Changes

CA/Symantec Issues

187 bytes added, 13:38, 27 April 2017
Update list of problems and dates
* Test certs to registered domains: Discovered and fixed in Sep 2015, but "while inappropriate use of registered domains for testing stopped during the course of our 2014-2015 audits, we did not complete the ID and revocation of all certificates until Mar 2016, and so the finding remained in our first-half Dec 1, 2015-Jun 15, 2016 audits."
* Test certs to unregistered domains: Discovered and fixed in October 2015, but there was a "discovery of additional instance involving approved domains in a test account resulting in 6 additional issued certificates in Approximately Mar 2016." (Mozilla isn't aware that Symantec has previously made disclosure of this mis-issuance.)
* Unauthorized employees with access to certificate issuance capability: discovered in September 2015; the last problem of this type was remediated in June 2016 after an extensive security review.
* Failure to maintain physical security records for 7 years: discovered and fixed in January 2016.
* Failure to review application and system logs: discovered and fixed in January 2016.
* Failure to refresh background checks every 5 years: discovered in February 2016, fixed in June 2016 (required an internal reorganization).
In regard to the lack of qualifications related to GeoRoot and the RA program, Symantec said: "We acknowledge there were deficiencies in audits for both the GeoRoot and RA programs. The plan for the GeoRoot deficiencies was communicated in the cover letter accompanying our Point in Time audit (see issue V) and for the RA program, in the cover letter to browsers with our 2015-2016 audits."
===Additional Comments and Conclusion===