CA/Symantec Issues

658 bytes added, 09:45, 11 April 2017
==Issue W: RA Program Audit Issues (2013 or earlier - January 2017)==
Symantec's RA program had four participating companies - CrossCert, Certisign, Certsuperior, and Certisur.
[https://bug1334377.bmoattachments.org/attachment.cgi?id=8831930 Certsuperior's audit] is particularly dreadful:
* non-trusted staff had access to issuance.
[https://cert.webtrust.org/SealFile?seal=2168&file=pdf CrossCert's audit] does not list or cover the full number of Symantec roots under which they had issuance capability. Symantec did not notice this mismatch until their recent investigation of the RA program, when they discovered that CrossCert had had the scope of the audit reduced for cost reasons.
[https://bug1334377.bmoattachments.org/attachment.cgi?id=8831929 Certisign's audit] and [https://cert.webtrust.org/SealFile?seal=2067&file=pdf Certisur's audit] are only WebTrust for CAs audits - neither CA appears to have a Baseline Requirements audit. The WebTrust audit criteria require that such a CA has a BR audit. In addition, Mozilla policy requires "CA operations and issuance of certificates to be used for SSL-enabled servers" to conform to the Baseline Requirements. As Symantec has stated that audit was their only mechanism for monitoring their RAs, they can have had no assurance that RAs without a BR audit were actually following the BRs.
===Symantec Response===
Symantec required the issues at Certsuperior to be fixed, and a 90-day action plan was executed to fix them. However, until they decided to shut down the RA program, no certificates issued during the period of suspect operations were checked to see whether the poor practice had caused misissuance. They have requested that their next audit include both WebTrust for CAs and WebTrust Baseline.

Symantec appears to have taken no action to deal with the fact that Certisign and Certisur did not have BR audits until recently, other than requesting that Certisign's next audit include both WebTrust for CAs and WebTrust Baseline. (They assert that Certisur's audits are in order; this is still being investigated.)

Symantec did not notice that CrossCert's audits did not cover all the relevant roots until they did the RA investigation in early 2017.

===Further Comments and Conclusion===
Despite the clear warning signs shown in the Certsuperior audit, Symantec did not put in place any monitoring of their RAs, other than audit, to check that they were correctly performing the tasks delegated to them under the BRs. (There were some - overridable - technical checks on certificate issuance.)

Symantec's compliance department [https://groups.google.com/forum/#!topic/mozilla.dev.security.policy/Ga1bfOiJr70 appears not to have noticed] many or any of these audit scope problems until 2016. It is currently unclear how long these CAs were missing BR audits.
==Issue X: Incomplete RA Program Remediation (February - March 2017)==