On Mon, Oct 30, 2017 at 5:50 PM, Kathleen Wilson via dev-security-policy <dev-security-policy@lists.mozilla.org> wrote:
> To give us a concrete example, here's a Bugzilla Bug that I filed this
> morning:
>
> https://bugzilla.mozilla.org/show_bug.cgi?id=1412950
>
> The CA's 2015-2016 audit was WebTrust.
>
> Their current audit statement is ETSI.
>
> When I filed the bug I thought there was a gap in auditing from March 10
> 2016 to January 29 2017.
>
> However, based on Ryan's explanation above, my understanding now is that
> the ETSI audit is a point-in-time audit, so the CA's activities from March
> 10 2016 until now have not been audited, with the exception of one month
> (January 30 to March 1 2017).
>
> Correct?

The auditor granted a certificate on 2017-06-21, after having made a determination to do so at some point earlier, based on their engagement of Phase 1 and Phase 2, which was conducted between January 30 and March 1, 2017.

There is no requirement that I can find - within 319 411-1, 319 411-2, 319 403, or 319 401 - that would require the CAB to evaluate or consider evidence from March 10 2016. In particular, 319 403 (7.4.5.2) states "The objective of the audit is to confirm and certify that the TSP and the trust services it provides complies with the applicable assessment criteria."

Thus, on the basis of the public information provided, I do not believe we have a sufficient level of assurance that the CA's activities between March 10 2016 until January 29 2017 were consistent. Further, given the opportunity for corrective actions without qualification, I do not believe we have a sufficient level of assurance that the CA's activities between January 30, 2017 and March 1, 2017 were consistent.

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy