
Symantec CA report offers more clarity on certificate transparency catch

One week after certificate transparency revealed a Symantec CA improperly issued over 100 digital certificates, Symantec offers more details on the incident.

One week after the revelation that a Symantec CA improperly issued more than 100 digital certificates, Symantec offered a report with more details on the certificates and its investigation into the incident.

The report, posted to the Mozilla dev-security-policy list, gives more details of what turned out to be 127 improperly issued certificates -- all of which, Symantec said, were issued by CrossCert, Korea Electronic Certification Authority.

According to a statement Symantec provided to SearchSecurity, "CrossCert, a WebTrust audited Registration Authority partner in Korea, overrode compliance failure flags and issued certificates in violation of Symantec policy and CA/B Forum Baseline Requirements. After becoming aware of this issue, Symantec immediately disabled all issuance privileges for CrossCert and revoked any valid and active certificates. Symantec has taken over validation and issuance for all pending and new orders submitted through CrossCert. Additionally, Symantec is reviewing all its RA partners to ensure they are in compliance with our controls and procedures. Our investigation remains on-going."

CrossCert, Symantec's Registration Authority partner in Korea, is audited under the WebTrust auditing program for certificate authorities. The program "was developed to increase consumer confidence in the internet as a vehicle for conducting e-commerce and to increase consumer confidence in the application of [public key infrastructure] technology," according to the WebTrust website.

Symantec's update detailed additional follow-up activity it has taken, including engagement with CrossCert to request documentation related to the improperly issued certificates. Symantec stated it spoke with Ernst & Young, Korea, the auditors that conducted the most recently published "unqualified" WebTrust audit.

The consequences of the latest incident for Symantec remain to be seen, especially since it is the second time in less than two years that improperly issued certificates were discovered through the certificate transparency program. In September 2016, the Symantec CA improperly issued Extended Validation certificates for domains they did not own -- including two domains owned by Google.

Google's response was to require the Symantec CA to support certificate transparency for all the certificates it issues -- not just extended validation certificates -- starting June 1, 2016; Google also mandated a set of third-party audits of all Symantec CA operations.

In 2016, Chinese certificate authority WoSign was dropped by Mozilla as a trusted certificate authority after it was discovered to have improperly issued backdated SHA-1 certificates and violated other guidelines for CA operations. Ernst & Young (Hong Kong) was also sanctioned by Mozilla after WoSign was found to be engaged in "unacceptable" behavior.
