On Monday, June 19, 2017 at 12:21:46 PM UTC-7, Peter Bowen wrote:
> It seems there is some confusion. The document presented would appear
> to be a Verified Accountant Letter (as defined in the EV Guidelines)
> and can be used as part of the process to validate a request for an EV
> certificate. It is not an audit report and is not something normally
> submitted to browsers.

Yet, it is the document that was provided to root store operators as the annual audit statement. And there has been plenty of time in Bug #1142323 for that to have been rectified.

As reference, here is the audit statement that was provided in 2016:
https://bug343756.bmoattachments.org/attachment.cgi?id=8781268
It says:
"KPMG has executed a main certification audit in year 2013, and surveillance certification audits in 2014 and 2015..."
"We were engaged to conduct the annual examinations, with the objective of which would be the expression of an opinion on the application for Extended Validation (EV) Certificates. Accordingly we do express our positive opinion and provide you confirmation that the requirements were fulfilled during the annual certification audits..."

In the audit statement in question
(https://bug1142323.bmoattachments.org/attachment.cgi?id=8853299)
it says:
"KPMG has executed a main certification audit in year 2017..."

So I took that to mean that this was intended to be their annual audit statement, and the format is very similar to the audit statement from the previous year.

But as I read through it I noticed phrases like "point in time audit". And then it said:
"We were not engaged to and did not conduct an examination, the objective of which would be the expression of an opinion on the Application for Extended Validation (EV) Certificate. Accordingly, we do not express such an opinion. Had we performed additional procedures, other matters might have come to our attention that would have been reported to you."

This is very different from the statement the previous year.

Thanks,
Kathleen
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy