I just filed https://bugzilla.mozilla.org/show_bug.cgi?id=1374381 about an audit statement that I received for SwissSign. I have copied the bug description below, because I am concerned that there still may be ETSI auditors (and CAs?) who do not understand the audit requirements, see below.
~~~
SwissSign provided their annual audit statement: https://bug1142323.bmoattachments.org/attachment.cgi?id=8853299

Problems noted in it:

-- "Agreed-upon procedures engagement" - special words for audits - does not necessarily encompass the full scope

-- "surveillance certification audits" - does not necessarily mean a full audit (which the BRs require annually)

-- "point in time audit" -- this means that the auditor's evaluation only covered that point in time (not a period in time)

-- "only intended for the client" -- Doesn't meet Mozilla's requirement for a public-facing audit statement.

-- "We were not engaged to and did not conduct an examination, the objective of which would be the expression of an opinion on the Application for Extended Validation (EV) Certificate. Accordingly, we do not express such an opinion. Had we performed additional procedures, other matters might have come to our attention that would have been reported to you." -- some of the included root certs are enabled for EV treatment, so they need an EV audit as well.

According to section 8.1 of the CA/Browser Forum's Baseline Requirements: "Certificates that are capable of being used to issue new certificates MUST ... be ... fully audited in line with all remaining requirements from this section. ... The period during which the CA issues Certificates SHALL be divided into an unbroken sequence of audit periods. An audit period MUST NOT exceed one year in duration."

So, a full period-in-time audit is required every year.

After I voiced concern (https://bugzilla.mozilla.org/show_bug.cgi?id=1142323#c27) the CA provided an updated audit statement to address the concerns I had raised in the bug: https://bugzilla.mozilla.org/attachment.cgi?id=8867948

I do not understand how the audit statement can magically change from point-in-time to a period-in-time.
~~~

I will greatly appreciate thoughtful and constructive input into this discussion about what to do about this SwissSign audit situation, and whether this is an indicator that ETSI auditors are still not performing full annual audits that satisfy the CA/Browser Forum's Baseline Requirements.

Thanks,
Kathleen

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy