
Have they published the violations anywhere?

Normally browser makers openly publish evidence of mis-issued certificates and hold the discussion with the vendor in public.

It's sad that this announcement from Google seems to basically be saying "we had a closed door dispute with Symantec, and now don't trust them".




The issue has gotten plenty of public discussion (from Google, Mozilla, and others) on Mozilla's dev-security-policy mailing list: https://groups.google.com/forum/?fromgroups=#!forum/mozilla....


The main thread is https://groups.google.com/forum/?fromgroups=#!topic/mozilla.... , and it contains some nuggets like this:

  So after reading this, the following auditors aren't
  trusted by Symantec anymore:
    - E&Y Korea
    - E&Y Brazil

  The following isn't trusted by Mozilla anymore:
    - E&Y Hong Kong

  This seems to be a worrying trend to me.

  Kurt


I was curious whether E&Y was Ernst & Young, and indeed it is; apparently they go by the name EY now.

I found this attached PDF interesting as well: https://bug1334377.bmoattachments.org/attachment.cgi?id=8831...


Yes, each of the Big Four isn't really a single company, that'd be too vulnerable to lawsuits when (let's face it, not if) they screw up. Instead they're a network of companies licensed to use the same name.

Mozilla was asked (I do not know if they actually did it) to have one of their London people stroll over to EY's headquarters building in that city and explicitly let them know about the Hong Kong EY's failures so that there's no opportunity to later pretend EY as a network didn't know this was a problem.

The nature of audit work, both for the Web PKI and for business accounting, means that "capture" is a big problem: the auditors get paid by the company they're supposed to audit, and further work is conditional on giving a good report, so why look for trouble? Failure is inevitable.

If you're wondering when it became the Big Four: the Big Five had one more member. They audited Enron and signed off accounts which bore no resemblance to reality, then, when they realised it was being investigated, they destroyed all evidence of what they'd done. The resulting scandal destroyed them, although the US Supreme Court eventually decided that the people who ran the audit firm and gave orders to cover up what it had done were innocent...



