CA/Symantec Issues

1,731 bytes added, 11:00, 20 April 2017
Add Issue Y
Symantec issued a cert to one of its customers that did not comply with at least one provision of both the CA/Browser Forum Baseline Requirements and Mozilla policy. It was a 1024-bit cert that expired after the end of 2013. Symantec believed this was the only technical way to ensure continuity of service for the customer concerned.
This cert was issued directly from the root. Symantec's [https://groups.google.com/forum/#!topic/mozilla.dev.security.policy/x_vrJtv7A0Y write-up] points out that issuance from the root is permitted by [https://cabforum.org/wp-content/uploads/Baseline_Requirements_V1_1_6.pdf BRs version 1.1.6], the version in force at the time, if 5 conditions are met, and Symantec says they were met.
This cert was backdated, but backdating is not a BR or Mozilla policy violation as long as it was not done to evade a technical control.
Questioning continues to ascertain how these RAs are prevented from issuing TLS certificates.
 
==Issue Y: Unaudited Unconstrained Intermediates (December 2015 - April 2017)==
 
Two intermediate CAs, which are subordinates of or cross-certified by VeriSign Universal Root Certification Authority, appear not to be covered by any of Symantec's audits as listed in their document repository:
 
* [https://crt.sh/?Identity=%25&iCAID=1384&exclude=expired VeriSign Class 3 SSP Intermediate CA - G2]
* [https://crt.sh/?Identity=%25&iCAID=12352&exclude=expired Symantec Class 3 SSP Intermediate CA - G3]
 
Both intermediates are disclosed in Salesforce, and each has 15 or so also-disclosed sub-CAs which appear to be specific to particular companies. The audit associated with both of them in Salesforce is [https://www.symantec.com/content/en/us/about/media/repository/symantec_nfssp_wtca_5_13_2016.pdf this one] from May 2016, but that audit document does not list the intermediate CAs it covers. It is from Symantec's 2015 set of audits (i.e. the set before the current one). The most recent audit which covers the VeriSign Universal Root Certification Authority is [https://www.symantec.com/content/en/us/about/media/repository/18_Symantec_STN_WTCA_period_end_11-30-2016.pdf this one], but these certificates are not on the accompanying list of intermediates. There appears to be no 2016 version of the "Symantec Non-Federal Shared Service Provider WTCA" audit in the 2016 list in the Symantec [https://www.symantec.com/about/legal/repository.jsp?tab=Tab3 document repository].
 
As far as we can tell, these intermediates are unconstrained, unrevoked and fully capable of issuing server authentication certificates which are trusted by Mozilla browsers.
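To make "unconstrained" concrete, here is an added Go example (not part of this wiki page and not Symantec's or Mozilla's code) that mints constructed self-signed CA certificates and reports whether each could technically issue TLS server certificates: a CA with no EKU extension excluding serverAuth and no Name Constraints permitted subtree passes, the other two do not. The function names CanIssueTrustedTLS and MintCA and the sample certificates are assumptions of this example, and the check is a simplified reading of the Mozilla "technically constrained" definition.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// CanIssueTrustedTLS reports whether a CA certificate is "unconstrained" in the
// sense used above: its EKU extension (if any) still allows serverAuth or anyEKU,
// and it carries no Name Constraints permitted DNS subtree (simplified check).
func CanIssueTrustedTLS(c *x509.Certificate) bool {
	if !c.BasicConstraintsValid || !c.IsCA {
		return false // not an issuing CA at all
	}
	if len(c.ExtKeyUsage) > 0 {
		tls := false
		for _, eku := range c.ExtKeyUsage {
			tls = tls || eku == x509.ExtKeyUsageServerAuth || eku == x509.ExtKeyUsageAny
		}
		if !tls {
			return false // EKU present and omits TLS server authentication
		}
	}
	return len(c.PermittedDNSDomains) == 0 // a permitted subtree constrains it
}

// MintCA builds a constructed self-signed CA; tweak adds constraints before signing.
func MintCA(cn string, tweak func(*x509.Certificate)) *x509.Certificate {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // only fails without entropy
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	if tweak != nil {
		tweak(tmpl)
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der) // freshly minted DER always parses
	return cert
}
```

Run the same check over a real intermediate by replacing MintCA with x509.ParseCertificate on its DER bytes; an unaudited CA that passes it is exactly the risk this issue describes.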
 
===Symantec Response===
 
Symantec has not yet responded to this issue.