Changes

CA/Symantec Issues

2 bytes removed, 10:07, 21 April 2017
Change name of Issue T
At the moment, there is no compelling evidence that Symantec's account of events is incorrect. If their account of events is correct then I don't see a problem here. For better or worse, the sending of emails with somewhat privileged access URLs in them is common practice in this and other industries.
==Issue T: RA Program CrossCert Misissuances (January 2010 - January 2017)==
For several years, Symantec operated an RA (Registration Authority) program. The companies in this program had independent authority to issue certificates under Symantec intermediates, and those certificates were not specifically marked to say that a particular RA had issued them instead of Symantec directly. This by itself is not against any existing policy.
Their case is that WebTrust audit monitoring should have been sufficient, but that they were let down by their auditor, who failed to notice some of the problems, or in other cases it just so happened that the issues were either a long time ago or too recent to be caught by audit. This case is undermined by Issue W - CrossCert and many of the other RA partners had significantly deficient audits and/or audits with serious qualifications.
I conclude that the reason that the situation at CrossCert was not replicated elsewhere was a matter of luck, and that Symantec's monitoring regime for its RA partners - who had full powers of issuance in the WebPKI - was not sufficiently robust.
==Issue V: GeoRoot Program Audit Issues (2013 or earlier - January 2017)==