Changes

CA/Symantec Issues

893 bytes added, 11:52, 3 April 2017
Add Issue Q
The set of circumstances which would have allowed this issue to be exploited (+ or = character in WHOIS, domain where arbitrary email address registration by 3rd parties is possible, necessary email address still available to register) are relatively rare, and Symantec fixed the issue quickly and performed appropriate remediation.
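As an added illustration of the screening a CA's validation pipeline could apply, the following Python example (not Symantec's code, nor any CA's real validation logic) extracts contact addresses from a WHOIS record and flags the two circumstances named above, a `+` or `=` character in the address and a mailbox domain where third parties can register arbitrary addresses, so that such requests go to manual review rather than an automatic confirmation mail. The WHOIS excerpt and the list of third-party-registrable domains are constructed for the example.

```python
"""Risk-screen the contact e-mail a CA would use for e-mail based domain
validation. Added example, not Symantec's or any CA's actual code. It flags
the circumstances the text describes: a '+' or '=' character in the WHOIS
contact address, and a mailbox domain where anyone can register an arbitrary
address. Flagged requests are routed to manual review."""

import re
from dataclasses import dataclass, field

# Constructed list for the example: mailbox domains where third parties can
# register arbitrary local parts. A real deployment would maintain its own.
THIRD_PARTY_REGISTRABLE_DOMAINS = {"freemail.example", "webmail.example"}

# Characters the text singles out as part of the risky circumstances.
RISKY_LOCAL_PART_CHARS = {"+", "="}

# Minimal shape check; sufficient for WHOIS contact fields in this example.
EMAIL_RE = re.compile(r"^([^@\s]+)@([^@\s]+\.[^@\s]+)$")


@dataclass
class ValidationEmailAssessment:
    address: str
    local_part: str = ""
    domain: str = ""
    findings: list = field(default_factory=list)

    @property
    def needs_manual_review(self) -> bool:
        return bool(self.findings)


def assess_validation_email(address: str) -> ValidationEmailAssessment:
    """Return the reasons, if any, this address should not be trusted automatically."""
    result = ValidationEmailAssessment(address=address.strip())
    m = EMAIL_RE.match(result.address)
    if not m:
        result.findings.append("malformed contact address")
        return result
    result.local_part, result.domain = m.group(1), m.group(2).lower()

    risky = sorted(c for c in RISKY_LOCAL_PART_CHARS if c in result.local_part)
    if risky:
        result.findings.append(f"local part contains {risky}")

    if result.domain in THIRD_PARTY_REGISTRABLE_DOMAINS:
        result.findings.append("mailbox domain allows third-party registration")
    return result


def extract_whois_emails(whois_text: str) -> list:
    """Pull e-mail addresses out of raw WHOIS output."""
    return re.findall(r"[^\s@<>]+@[^\s@<>]+\.[A-Za-z]{2,}", whois_text)


# Constructed WHOIS excerpt for the example; not a real record.
SAMPLE_WHOIS = """\
Domain Name: example.org
Registrant Email: hostmaster@example.org
Admin Email: ops+dv=verify@freemail.example
"""

if __name__ == "__main__":
    for addr in extract_whois_emails(SAMPLE_WHOIS):
        a = assess_validation_email(addr)
        verdict = "MANUAL REVIEW" if a.needs_manual_review else "ok"
        print(f"{addr}: {verdict} {a.findings}")
```

Run stand-alone, the script reports the registrant address as acceptable and the admin address as needing manual review, with both findings listed. The point of keeping the findings as a list rather than a boolean is that a reviewer sees which of the rare preconditions coincided, which is what determines whether a request is merely unusual or actually unsafe to confirm by e-mail.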
==Issue F: Symantec Audit Issues For Symantec Itself 2015 (December 2014 - November 2015)==
All of Symantec's current 2015 audit reports can be found in their [https://www.symantec.com/about/legal/repository.jsp?tab=Tab3 legal repository]. I don't believe they provide links to historic versions. Symantec's standard audit period is from December 1st to November 31st. We would therefore expect their 2016 audit to be available by now. However, Symantec regularly supplies its audit reports only more than 180 days after the audit period has ended. Section 8.6 of the Baseline Requirements says that CAs SHOULD provide them within 90 days. Symantec is not the only CA which regularly supplies its audits late.
The most recent available 2015 Baseline Requirements audits for Symantec's [https://www.symantec.com/content/en/us/about/media/repository/GeoTrust-WTBR-2015.pdf GeoTrust roots] and their [https://www.symantec.com/content/en/us/about/media/repository/Symantec-Thawte-WTBR-2015.pdf Symantec and Thawte roots] run from December 1st, 2014 to November 30th, 2015. In those audits, the management assertions (and thereby the auditors) call out the following violations of the Baseline Requirements or Network Security Guidelines:
# Issuance of Internal Server Names past the deadline date
# Failure to review application and system logs
The most recent available 2015 WebTrust for CAs audits for Symantec's [https://www.symantec.com/content/en/us/about/media/repository/Symantec-STN-WTCA-2015.pdf Verisign and own-brand roots], their [https://www.symantec.com/content/en/us/about/media/repository/Thawte-WTCA-2015.pdf Thawte roots] and their [https://www.symantec.com/content/en/us/about/media/repository/GeoTrust-WTCA-2015.pdf GeoTrust roots] run from December 1st, 2014 to November 30th, 2015. In those audits, the management assertions (and thereby the auditors) call out the following violations:
# Background checks not renewed for trusted personnel
Of these, only the 'background checks' issue is not a repeat of an issue raised in the BR audits.
The most recently available 2015 Extended Validation audits for Symantec's [https://www.symantec.com/content/en/us/about/media/repository/Symantec-STN-WTEV-2015.pdf Verisign and own-brand roots], their [https://www.symantec.com/content/en/us/about/media/repository/Thawte-WTEV-2015.pdf Thawte roots] and their [https://www.symantec.com/content/en/us/about/media/repository/GeoTrust-WTEV-2015.pdf GeoTrust roots] run from December 1st, 2014 to November 30th, 2015. In those audits, the management assertions (and thereby the auditors) call out the 'test certificates' and the 'physical security records' issues which are noted above.
===Symantec Response===
Symantec's initial response was to get UniCredit to put in place controls to fix the violations found, and to review and replace any affected certificates. However, UniCredit continued to be without an audit. Symantec eventually asked them for one, and when they were unable to produce (presumably, pass) one, ordered them to stop issuing. However, UniCredit continued issuing, in violation of that agreement. Symantec then finally revoked their intermediate.

==Issue Q: Symantec Audit Issues 2016 (December 2015 - November 2016)==

Symantec's 2016 audit reports can be found in their [https://www.symantec.com/about/legal/repository.jsp?tab=Tab3 legal repository]. Symantec's standard audit period is from December 1st to November 31st. However, for 2016, they have split the audits into two roughly six-month periods, and had separate audit opinions issued for each.

As detailed in their [https://www.symantec.com/content/en/us/about/media/repository/Cover_Letter_for_WebTrust_Audit.pdf covering letter], the audits for the second period, June 16th to November 30th 2016, are mostly unqualified. The BR audits have a total of five qualifications, two of which relate to previously disclosed incidents which are not of concern, and three other qualifications which seem to be only of minor concern.

The audits for the first period contain many or all of the same issues as the 2015 audits (Issue F). One can surmise that Symantec chose to split the audits so that no single qualified audit would cover the entirety of 2016. This does raise questions about how long the issues which led to these qualifications persisted.

===Symantec Response===

Each of the documents contains, in a table that follows the qualifications, Symantec's comments on them and what they have done or are doing to remedy them.
==Issue R: Insecure Issuance API (2013 or earlier - November 2016)==