On Sun, Aug 26, 2018 at 11:25 PM reinhard.dietrich--- via
dev-security-policy <dev-security-policy@lists.mozilla.org> wrote:

> Dear all
>
> This is a joint answer to Wayne's request.
>
> It was mentioned that the audit period was exceeded. We would like to
> explain the situation and what was undertaken to avoid such a situation again.
>
> We are all aware that the audit period was exceeded by two months. However,
> the audit conducted in April 2018 also covers the 2-month extension. As
> you already mentioned, the reason is that SwissSign decided to change the
> auditors after 12 years for quality assurance reasons. Additionally, it is a
> best practice within the IT security world and the financial sector to
> change the external auditors on a regular basis.
> During the process, SwissSign defined some criteria in order to choose the
> new auditors; these are:
>
> The auditors shall:
> - possess knowledge and experience from years of performing PKI audits as
> a full-time job.
>
> - have experience in auditing different international CAs which are also
> included in the Root Stores.
>
> - take their time to understand in detail the processes, infrastructure,
> implementations, etc. of SwissSign.
> - support SwissSign in remaining conformant over time between the annual audits,
> e.g. by pre-assessments of new solutions/processes/applications before
> these go into live production.
> - be well known in the community.
> - be active in international and national working groups in order to keep
> their knowledge of the requirements up to date.
> - be / be going to be accredited to perform audits according to the relevant
> standards.
> - fulfil the requirements of BR 8.2 and BR 8.3.
>
>
> The whole process took its time because of the complexity of such a
> change. In the end, SwissSign decided to work together with the qualified
> auditors from TÜV Austria, who will perform all audits for all PKIs in the
> future. The upcoming audit for the Silver and Platinum PKI was performed as
> soon as the contract was agreed and signed.
> We would also like to point out that both PKIs are maintained under exactly
> the same physical, technical, organizational and logical conditions and
> measures as the Gold PKI, which was audited in October 2017.
> Additionally, the Platinum PKI is also audited according to Swiss law on
> an annual basis.
>
> In order to avoid exceeding the audit period again, the contract with the
> auditors was signed for the next several years, in order to ensure that the
> audits are planned and performed in time as required by the CA/B Forum and
> the Browser Root CA Policies. It is already planned that in September 2018 a
> new full audit for all PKIs (Silver, Platinum and Gold G2 and G3) will be
> performed. After the audit for all three PKIs, completely new audit
> attestations will be issued covering the period until the last audit day.
> This will be the starting point for a full annual audit for all PKIs together,
> so that there is no separation in time between them. Additionally, the audits
> for the next years are already planned, so that exceeding the audit period
> will be prevented.
>
I'm glad to hear that planning is being done to prevent future audit
problems. Reinhard, what will be the period covered by the September 2018
audits?

It occurs to me that Mozilla could accept the recently submitted audit
statements that cover 14 months by ignoring the extra two months. The next
audit period would need to end no later than March 8, 2019. Does anyone
have concerns with this?

Reinhard, what is SwissSign planning to do regarding the point-in-time
audit for the Silver G3 root?

>
> We hope that this sheds some light on the situation.
>
> Thanks and kindest regards
>
> Reinhard Dietrich
>
>
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
