Hi Steve,

Two more questions to add to the list which is already pending:

In [1], in response to question 5, Symantec indicated that Certisign was a
WebTrust audited partner RA, with [2] provided as evidence to this fact.
While we discussed the concerns with respect to the audit letter,
specifically in [3], questions 3 - 6, and while Symantec noted that it
would cease to accept future EY Brazil audits, I have confirmed with CPA
Canada that during the 2016 and 2017 periods, EY Brazil was not a
licensed WebTrust practitioner, as indicated at [4].

Given that EY Brazil was not a licensed WebTrust auditor, it appears that
Symantec failed to uphold Section 8.2 of the Baseline Requirements, v1.4.1
[5], namely, that "(For audits conducted in accordance with the WebTrust
standard) licensed by WebTrust", which is a requirement clearly articulated
in Section 8.4 of the Baseline Requirements, namely, that "If the CA is not
using one of the above procedures and the Delegated Third Party is not an
Enterprise RA, then the CA SHALL obtain an audit report, issued under the
auditing standards that underlie the accepted audit schemes found in
Section 8.1, ..."

1) Was Symantec's compliance team involved in the review of Certisign's
audit?
2) Does Symantec agree with the conclusion that, on the basis of this
evidence, Symantec failed to uphold the Baseline Requirements, independent
of any action by a Delegated Third Party?

[1] https://bug1334377.bmoattachments.org/attachment.cgi?id=8831933
[2] https://bug1334377.bmoattachments.org/attachment.cgi?id=8831929
[3] https://bug1334377.bmoattachments.org/attachment.cgi?id=8836487
[4] http://www.webtrust.org/licensed-webtrust-practitioners-international/item64419.aspx
[5] https://cabforum.org/wp-content/uploads/CA-Browser-Forum-BR-1.4.1.pdf
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy