On Mon, Jun 19, 2017 at 12:14 PM, Kathleen Wilson via
dev-security-policy <dev-security-policy@lists.mozilla.org> wrote:
> I just filed https://bugzilla.mozilla.org/show_bug.cgi?id=1374381 about an 
> audit statement that I received for SwissSign. I have copied the bug 
> description below, because I am concerned that there still may be ETSI 
> auditors (and CAs?) who do not understand the audit requirements, see below.
>
> ~~~
> SwissSign provided their annual audit statement:
> https://bug1142323.bmoattachments.org/attachment.cgi?id=8853299
>
> Problems noted in it:
> -- "Agreed-upon procedures engagement" - special words for audits - does not 
> necessarily encompass the full scope
> -- "surveillance certification audits" - does not necessarily mean a full 
> audit (which the BRs require annually)
> -- "point in time audit" -- this means that the auditor's evaluation only 
> covered that point in time (not a period in time)
> -- "only intended for the client" -- Doesn't meet Mozilla's requirement for 
> public-facing audit statement.
> -- "We were not engaged to and did not conduct an examination, the objective 
> of which would be the expression of an opinion on the Application for 
> Extended Validation (EV) Certificate. Accordingly, we do not express such an 
> opinion. Had we performed additional procedures, other matters might have 
> come to our attention that would have been reported to you." -- some of the 
> included root certs are enabled for EV treatment, so need an EV audit as well.
>
>
> According to section 8.1 of the CA/Browser Forum's Baseline Requirements:
> "Certificates that are capable of being used to issue new certificates MUST 
> ... be ... fully audited in line with all remaining requirements from this 
> section.
> ...
> The period during which the CA issues Certificates SHALL be divided into an 
> unbroken sequence of audit periods. An audit period MUST NOT exceed one year 
> in duration."
>
> So, a full period-in-time audit is required every year.
>
> After I voiced concern 
> (https://bugzilla.mozilla.org/show_bug.cgi?id=1142323#c27) the CA provided an 
> updated audit statement to address the concerns I had raised in the bug:
> https://bugzilla.mozilla.org/attachment.cgi?id=8867948
> I do not understand how the audit statement can magically change from 
> point-in-time to a period-in-time.
> ~~~
>
> I will greatly appreciate thoughtful and constructive input into this 
> discussion about what to do about this SwissSign audit situation, and if this 
> is an indicator that ETSI auditors are still not performing full annual 
> audits that satisfy the CA/Browser Forum's Baseline Requirements.

Kathleen,

It seems there is some confusion. The document presented would appear
to be a Verified Accountant Letter (as defined in the EV Guidelines)
and can be used as part of the process to validate a request for an EV
certificate. It is not an audit report and is not something normally
submitted to browsers.

I suspect someone simply attached the wrong document to an email or
uploaded the wrong document.  This makes no sense to be part of an
audit report.

Thanks,
Peter
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy