [7] http://www.crosscert.com/symantec/certificationeng.pdf |
| Re: Misissued/Suspicious Symantec Certificates | Gervase Markham | 09/02/17 01:57 | On 09/02/17 03:07, Ryan Sleevi wrote:Mozilla also requests answers to these excellent questions under the same terms and, for the avoidance of doubt, interprets the above as the point in time between Sun 2017-02-12 and Mon 2017-02-13, rather than the point in time between Mon 2017-02-13 and Tue 2017-02-14. Gerv |
| Re: Misissued/Suspicious Symantec Certificates | Nick Lamb | 09/02/17 17:23 | On Thursday, 9 February 2017 03:08:14 UTC, Ryan Sleevi wrote:Maybe Ryan has better information than me, but I had assumed that in practice all the companies identified on their site as Symantec "Affiliates" offering SSL are or have been Delegated Third Parties under the BRs. https://forms.ws.symantec.com/verisign-worldwide/index.html I confess that I reached this supposition by Googling "Symantec Crosscert" and thinking about what I found, rather than through deep knowledge of Symantec's business or direct personal information. Symantec provides the following links for "affiliates" offering SSL https://www.acs.altech.co.za/symantec-pki https://www.egypttrust.com/ http://www.comsign.co.il/ http://www.verisign.co.jp/ http://www.crosscert.com/ http://www.itrus.com.cn/ http://www.msctrustgate.com/ http://www.mysecuresign.com/ http://www.niftetrust.com/ http://www.safescrypt.com/ http://www.adacom.com/ http://www.skyrr.is/ http://www.telefonica.es/ http://www.trustitalia.it/ http://www.certsuperior.com/ http://www.certisign.com.br/ http://www.certisur.com/ http://www.e-sign.cl/ Some of those were on Ryan's list above already, and some are defunct, but despite language barriers I think I was able to determine that some of the others are selling Symantec certificates. I suppose it's possible that they're merely acting as resellers and all validation etc. is done by Symantec, but I wanted to flag it up. |
| RE: Misissued/Suspicious Symantec Certificates | Steve Medin | 12/02/17 07:28 | A response is now available in Bugzilla 1334377 and directly at:
https://bugzilla.mozilla.org/attachment.cgi?id=8836487 |
| Re: Misissued/Suspicious Symantec Certificates | Nick Lamb | 12/02/17 10:02 | On Sunday, 12 February 2017 15:28:26 UTC, Steve Medin wrote:Thanks for these responses Steve, I believe that Symantec's decision to terminate the RA Partner programme was a good one, not only in light of what's been found during this specific investigation, but also because it makes the CA function within Symantec simpler. It definitely feels as though some of the issues (big and small) with Symantec's CA function in the past few years grew out of complexity. Simpler systems are easier to correctly reason about and thus to manage properly. Simpler systems are also easier for the Root Programmes to oversee and for the Relying Parties to put their trust in. This group has fought against the presumption that "foreign" CAs are necessarily less trustworthy, but the fact is that a person who was happy with a Symantec certificate on the basis that it was issued by a famous US Corporation might have been very surprised to learn the decision to issue was actually taken by a company they've never heard of in Korea, or Brazil. Given Symantec's experiences here, I would recommend that Mozilla's routine letter to CAs might ask them if they have any similar programme and if so what measures they have in place to ensure their RAs or similar Third Parties are really living up to the standards Mozilla requires. Depending on the responses this might need further action from Mozilla. It would also make sense to ask about this during new CA enrollment. There's maybe a small piece of work here to figure out what sort of characteristics best distinguish something like Symantec's relationship with Crosscert from unremarkable business practices like corporate accounts to issue many certificates without them each being validated separately. |
| Re: Misissued/Suspicious Symantec Certificates | Eric Mill | 12/02/17 11:12 | Though Nick's email implies the announcement, for the benefit of the list,
here's Symantec's introduction at the top of their response: Based on our investigation of CrossCert, we have concerns due to (1) demonstrated non-compliance with processes and controls, (2) assertions of third party auditors that need far greater oversight than we previously expected, and (3) the fact that these issues have enabled cases of certificate mis-issuance. As a result, we have made the decision to terminate our partner RA program. We will continue to work with select partners that have local market contacts and expertise to facilitate an interface with customers and collection of relevant documentation, however Symantec personnel will validate 100% of all asserted identity data and control certificate issuance going forward. We have communicated this change to each of our RA partners, we are finalizing a transition plan, and intend to implement that transition quickly. In addition, to alleviate any concern by customers or relying parties on the integrity of the certificates issued by these RA partners, Symantec will review the validation work of 100% of issued certificates and revalidate any where we identify any deficiency. Certificates issued with deficient validation will be replaced and revoked. Our work will be included in scope of our next WebTrust audits. > _______________________________________________ > dev-security-policy mailing list > dev-secur...@lists.mozilla.org > https://lists.mozilla.org/listinfo/dev-security-policy > -- konklone.com | @konklone <https://twitter.com/konklone> |
| Re: Misissued/Suspicious Symantec Certificates | Eric Mill | 12/02/17 11:27 | Also relevant are Symantec's statements about two E&Y regional auditors.
One section describes contradictions from E&Y KR (Korea) in describing why some CrossCert issuing CAs were not in scope: • The list of CAs in the audit was produced by CrossCert and given to E&Y KR as the scope to audit. It was not given to E&Y by Symantec. • E&Y KR initially stated that CrossCert did not fully disclose the list of CAs. E&Y KR later stated that CrossCert provided a list of all their issuing CAs but reduced the list of issuing CAs in scope of sampling for budgetary reasons. • Due to these conflicting statements and further discoveries explained below, Symantec will no longer accept audits from E&Y KR. And a second section is about contradictions and delays in describing the scope of an audit that E&Y BR (Brazil) performed on Certisign: E&Y BR produced two deficient letters regarding the 2014 and 2015 Certisign audits. Initially we received a letter that stated a January 1, 2014 to December 31, 2014 audit period in its introduction and a January 1, 2014 to December 31, 2015 audit period in its conclusion. The letter appeared to cover a two year period. We asked for clarification multiple times. That clarifying letter stated a 2015 audit period. E&Y BR does not meet our requirements for RA audit quality, timeliness, and responsiveness to our demands. Symantec will no longer accept audits from E&Y BR should we have a future need for in-market audit support. |
| Re: Misissued/Suspicious Symantec Certificates | Andrew Ayer | 12/02/17 12:17 | Hi Steve,
I have a few questions: 1. What criteria is Symantec using to determine if a certificate has a "deficiency" that warrants re-validation? 2. How will Symantec assess whether the domain(s) in a certificate were correctly validated? 3. Is any of the information gathered by processing agents used for domain validation? Regards, Andrew On Sun, 12 Feb 2017 15:27:42 +0000 Steve Medin via dev-security-policy <dev-secur...@lists.mozilla.org> wrote: > > -----Original Message----- |
| Re: Misissued/Suspicious Symantec Certificates | Kurt Roeckx | 13/02/17 01:06 | So after reading this, the following auditors aren't trusted by Symantec
anymore: - E&Y Korea - E&Y Brazil The following isn't trusted by Mozilla anymore: - E&Y Hong Kong This seems to be a worrying trend to me. Kurt |
| Re: Misissued/Suspicious Symantec Certificates | Peter Gutmann | 13/02/17 01:10 | Kurt Roeckx via dev-security-policy <dev-secur...@lists.mozilla.org> writes: >So after reading this, the following auditors aren't trusted by Symantec It's OK, E&Y have offices in 150 countries, it'll take years to go through Peter. |
| Re: Misissued/Suspicious Symantec Certificates | Nick Lamb | 13/02/17 02:10 | On Monday, 13 February 2017 09:06:02 UTC, Kurt Roeckx wrote:Almost certainly it would be wrong for us to look at these three data points and conclude from them that the main problem is EY itself. Not to say they can't do better, or be a key agent of change, but that I believe it would be an error to spend more than a small amount of effort on that. Symantec tripped themselves up here by relying on auditors to check something they were in an excellent position to examine for themselves. If local auditors are incompetent or corrupt and do not uncover policy deviations on the ground, such as lack of physical security or use of untrained staff then that is a problem and only improved audits can fix it. But when it came to issuance Symantec chose to examine audit results rather than look at their own systems to determine what was being issued. Likewise for the documentation capture - Symantec could have known months or years ago if CrossCert's validation was inadequate by seeing the evidence captured, rather than relying on the auditors to determine that. If CrossCert was actually operated by a pair of students from a flat in Amsterdam, but Symantec had been able to achieve confidence that it was adequately validating subject identities and documenting this work correctly it seems to me that the threat to the Web PKI from their deceit is rather modest. Doubtless Symantec would be very unhappy with this purported Korean company, but there wouldn't be bogus certificates out there that should never have been issued, just a bunch of red faces at Symantec. On the other hand, even if auditors flew in from London and New York and from each of the Big Four professional services networks to examine CrossCert's physical site in Korea and their implementation of policy on the ground, that's worthless if CrossCert are anyway still causing Symantec to issue "test" certificates for example.com and Symantec doesn't even detect it. However, I recall that for EY Hong Kong I asked Mozilla / Gerv to ensure the head office in London was informed of Mozilla's decision. I would recommend that Symantec should likewise inform the London head office of their decision. Notionally all the Big Four have global policy and consistency of service set from their head offices, and so that's the place to intervene if there really is anything to be done about the problem. Given the poor quality we've seen in the Big Four's multi-billion dollar financial audit work, compared to their success as almost universally the only firms to get any work from large multi-national companies another reason for my saying we shouldn't throw lots of effort at this part of the problem is that success is unlikely. There is a (disputed) saying in the Web PKI that "Revocation doesn't work". Likewise I would argue, "Audit doesn't work". |
| Re: Misissued/Suspicious Symantec Certificates | Gervase Markham | 13/02/17 04:49 | Hi Steve,
Thank you for this timely response. Mozilla continues to expect answers to all reasonable and polite questions posed in our forum, and is happy that Symantec is taking this approach. Here are some additional questions, although Mozilla as always reserves the right to ask more later. Some of my questions may be similar to those posed by other group participants. * What criteria are Symantec using to judge whether the validation of a particular certificate was deficient and needs redoing? Does this process rely on an assumption that any work logs kept by the RAs are accurate records of work actually done? * When you say "Symantec authorized CrossCert to issue certificates from each of the identified CAs", do you mean all five separate certificates listed to the left of this answer in the document? Or do you mean the top list? Or the bottom list? Or something else? * When the revalidation process is complete, will Symantec be reporting on how many certificates were unable to be revalidated? * Further to your third response, can you provide a list of the certificate fields which CrossCert did or did not have control over, and whether those fields had Symantec-side validation with compliance flagging, and whether those flags could be overridden? To show what I am after, such a list might hypothetically begin: - notBefore/notAfter: no direct control - Certificate duration: control, minimum 12 months, maximum 39 months - Hash algorithm: no control - Domain name: full control, Symantec-side validation, overrideable .... * You write: "Further, we have deployed support for, and honor Certification Authority Authorization across all systems to put control of authorized CA’s in the hands of customers". This is great news :-) >From what date has this been true? Can you confirm that CAA checking applies to all Symantec-owned brands? * Further to your answer about sampling sizes, what (in Symantec's experience) normally defines the sample size an auditor will use when sampling issued certificates during an audit? Is it a fixed number, or defined by the auditor, the issuer, or a dialogue between the two, or some other method? * http://vtn.certisign.com.br/repositorio/politicas/DPC_da_Cert isign.pdf is dated 2012. BRs section 2 say that the CP and CPS need to be annually updated. Do we understand that this did not happen in the case of Certisign? * Same question for CrossCert. Gerv |
| Re: Misissued/Suspicious Symantec Certificates | Ryan Sleevi | 13/02/17 15:23 | On Mon, Feb 13, 2017 at 4:48 AM, Gervase Markham via dev-security-policy <Indeed Steve, thank you for your continued attention as we try to gain the information and understanding necessary to determine how best to protect users from misissued certificates. I note that Symantec's answer to question 1 in [1] reiterates that, in Symantec's view, the set of misissuance previously was solely related to a specific internal tool, and as such, the remediation steps Symantec engaged in focused on the process and controls related to that tool. I highlight this because it seems difficult to understand the distinction between the previous event and this current event, and understanding that distinction seems relevant to understanding whether the steps Symantec took previously were reasonable and complete to address this set of issues and the community trust, as well as understanding the steps Symantec is proposing or has taken in response to this current set of issues. In the previous misissuance event, my understanding is that Symantec asserts that the whole totality of the misissuance was related to a single, specific tool. Symantec's initial response [2] was to assert that the issue was limited to rogue actions of a few individuals contrary to Symantec's policies and procedures. The proposed remediation of this was a termination of relationship with those specific individuals. However, it was pointed out by browsers based on a simple cursory examination that such a statement was not consistent with the data - that the full set of issues were not identified by Symantec in their initial investigation, and only upon prompting by Browsers with a specific deadline did Symantec later recognize the scope of the issues. In recognizing the scope, it was clear that the issues did not simply relate to the use of a particular tool, but also to the practices of employees with respect to asserting that things were correct when they were not. A specific example is that the role of Validation Specialist - which is tasked with independently reviewing the certificate request for non-compliance - was designed in such a way that it could be bypassed or overridden without following the appropriate policies. These were actions independent of any particular tooling. These issues were then amplified by the fact that Symantec was failing to ensure that its policies and practices adhered to the appropriate version of the Baseline Requirements, and that employees and staff were trained on the appropriateness of ensuring the appropriate policies were followed, regardless of the tools being employed. In response to this issue, Symantec took a series of corrective steps, such as: - A comprehensive review of its Policies and Practices to ensure compliance with the Baseline Requirements, as requested in [3] (and available at [4]) - The establishment of a centralized Compliance team to ensure compliance across Symantec branded-CAs - Internal training, which on the basis of [1] appears to have been limited to a specific tool, rather than to the overall auditable criteria or policies In the current misissuance, my understanding is that Symantec asserts that the totality of the misissuance was related to RAs. Symantec's initial response to the set of questions posed by Google [5] indicated that " At this time we do not have evidence that warrants suspension of privileges granted to any other RA besides CrossCert" in the same message that provided the CP/CPS for other RAs besides CrossCert, and itself a follow-up to Symantec's initial response to the Mozilla community, [6], which acknowledged for the potential of audit issues in the statement "We are reviewing E&Y’s audit work, including E&Y’s detailed approach to ascertaining how CrossCert met the required control objectives.". This appears to be similar to the previous event, in that the proposed remediation was first a termination of relationship with specific individuals. However, in Symantec's most recently reply, [1], it seems that again, on the basis of browser questions from a simple cursory examination that such a statement was not consistent with the data - that is, that the full set of issues were not identified by Symantec in their initial investigation, and only upon prompting by Browsers with a specific deadline did Symantec later recognize the scope of the issues. In recognizing the scope, it was clear that the issues did not simply relate to the use of a particular RA or auditor, but also to the practices of RAs with respect to asserting things were correct when they were not. It appears that, similar to the Testing Tool's failure to ensure that certificates were adhering to the fulsome standards of authentication, Symantec's newly established compliance team was failing to perform even a cursory review of the CP, CPS, and audit statements presented - despite Symantec having found it necessary in that introspective process themselves in response to [3], as noted above. Symantec's also stated that, in response to the past misissuance, it deployed a compliance assessment tool, which functionally serves a role similar to a Validation Specialist. However, such compliance assessment was designed in a way that it could be bypassed or overridden without following appropriate policies. Further, as acknowledged in [1], even when Symantec noted that at least one of their RAs had identified specific deficiencies in practice and issuance, Symantec determined it was not appropriate to notify Root Stores or Mozilla of a "problem report". In response to the issues identified in Question 8 of [1], Symantec noted that one of their RAs was deficient in response to its "policies and business practices change in regards to verification procedures for issuing certificates", and allowed 90 days for the RA to remediate this. However, it does not appear Symantec took any corrective action for the period under audit - a year long period - to review any issued certificates during the period of deficiency. I highlight this because Mozilla's Policy [7], Item 5, requires such notification to certif...@mozilla.org, but Symantec acknowledges in Question 9 of [1] that it failed to do so. Symantec's proposed remediation for these issues appears to be limited to: - Suspend the use of RAs for independent validation of domain control and organizational information With this background in mind, and the comparisons highlighted, I do hope Symantec can consider the following questions: 1) Given that the Baseline Requirements require that Symantec accept full liability and responsibility for all actions by Delegated Third Parties, can Symantec please provide what were the specific steps and process Symantec's Compliance Team took in reviewing Registration Authorities prior to the detection of this misissuance? Specific example questions include: a) Did Symantec's compliance team independently assess the WebTrust licensing status of each received audit? b) Did Symantec's compliance team review the CP and/or CPS of each Delegated Third Party to independently assert compliance with the STN CP/CPS? 2) Given that Symantec has noted that RAs bore the capability to override the results of the compliance tool, can Symantec please provide details about every certificate Symantec has issued which has had the compliance check overridden? 3) Symantec noted in [5] that "Each certificate request is screened for BR compliance failure. Failures are flagged, preventing RA issuance until the flag is cleared." Can Symantec please confirm that "RA issuance" refers to the act of Symantec signing a TBSCertificate and producing a signed certificate, as opposed to any other interpretation, such as Symantec signed the certificate, but did not provide it to the RA until the flag was cleared? 4) Was the problematic audit, highlighted in Questions 10 and 11 of [1], CertSuperior's first audit as a Symantec RA? Stated differently, did Symantec engage in any business relationship with CertSuperior prior to the production of [8]? 5) Symantec's initial response to Mozilla, in [6], indicated that Symantec will be conducting "a review of our delegated RA controls and why we did not detect this problematic behavior before it was reported to us". What is the timeline for when this review will be completed and published? 6) Please provide the specific dates that Symantec engaged in a Delegated Third Party relationship with each of the RAs, so that the community can independently evaluate the 'scope of the issues' with respect to what certificates may be affected by the issues Symantec has disclosed. 7) Are there any elements in the above comparison between the past and present misissuance that Symantec believes are factually incorrect or unsubstantiated that Symantec would like to address or correct? More broadly, a set of questions exist for the community to be considering in evaluating Symantec's present and past responses, such as: - Whether the community believes Symantec adhered to the appropriate duty of care to review the CP, CPS, and audit reports produced for RAs, given Symantec's own experiences through participation in the Mozilla Community reviewing CP, CPSes, and audit reports of Symantec and other CA participants, the Mozilla policies related to disclosure of sub-CA's CP, CPS, and audit reports, and through Symantec's participation in the CA/Browser Forum, in which audit and audit issues has been a long-standing topic of discussion. - Whether the community believes Symantec's compliance team, which failed to detect these issues that were prominent and easily discovered, has demonstrated itself as an appropriate compensating control for either the past or present issues - Whether the community believes Symantec's statements regarding the scope of the issues - and the continued expansion of that scope - fully represent and contain the set of misissued certificates and the set of compliance issues - Whether the choice of Symantec to discontinue the use of RAs represents a sufficient mitigation for the past, existing and issued certificates - Whether the choice of Symantec to discontinue the use of RAs represents a sufficient and suitable mitigation for the possibility of future compliance issues that may be discovered or arise - What steps Symantec should take to reassure the Mozilla community of its ability to abide by the letter and the spirit of the Mozilla CA Certificate Policy if continuing to participate in the Mozilla CA Certificate program - What steps Mozilla should take regarding Symantec to reassure the Mozilla community of the appropriateness of continued trust in Symantec issued certificates, given the past and present issues [1] https://bug1334377.bmoattachments.org/attachment.cgi?id=8836487 [2] http://archive.is/Ro70U [3] https://security.googleblog.com/2015/10/sustaining-digital-certificate-security.html [4] https://www.symantec.com/page.jsp?id=test-certs-update# [5] https://bug1334377.bmoattachments.org/attachment.cgi?id=8831933 [6] https://bug1334377.bmoattachments.org/attachment.cgi?id=8831038 [7] https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/#inclusion [8] https://bug1334377.bmoattachments.org/attachment.cgi?id=8831930 |
| Re: Misissued/Suspicious Symantec Certificates | Ryan Sleevi | 17/02/17 16:23 | Hi Steve,
Two more question to add to the list which is already pending: In [1], in response to question 5, Symantec indicated that Certisign was a WebTrust audited partner RA, with [2] provided as evidence to this fact. While we discussed the concerns with respect to the audit letter, specifically in [3], questions 3 - 6, and while Symantec noted that it would case to accept future EY Brazil audits, I have confirmed with CPA Canada that at during the 2016 and 2017 periods, EY Brazil was not a licensed WebTrust practitioner, as indicated at [4]. Given that EY Brazil was not a licensed WebTrust auditor, it appears that Symantec failed to uphold Section 8.2 of the Baseline Requirements, v1.4.1 [5], namely, that "(For audits conducted in accordance with the WebTrust standard) licensed by WebTrust", which is a requirement clearly articulated in Section 8.4 of the Baseline Requirements, namely, that "If the CA is not using one of the above procedures and the Delegated Third Party is not an Enterprise RA, then the CA SHALL obtain an audit report, issued under the auditing standards that underlie the accepted audit schemes found in Section 8.1, ..." 1) Was Symantec's compliance team involved in the review of Certisign's audit? 2) Does Symantec agree with the conclusion that, on the basis of this evidence, Symantec failed to uphold the Baseline Requirements, independent of any action by a Delegated Third Party? [1] https://bug1334377.bmoattachments.org/attachment.cgi?id=8831933 [2] https://bug1334377.bmoattachments.org/attachment.cgi?id=8831929 [3] https://bug1334377.bmoattachments.org/attachment.cgi?id=8836487 [4] http://www.webtrust.org/licensed-webtrust-practitioners-international/item64419.aspx [5] https://cabforum.org/wp-content/uploads/CA-Browser-Forum-BR-1.4.1.pdf |
| Re: Misissued/Suspicious Symantec Certificates | uri...@gmail.com | 17/02/17 16:50 | On Friday, February 17, 2017 at 7:23:54 PM UTC-5, Ryan Sleevi wrote:> [4] > http://www.webtrust.org/licensed-webtrust-practitioners-international/item64419.aspx The footnote at the above makes that a little hard to understand-- "EY refers to a member firm of Ernst & Young Global Limited. Through a license with Ernst & Young Global Limited all EY members are licensed to provide WebTrust for Certification Authorities services." |
| Re: Misissued/Suspicious Symantec Certificates | uri...@gmail.com | 17/02/17 17:18 | Additionally "Ernst Young Brazil" was listed as late as March 20, 2016 apparently.
https://web-beta.archive.org/web/20160320161225/http://www.webtrust.org/licensed-webtrust-practitions-international/item64419.aspx |
| Re: Misissued/Suspicious Symantec Certificates | Ryan Sleevi | 17/02/17 19:19 | On Fri, Feb 17, 2017 at 5:17 PM, urijah--- via dev-security-policy <Thanks for highlighting this. Indeed, while confirming the list was up to date, I had missed the footnote. The audit was dated 2017/01/24, so the historic status would be irrelevant. |
| Re: Misissued/Suspicious Symantec Certificates | uri...@gmail.com | 17/02/17 20:07 | Sure. The strange thing to me (and possibly not relevant to this thread) is how both can be true--all E&Y members worldwide are licensed to do WebTrust audits, yet E&Y Brazil was taken *off* the WebTrust list in the latest update.
I think http://www.webtrust.org/licensed-webtrust-practitioners-international/item64419.aspx and https://web-beta.archive.org/web/20160320161225/http://www.webtrust.org/licensed-webtrust-practitions-international/item64419.aspx are possibly intended to be read differently. The old list giving specific named firms (or branches), by country (but saying it is a list of "global practitioners") the new list giving many fewer firms, but the country listing meaning...where they are active? If WebTrust revamped their approach to licensing, it might be good to know why/how and when. (And I don't see anywhere on their site where they discuss how they license auditors at all.) |
| RE: Misissued/Suspicious Symantec Certificates | Steve Medin | 17/02/17 20:33 | Our third response to questions, including these two below, is posted at Bugzilla, and directly at https://bug1334377.bmoattachments.org/attachment.cgi?id=8838825.
From: Ryan Sleevi [mailto:ry...@sleevi.com] Sent: Friday, February 17, 2017 6:54 PM To: Ryan Sleevi <ry...@sleevi.com> Cc: Gervase Markham <ge...@mozilla.org>; mozilla-dev-s...@lists.mozilla.org; Steve Medin <Steve...@symantec.com> Subject: Re: Misissued/Suspicious Symantec Certificates Hi Steve,[1] https://bug1334377.bmoattachments.org/attachment.cgi?id=8831933<https://clicktime.symantec.com/a/1/6wJmuz5H2ktURSIGjev34ZuuQTad1LRVz1nIlADR7XE=?d=EzdV7X-pe5sih3AYTnIMlzBIT3AaPBWIYQF9wd5LbpGrImaYYowG0inKiozTFwfAeJMk8B2dt_4yENjH4IaBlGSfv3Nbn8GMpSPDtntAWmyx8q3PfDYHHU_bDfrHZGtmC5XInqf0-ck-FF9e6SGtIxb23Mc2kGZNy8eGAG1jAT1TAe21ybqhXxIvmlxFXmTHtVMR3YXXvHPdAlcwv8e83_rm24C4_wUeNtE5oJFsBljHikK-4oZ1OAUbs4kCgGUxt8cWaB75e0ZDlR_fb71_91rphEjG44uTwcWMGyYK07gsGTyfvKsUrvka6LTCQoX9d09q2fHeLb5TL3SPWUKa6B9_V5GfWubr-0rIMxR7-kT2QzmMrkTgl2YGGDT-rtrKWSZ_xCOsOuU3sp_ARcYoRPNHR1FUGD8%3D&u=https%3A%2F%2Fbug1334377.bmoattachments.org%2Fattachment.cgi%3Fid%3D8831933> [2] https://bug1334377.bmoattachments.org/attachment.cgi?id=8831929<https://clicktime.symantec.com/a/1/pfZiLBH0rxpzxfeiB5YSfvWdOjwpHC72M_rUahZJxKQ=?d=EzdV7X-pe5sih3AYTnIMlzBIT3AaPBWIYQF9wd5LbpGrImaYYowG0inKiozTFwfAeJMk8B2dt_4yENjH4IaBlGSfv3Nbn8GMpSPDtntAWmyx8q3PfDYHHU_bDfrHZGtmC5XInqf0-ck-FF9e6SGtIxb23Mc2kGZNy8eGAG1jAT1TAe21ybqhXxIvmlxFXmTHtVMR3YXXvHPdAlcwv8e83_rm24C4_wUeNtE5oJFsBljHikK-4oZ1OAUbs4kCgGUxt8cWaB75e0ZDlR_fb71_91rphEjG44uTwcWMGyYK07gsGTyfvKsUrvka6LTCQoX9d09q2fHeLb5TL3SPWUKa6B9_V5GfWubr-0rIMxR7-kT2QzmMrkTgl2YGGDT-rtrKWSZ_xCOsOuU3sp_ARcYoRPNHR1FUGD8%3D&u=https%3A%2F%2Fbug1334377.bmoattachments.org%2Fattachment.cgi%3Fid%3D8831929> [3] https://bug1334377.bmoattachments.org/attachment.cgi?id=8836487<https://clicktime.symantec.com/a/1/80dDdC7HC5yMdzxfwRS0saqQ2kS5Tvwuo_kNWaXWLCI=?d=EzdV7X-pe5sih3AYTnIMlzBIT3AaPBWIYQF9wd5LbpGrImaYYowG0inKiozTFwfAeJMk8B2dt_4yENjH4IaBlGSfv3Nbn8GMpSPDtntAWmyx8q3PfDYHHU_bDfrHZGtmC5XInqf0-ck-FF9e6SGtIxb23Mc2kGZNy8eGAG1jAT1TAe21ybqhXxIvmlxFXmTHtVMR3YXXvHPdAlcwv8e83_rm24C4_wUeNtE5oJFsBljHikK-4oZ1OAUbs4kCgGUxt8cWaB75e0ZDlR_fb71_91rphEjG44uTwcWMGyYK07gsGTyfvKsUrvka6LTCQoX9d09q2fHeLb5TL3SPWUKa6B9_V5GfWubr-0rIMxR7-kT2QzmMrkTgl2YGGDT-rtrKWSZ_xCOsOuU3sp_ARcYoRPNHR1FUGD8%3D&u=https%3A%2F%2Fbug1334377.bmoattachments.org%2Fattachment.cgi%3Fid%3D8836487> [4] http://www.webtrust.org/licensed-webtrust-practitioners-international/item64419.aspx [5] https://cabforum.org/wp-content/uploads/CA-Browser-Forum-BR-1.4.1.pdf<https://clicktime.symantec.com/a/1/7AUAkdAzUJ1un022RuP_TfjD3UiY12QGLjanVeGgxhk=?d=EzdV7X-pe5sih3AYTnIMlzBIT3AaPBWIYQF9wd5LbpGrImaYYowG0inKiozTFwfAeJMk8B2dt_4yENjH4IaBlGSfv3Nbn8GMpSPDtntAWmyx8q3PfDYHHU_bDfrHZGtmC5XInqf0-ck-FF9e6SGtIxb23Mc2kGZNy8eGAG1jAT1TAe21ybqhXxIvmlxFXmTHtVMR3YXXvHPdAlcwv8e83_rm24C4_wUeNtE5oJFsBljHikK-4oZ1OAUbs4kCgGUxt8cWaB75e0ZDlR_fb71_91rphEjG44uTwcWMGyYK07gsGTyfvKsUrvka6LTCQoX9d09q2fHeLb5TL3SPWUKa6B9_V5GfWubr-0rIMxR7-kT2QzmMrkTgl2YGGDT-rtrKWSZ_xCOsOuU3sp_ARcYoRPNHR1FUGD8%3D&u=https%3A%2F%2Fcabforum.org%2Fwp-content%2Fuploads%2FCA-Browser-Forum-BR-1.4.1.pdf> |
| Re: Misissued/Suspicious Symantec Certificates | Ryan Sleevi | 22/02/17 20:33 | Hi Steve,
Thanks for your continued attention to this matter. Your responses open many new and important questions and which give serious question as to whether the proposed remediations are sufficient. To keep this short, and thereby allow Symantec a more rapid response: 1) Please provide the CP, CPS, and Audit Letter(s) used for each RA partner since the acquisition by Symantec of the VeriSign Trust Services business in 2010. > Cc: Gervase Markham <ge...@mozilla.org>; mozilla-dev-security-policy@ |
| Re: Misissued/Suspicious Symantec Certificates | Jeremy Rowley | 22/02/17 20:37 | Webtrust doesn't have audit criteria for RAs so the audit request may produce interesting results. Or are you asking for the audit statement covering the root that the RA used to issue from? That should all be public in the Mozilla database at this point.
|
| Re: Misissued/Suspicious Symantec Certificates | Ryan Sleevi | 22/02/17 20:48 | On Wed, Feb 22, 2017 at 8:36 PM, Jeremy Rowley <jeremy...@digicert.com>
wrote: Hi Jeremy, I believe the previous questions already addressed this, but perhaps I've misunderstood your concern. Quoting the Baseline Requirements, v.1.4.2 [1] , Section 8.4 "If the CA is not using one of the above procedures and the Delegated Thirdfound in Section 8.1, that provides an opinion whether the Delegated Third Party’s performance complies with either the Delegated Third Party’s practice statement or the CA’s Certificate Policy and/or Certification Practice Statement. If the opinion is that the Delegated Third Party does not comply, then the CA SHALL not allow the Delegated Third Party to continue performing delegated functions. " Note that Symantec has already provided this data for the four RA partners involved for the 2015/2016 (varies) period, at [2]. Specifically, see the response to Question 5 at [3]. Again, referencing Question 5 at [3], and the overall topic of the thread, no, I am not asking for the audit statement covering the root that the RA used to issue from. I'm asking for the audit report, issued under the auditing standards that underlie the accepted audit schemes found inSection 8.1, that provides an opinion whether the Delegated Third Party's performance complies with either the Delegated Third Party's practice statement or the CA's Certificate Policy and/or Certification Practice Statement. [1] https://cabforum.org/wp-content/uploads/CA-Browser-Forum-BR-1.4.2.pdf [2] https://bugzilla.mozilla.org/show_bug.cgi?id=1334377 [3] https://bug1334377.bmoattachments.org/attachment.cgi?id=8831933 |
| Re: Misissued/Suspicious Symantec Certificates | Jeremy Rowley | 22/02/17 21:22 | I am aware of the requirements but am interested in seeing how an RA that doesn't have their own issuing cert structures the audit report. It probably looks the same, but I've never seen one (unless that is the case with the previously provided audit report).
On Feb 22, 2017, at 8:48 PM, Ryan Sleevi <ry...@sleevi.com<mailto:ry...@sleevi.com>> wrote: |
| Re: Misissued/Suspicious Symantec Certificates | Ryan Sleevi | 23/02/17 01:20 | I'm sorry, I'm still a little confused about how to understand your
response. I can't tell if you're discussing in the abstract - as in, you don't know how an Delegated Third Party would ever meet that definition, due to the absence of "auditing standards that underlie the accepted audit schemes found in Section 8.1" therefore you don't think what Symantec has been doing since 2010 is permitted by the Baseline Requirements at all, and they should have stopped five years ago. That implies you read through the links provided by Symantec so far of the four RAs that they assert were operating as Delegated Third Parties (which is the only way this could have been acceptable to begin with), but that you disagree that they're evidence of compliance with the restrictions on the Delegated Third Parties. Is this what you meant? Or if you mean something concrete - that is, that you literally are interested and curious, without any subtext. In that case, it implies you may not have checked the links in the message you were replying to yet, and this was more of an aside, rather than a direct question. If this was the case, do you think it's reasonably clear the question I'd asked of Steve? Or am I completely off the mark? I just want to make sure that the question I asked is clear and unambiguous, as well as making sure I'm not misunderstanding anything. On Wed, Feb 22, 2017 at 9:21 PM, Jeremy Rowley <jeremy...@digicert.com> wrote:
> On Feb 22, 2017, at 8:48 PM, Ryan Sleevi <ry...@sleevi.com> wrote: |
| Re: Misissued/Suspicious Symantec Certificates | Ryan Sleevi | 24/02/17 16:51 | On Wed, Feb 22, 2017 at 8:32 PM, Ryan Sleevi <ry...@sleevi.com> wrote:Hi Steve, Have you had the opportunity to review and complete this? This is hopefully a simple task for your compliance team, given the critical necessity of maintaining of records, so I'm hoping that you can post within the next business day. Regards, Ryan |
| Re: Misissued/Suspicious Symantec Certificates | Peter Bowen | 24/02/17 17:12 | "auditing standards that underlie the accepted audit schemes found inThis is obviously a error in the BRs. That language is taken from Section 8.1 and there is no list of schemes in 8.1. 8.4 does have a list of schemes: 1. WebTrust for Certification Authorities v2.0; 2. A national scheme that audits conformance to ETSI TS 102 042/ ETSI EN 319 411-1; 3. A scheme that audits conformance to ISO 21188:2006; or 4. If a Government CA is required by its Certificate Policy to use a different internal audit scheme, it MAY use such scheme provided that the audit either (a) encompasses all requirements of one of the above schemes or (b) consists of comparable criteria that are available for public review. 1. is slight problematic as no scheme exists by that name, but "Trust Service Principles and Criteria for Certification Authorities Version 2.0" does exist, which is what I assume is meant. If we assume that audit scheme, my understanding is that the "auditing standards that underlie" the scheme is one of the following (which one depends on the date of the audit and the licensure of the auditor): (1) AT sec. 101 from SSAE No. 10/11/12 (AICPA) (2) AT-C sec. 205 from SSAE No. 18 (AICPA) (3) Section 5025 (CPA Canada) (4) CSAE 3000 (CPA Canada) (5) ISAE 3000 (IFAC) There should be no lack of auditing standards that underlie the Trust Service Principles and Criteria for Certification Authorities Version 2.0 audit scheme found in section 8.4. Thanks, Peter |
| Re: Misissued/Suspicious Symantec Certificates | Ryan Sleevi | 28/02/17 00:04 | Hi Steve,
I think we would have expected this would be fairly easy to obtain, given the record keeping requirements and the fact that these were relationships pre-existing to the Symantec acquisition. Can you speak to more about why the delay, and when Symantec expects this information to be available? |
| Re: Misissued/Suspicious Symantec Certificates | Santhan Raj | 28/02/17 09:45 | On Friday, February 24, 2017 at 5:12:43 PM UTC-8, Peter Bowen wrote:This is something that should be fixed in the BR and in fact both the audit schemes (WTCA & WTBR) should be listed in Section 8.4 (obviously WTCA by itself doesn't cover all BR requirements, only WTBR does). While your assumption is just, Section 1.6.3 has the following reference, so its hard to tell what the intent is. WebTrust for Certification Authorities , SSL Baseline with Network Security, Version 2.0, available at http://www.webtrust.org/homepage‐documents/item79806.pdf. |
| Re: Misissued/Suspicious Symantec Certificates | M H | 01/03/17 12:22 | On Tuesday, 28 February 2017 17:45:19 UTC, Santhan Raj wrote:404 - File or directory not found. |
| Re: Misissued/Suspicious Symantec Certificates | Daniel Boone | 01/03/17 13:03 | On 2017-03-01T12:22:32-0800, "Martin Heaps via dev-security-policy"
http://www.webtrust.org/homepage-documents/item79806.pdf The U+2010 in the link Santhan Raj posted should have been U+002D. |
| RE: Misissued/Suspicious Symantec Certificates | Steve Medin | 03/03/17 13:13 | Our fourth response to questions is posted at Bugzilla, https://bugzilla.mozilla.org/show_bug.cgi?id=1334377.
It includes two attachments at that bug: https://bugzilla.mozilla.org/attachment.cgi?id=8843448 https://bugzilla.mozilla.org/attachment.cgi?id=8843449 Sent: Wednesday, February 22, 2017 11:33 PM To: Steve Medin <Steve...@symantec.com> Cc: mozilla-dev-s...@lists.mozilla.org; ry...@sleevi.com; Gervase Markham <ge...@mozilla.org> Subject: Re: Misissued/Suspicious Symantec Certificates Hi Steve,On Fri, Feb 17, 2017 at 8:32 PM, Steve Medin via dev-security-policy <dev-secur...@lists.mozilla.org<mailto:dev-security-policy@lists.mozilla.org>> wrote: Our third response to questions, including these two below, is posted at Bugzilla, and directly at https://bug1334377.bmoattachments.org/attachment.cgi?id=8838825<https://clicktime.symantec.com/a/1/maIs7jXt0tqwnz1Jx0AxZjkA8GILUQI09uuEhZICWEQ=?d=7ylIQcW9MI3sm23dlF9kH0iQJbyD55FBGhRKwcFXib_4hIAJwQhgd3_24qB0coAv-SdkMKlUr1dYe3ULlJgm969yhZKu4ZLoTqyM3AhvyrmRjBijxx3oSZPweXl_MrKyswyJA1YgFpcKGlUTjUSxotLtqPMZn4tj-_2nsHC7tdtHzA9HmVLZRFXR2Ty6fDlHgYxN5haET45fGSzWiPA8P-VLtfS-ypJqHrmea4f-tKogptm9DGWQ3s-zZjo7FB1wGZL29RK8Xht9YbsSKN7HoJ0DcrJCTqWKwAapOYXopyC1Pf6hUe049AYjSS_wYcu7YAYcbfx2aEyndOFglqSVO7862-3Ny98IiKnskPeYE4pqtE1wHuEAeXC4OopLbVI1LP28GRXPjy8GPSImqgPdjyvD-hmSUJJt&u=https%3A%2F%2Fbug1334377.bmoattachments.org%2Fattachment.cgi%3Fid%3D8838825>. From: Ryan Sleevi [mailto:ry...@sleevi.com<mailto:ry...@sleevi.com>] Sent: Friday, February 17, 2017 6:54 PMTo: Ryan Sleevi <ry...@sleevi.com<mailto:ry...@sleevi.com>> Cc: Gervase Markham <ge...@mozilla.org<mailto:ge...@mozilla.org>>; mozilla-dev-s...@lists.mozilla.org<mailto:mozilla-dev-security-policy@lists.mozilla.org>; Steve Medin <Steve...@symantec.com<mailto:Steve...@symantec.com>> Subject: Re: Misissued/Suspicious Symantec Certificates[1] https://bug1334377.bmoattachments.org/attachment.cgi?id=8831933<https://clicktime.symantec.com/a/1/vG4MDB3hNsGYUc24ZpW7pdrPIan-c_b-D8RRJ1NfRP4=?d=7ylIQcW9MI3sm23dlF9kH0iQJbyD55FBGhRKwcFXib_4hIAJwQhgd3_24qB0coAv-SdkMKlUr1dYe3ULlJgm969yhZKu4ZLoTqyM3AhvyrmRjBijxx3oSZPweXl_MrKyswyJA1YgFpcKGlUTjUSxotLtqPMZn4tj-_2nsHC7tdtHzA9HmVLZRFXR2Ty6fDlHgYxN5haET45fGSzWiPA8P-VLtfS-ypJqHrmea4f-tKogptm9DGWQ3s-zZjo7FB1wGZL29RK8Xht9YbsSKN7HoJ0DcrJCTqWKwAapOYXopyC1Pf6hUe049AYjSS_wYcu7YAYcbfx2aEyndOFglqSVO7862-3Ny98IiKnskPeYE4pqtE1wHuEAeXC4OopLbVI1LP28GRXPjy8GPSImqgPdjyvD-hmSUJJt&u=https%3A%2F%2Fbug1334377.bmoattachments.org%2Fattachment.cgi%3Fid%3D8831933><https://clicktime.symantec.com/a/1/6wJmuz5H2ktURSIGjev34ZuuQTad1LRVz1nIlADR7XE=?d=EzdV7X-pe5sih3AYTnIMlzBIT3AaPBWIYQF9wd5LbpGrImaYYowG0inKiozTFwfAeJMk8B2dt_4yENjH4IaBlGSfv3Nbn8GMpSPDtntAWmyx8q3PfDYHHU_bDfrHZGtmC5XInqf0-ck-FF9e6SGtIxb23Mc2kGZNy8eGAG1jAT1TAe21ybqhXxIvmlxFXmTHtVMR3YXXvHPdAlcwv8e83_rm24C4_wUeNtE5oJFsBljHikK-4oZ1OAUbs4kCgGUxt8cWaB75e0ZDlR_fb71_91rphEjG44uTwcWMGyYK07gsGTyfvKsUrvka6LTCQoX9d09q2fHeLb5TL3SPWUKa6B9_V5GfWubr-0rIMxR7-kT2QzmMrkTgl2YGGDT-rtrKWSZ_xCOsOuU3sp_ARcYoRPNHR1FUGD8%3D&u=https%3A%2F%2Fbug1334377.bmoattachments.org%2Fattachment.cgi%3Fid%3D8831933> [2] https://bug1334377.bmoattachments.org/attachment.cgi?id=8831929<https://clicktime.symantec.com/a/1/Co8ZRcNA5WX7mrzL3wgY5QAejUiQtttlSJB2E60z1RQ=?d=7ylIQcW9MI3sm23dlF9kH0iQJbyD55FBGhRKwcFXib_4hIAJwQhgd3_24qB0coAv-SdkMKlUr1dYe3ULlJgm969yhZKu4ZLoTqyM3AhvyrmRjBijxx3oSZPweXl_MrKyswyJA1YgFpcKGlUTjUSxotLtqPMZn4tj-_2nsHC7tdtHzA9HmVLZRFXR2Ty6fDlHgYxN5haET45fGSzWiPA8P-VLtfS-ypJqHrmea4f-tKogptm9DGWQ3s-zZjo7FB1wGZL29RK8Xht9YbsSKN7HoJ0DcrJCTqWKwAapOYXopyC1Pf6hUe049AYjSS_wYcu7YAYcbfx2aEyndOFglqSVO7862-3Ny98IiKnskPeYE4pqtE1wHuEAeXC4OopLbVI1LP28GRXPjy8GPSImqgPdjyvD-hmSUJJt&u=https%3A%2F%2Fbug1334377.bmoattachments.org%2Fattachment.cgi%3Fid%3D8831929><https://clicktime.symantec.com/a/1/pfZiLBH0rxpzxfeiB5YSfvWdOjwpHC72M_rUahZJxKQ=?d=EzdV7X-pe5sih3AYTnIMlzBIT3AaPBWIYQF9wd5LbpGrImaYYowG0inKiozTFwfAeJMk8B2dt_4yENjH4IaBlGSfv3Nbn8GMpSPDtntAWmyx8q3PfDYHHU_bDfrHZGtmC5XInqf0-ck-FF9e6SGtIxb23Mc2kGZNy8eGAG1jAT1TAe21ybqhXxIvmlxFXmTHtVMR3YXXvHPdAlcwv8e83_rm24C4_wUeNtE5oJFsBljHikK-4oZ1OAUbs4kCgGUxt8cWaB75e0ZDlR_fb71_91rphEjG44uTwcWMGyYK07gsGTyfvKsUrvka6LTCQoX9d09q2fHeLb5TL3SPWUKa6B9_V5GfWubr-0rIMxR7-kT2QzmMrkTgl2YGGDT-rtrKWSZ_xCOsOuU3sp_ARcYoRPNHR1FUGD8%3D&u=https%3A%2F%2Fbug1334377.bmoattachments.org%2Fattachment.cgi%3Fid%3D8831929> [3] https://bug1334377.bmoattachments.org/attachment.cgi?id=8836487<https://clicktime.symantec.com/a/1/qzBrc0JUrrA2x3M0TM0G0hDZl4Mw5BjUIARUiy9xfgM=?d=7ylIQcW9MI3sm23dlF9kH0iQJbyD55FBGhRKwcFXib_4hIAJwQhgd3_24qB0coAv-SdkMKlUr1dYe3ULlJgm969yhZKu4ZLoTqyM3AhvyrmRjBijxx3oSZPweXl_MrKyswyJA1YgFpcKGlUTjUSxotLtqPMZn4tj-_2nsHC7tdtHzA9HmVLZRFXR2Ty6fDlHgYxN5haET45fGSzWiPA8P-VLtfS-ypJqHrmea4f-tKogptm9DGWQ3s-zZjo7FB1wGZL29RK8Xht9YbsSKN7HoJ0DcrJCTqWKwAapOYXopyC1Pf6hUe049AYjSS_wYcu7YAYcbfx2aEyndOFglqSVO7862-3Ny98IiKnskPeYE4pqtE1wHuEAeXC4OopLbVI1LP28GRXPjy8GPSImqgPdjyvD-hmSUJJt&u=https%3A%2F%2Fbug1334377.bmoattachments.org%2Fattachment.cgi%3Fid%3D8836487><https://clicktime.symantec.com/a/1/80dDdC7HC5yMdzxfwRS0saqQ2kS5Tvwuo_kNWaXWLCI=?d=EzdV7X-pe5sih3AYTnIMlzBIT3AaPBWIYQF9wd5LbpGrImaYYowG0inKiozTFwfAeJMk8B2dt_4yENjH4IaBlGSfv3Nbn8GMpSPDtntAWmyx8q3PfDYHHU_bDfrHZGtmC5XInqf0-ck-FF9e6SGtIxb23Mc2kGZNy8eGAG1jAT1TAe21ybqhXxIvmlxFXmTHtVMR3YXXvHPdAlcwv8e83_rm24C4_wUeNtE5oJFsBljHikK-4oZ1OAUbs4kCgGUxt8cWaB75e0ZDlR_fb71_91rphEjG44uTwcWMGyYK07gsGTyfvKsUrvka6LTCQoX9d09q2fHeLb5TL3SPWUKa6B9_V5GfWubr-0rIMxR7-kT2QzmMrkTgl2YGGDT-rtrKWSZ_xCOsOuU3sp_ARcYoRPNHR1FUGD8%3D&u=https%3A%2F%2Fbug1334377.bmoattachments.org%2Fattachment.cgi%3Fid%3D8836487> [4] http://www.webtrust.org/licensed-webtrust-practitioners-international/item64419.aspx [5] https://cabforum.org/wp-content/uploads/CA-Browser-Forum-BR-1.4.1.pdf<https://clicktime.symantec.com/a/1/L6psBNZ-UXLAKLVgVk9O_5t6JV9qi4unxaZUvPpURyI=?d=7ylIQcW9MI3sm23dlF9kH0iQJbyD55FBGhRKwcFXib_4hIAJwQhgd3_24qB0coAv-SdkMKlUr1dYe3ULlJgm969yhZKu4ZLoTqyM3AhvyrmRjBijxx3oSZPweXl_MrKyswyJA1YgFpcKGlUTjUSxotLtqPMZn4tj-_2nsHC7tdtHzA9HmVLZRFXR2Ty6fDlHgYxN5haET45fGSzWiPA8P-VLtfS-ypJqHrmea4f-tKogptm9DGWQ3s-zZjo7FB1wGZL29RK8Xht9YbsSKN7HoJ0DcrJCTqWKwAapOYXopyC1Pf6hUe049AYjSS_wYcu7YAYcbfx2aEyndOFglqSVO7862-3Ny98IiKnskPeYE4pqtE1wHuEAeXC4OopLbVI1LP28GRXPjy8GPSImqgPdjyvD-hmSUJJt&u=https%3A%2F%2Fcabforum.org%2Fwp-content%2Fuploads%2FCA-Browser-Forum-BR-1.4.1.pdf><https://clicktime.symantec.com/a/1/7AUAkdAzUJ1un022RuP_TfjD3UiY12QGLjanVeGgxhk=?d=EzdV7X-pe5sih3AYTnIMlzBIT3AaPBWIYQF9wd5LbpGrImaYYowG0inKiozTFwfAeJMk8B2dt_4yENjH4IaBlGSfv3Nbn8GMpSPDtntAWmyx8q3PfDYHHU_bDfrHZGtmC5XInqf0-ck-FF9e6SGtIxb23Mc2kGZNy8eGAG1jAT1TAe21ybqhXxIvmlxFXmTHtVMR3YXXvHPdAlcwv8e83_rm24C4_wUeNtE5oJFsBljHikK-4oZ1OAUbs4kCgGUxt8cWaB75e0ZDlR_fb71_91rphEjG44uTwcWMGyYK07gsGTyfvKsUrvka6LTCQoX9d09q2fHeLb5TL3SPWUKa6B9_V5GfWubr-0rIMxR7-kT2QzmMrkTgl2YGGDT-rtrKWSZ_xCOsOuU3sp_ARcYoRPNHR1FUGD8%3D&u=https%3A%2F%2Fcabforum.org%2Fwp-content%2Fuploads%2FCA-Browser-Forum-BR-1.4.1.pdf> _______________________________________________ dev-security-policy mailing list dev-secur...@lists.mozilla.org<mailto:dev-security-policy@lists.mozilla.org> https://lists.mozilla.org/listinfo/dev-security-policy |