On 2018-08-21 21:03, Kathleen Wilson wrote:
Mozilla: Overdue Audit Statements
Root Certificates:
SwissSign Platinum CA - G2**
** Audit Case in the Common CA Database is under review for this root
certificate.
Standard Audit: https://bugzilla.mozilla.org/attachment.cgi?id=8861552
Audit Statement Date: 2017-03-30
BR Audit: https://bugzilla.mozilla.org/attachment.cgi?id=8861552
BR Audit Statement Date: 2017-03-30
CA Comments: null
Is this not properly marked in the database?
I found https://bugzilla.mozilla.org/show_bug.cgi?id=1374381, which
seems to be related to it, and was closed.
The linked audits there:
- For one claiming the period covering 2015: The statement does not
state which period was covered.
- For one claiming the period covering 2016: The statement does not
state which period was covered. A previous report from the auditor for
that period stated that it was a point in time audit.
The changed report removed this sentence: "KPMG has performed a point in
time audit. The reference date is 8 March 2017." and replaced
"We were not engaged to and did not conduct an examination, the object
of which would be the expression of an opinion on the Application for
Extended Validation (EV) Certificate. Accordingly, we do not express
such an opinion. Had we performed additional procedures, other matters
might have come to our attention that would have been reported to you"
with:
"KPMG has assessed the architecture, operation and procedures on a
sample approach although we have not assessed every configuration
setting on technical devices."
- The report from a new auditor covered the period: March, 9th 2017
until June, 6th 2018, which is longer than 1 year.
Kurt
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy