Hello Ramiro, On Tue, Sep 4, 2018 at 3:13 PM Wayne Thayer <wtha...@mozilla.com> wrote:
> Thank you for this response Ramiro. I have copied this to the bug [1] and > have described Mozilla's expectations for point-in-time audits that confirm > that these issues have been resolved. > > [1] https://bugzilla.mozilla.org/show_bug.cgi?id=1478933 > > On Tue, Sep 4, 2018 at 5:47 AM ramirommunoz--- via dev-security-policy < > dev-security-policy@lists.mozilla.org> wrote: > >> >> 7- List of steps your CA is taking to resolve the situation and ensure >> such issuance will not be repeated in the future, accompanied with a >> timeline of when your CA expects to accomplish these things. >> >> AC Camerfirma has made changes in the CP/CPS to fix the inconsistences >> found by the auditor and will disseminate the documents and the new >> procedures to avoid news problems in a future. >> AC Camerfirma is working on correcting the imbalances detected and the >> effective processes to ensure that the information offered by the OCSP and >> the CRL is the same. >> 2018-07-14 -> Qualified Audit Report >> 2018-09-17 -> CPS & CP's new versions will be disclosed >> New procedures and CPS/CP versions will be distributed among all affected >> people in other to avoid new differences between CP/CPS >> New procedures for self-assessment include full revision of OV >> certificates. >> Best control over changes in the BR version and modifications in AC >> Camerfirma CP/CPS. >> 2018-09-17 -> Finish a full review of the OCSP DDBB and synchronization >> with the PKI DDBB. >> 2018-09-24 -> fixed all inconsistences found. We've reviewed the complete >> databases and checked the correct OCSP/PKI/CRL alignment, correcting the >> problems found. >> 2018-10-01 -> Technical control to avoid inconsistences. We've improving >> the execution of the triggers and develop the controls that confirm their >> correct operation. >> 018-10-01 -> timely reports (weekly to monthly basic) to assure technical >> controls are working and no new inconsistences are produced. >> >> Will you please provide an update on the remediation steps described above, and timing for the point-in-time audit that will confirm that these problems have been fixed? _______________________________________________ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy