CA/Symantec Issues

563 bytes added, 09:30, 11 April 2017
==Issue V: GeoRoot Program Audit Issues (2013 or earlier - January 2017)==
Symantec runs a program called GeoRoot, where intermediate CAs have been created for the sole use and independent operation by specific customers at premises under their control. Some of these customers appear to have had a history of poor compliance with the BRs and other audit requirements, facts which were known to Symantec but not disclosed to Mozilla or dealt with in appropriately comprehensive ways.
Over multiple years ([https://www.symantec.com/content/en/us/about/media/repository/symantec-webtrust-audit-report.pdf 2013-12-01 to 2014-11-30], [https://www.symantec.com/content/en/us/about/media/repository/GeoTrust-WTBR-2015.pdf 2014-12-01 to 2015-11-30]), Symantec's "GeoTrust" audits were qualified to say that they did not have proper audit information for some of these GeoRoot customers. This information was in their management assertions, and repeated in the audit findings. So the poor audit situation was ongoing and known.
===Symantec Response===
===Further Comments and Conclusion===
* Symantec state: "Intel's subordinate CA, which expired in 2016, was not subject to audits either contractually or by previous agreements with both Mozilla and Microsoft given its limited use." -- Need to check with Kathleen.
* Symantec state: "Symantec provided the letter quoted below to Google, Mozilla, Microsoft, and Apple when we shared the Point in Time Audits on September 6, 2016 to specifically address the GeoRoot audit status and remediation plan. That cover letter outlined the plan to wind down the Aetna and UniCredit subordinate CAs." -- Need to check with Kathleen.
If Symantec did indeed notify us of this situation and we made no comment, that is a relevant fact.
===Open Questions===
 
* Does this mean the NTT DoCoMo intermediates were entirely unaudited for a period of years?
==Issue W: RA Program Audit Issues (2013 or earlier - January 2017)==