CA/Symantec Issues

299 bytes added, 14:01, 25 April 2017
Update Issue V to include feedback from Kathleen
===Symantec Response===
Previous revision:
* Symantec state: "Intel's subordinate CA, which expired in 2016, was not subject to audits either contractually or by previous agreements with both Mozilla and Microsoft given its limited use." -- Need to check with Kathleen.
* Symantec state: "Symantec provided the letter quoted below to Google, Mozilla, Microsoft, and Apple when we shared the Point in Time Audits on September 6, 2016 to specifically address the GeoRoot audit status and remediation plan. That cover letter outlined the plan to wind down the Aetna and UniCredit subordinate CAs." -- Need to check with Kathleen.
If Symantec did indeed notify us of this situation and we made no comment, that is a relevant fact.

Revision as of 14:01, 25 April 2017:
* Symantec state: "Intel's subordinate CA, which expired in 2016, was not subject to audits either contractually or by previous agreements with both Mozilla and Microsoft given its limited use." This is true; the CA is mothballed and got out of storage only once a quarter to issue a CRL.
Symantec agreed privately with Mozilla that audits were not necessary for a CA in such a state.
* Symantec state: "Symantec provided the letter quoted below to Google, Mozilla, Microsoft, and Apple when we shared the Point in Time Audits on September 6, 2016 to specifically address the GeoRoot audit status and remediation plan. That cover letter outlined the plan to wind down the Aetna and UniCredit subordinate CAs." This is true, although Aetna and UniCredit are not mentioned by name in the letter.
Symantec have also [https://bug1334377.bmoattachments.org/attachment.cgi?id=8860216 stated] that, as of April 21st, 2017, the "Intel, Aetna, and Unicredit CAs have all expired or been revoked." This leaves Google and Apple as the only participants in the GeoRoot program. They also say that: "We agree that getting audits for Aetna and Unicredit took too long. After many discussions, requests, and delays, they finally produced the reports that they did. This experience informed our decision to transition them to alternative solutions."
===Further Comments and Conclusion===
 
I am following up on the open questions above with Kathleen.
It seems that the NTT DoCoMo infrastructure did fall through the cracks audit-wise until 2015-2016.
Given the power which those organizations held, Symantec did not pursue Aetna and UniCredit for proper audits and appropriate compliance with sufficient alacrity (on UniCredit, see Issue P). However, to a degree, Symantec did keep Mozilla somewhat informed of what was going on, and Mozilla made no comment. It is our understanding that at least one other root program was applying more pressure to remediate this situation than Mozilla was.
==Issue W: RA Program Audit Issues (2013 or earlier - January 2017)==