[cabfpub] EV Code Signing Self-Audit

Steve Medin Steve_Medin at symantec.com
Thu Aug 24 18:26:56 UTC 2017


During a recent self-audit of EV Code Signing requirements, Symantec determined that four enterprise RA accounts were enabled to enroll for EV code signing certificates without first providing "a suitable IT audit." EVCS Guidelines section 16(4), option c requires the Subscriber to provide such an IT audit, "indicating that its operating environment achieves a level of security at least equivalent to that of FIPS 140-2 level 2."

In almost all cases, Symantec complies with section 16(4) by shipping a suitable hardware crypto module and interacting with this module directly during the certificate request process. Option c in 16(4) that relies on a suitable IT audit is used in cases where customers desire to use an existing compliant token and generate their certificate signing request on systems that are not Internet connected.

Our self-audit found 11 certificates historically issued across four accounts where the suitable IT audit was not present.

As a result, we changed software configuration settings to disallow CSR-based enrollment for all accounts that did not have IT audits on file. Before re-enabling this feature, we received IT audits from each customer. Three customers provided suitable documents. One customer with one certificate revoked their certificate after receiving a hardware crypto module from Symantec compliant with 16(4).

Root cause was determined to be improper training about the procedure to use before enabling CSR-based enrollment when we do not ship the token. Remedial guidance was provided.


