Comodo responded to my question about disclosure of incidents to their auditor with the following statement [1]:
It turns out that we did not disclose these to EY. That was down to Comodo CA not offering the evidence of these events during the audit evidence gathering phase. It was not our intention to mislead and we regret this short-coming on our part. We have amended our own internal audit process to make sure these are gathered up as part of the evidence pack to go to the auditors in future audit cycles. I think we should make it a Mozilla program requirement that CAs disclose incidents and misissuance to their auditors [2]. - Wayne [1] https://bugzilla.mozilla.org/show_bug.cgi?id=1472993#c15 [2] https://github.com/mozilla/pkipolicy/issues/154 On Wed, Aug 15, 2018 at 12:09 PM Wayne Thayer <wtha...@mozilla.com> wrote: > I went ahead and noted these DigiCert audits as a concern on the CCADB > record for Scott S. Perry CPA, PLLC. > > I do think it's important for CAs to disclose these issues to their > auditors, but I also expect auditors to discover them. > > - Wayne > > On Wed, Aug 15, 2018 at 8:21 AM Ben Wilson <ben.wil...@digicert.com> > wrote: > >> Re-sending >> >> -----Original Message----- >> From: Ben Wilson >> Sent: Wednesday, August 15, 2018 8:34 AM >> To: 'r...@sleevi.com' <r...@sleevi.com>; Wayne Thayer < >> wtha...@mozilla.com> >> Cc: mozilla-dev-security-policy < >> mozilla-dev-security-pol...@lists.mozilla.org> >> Subject: RE: Misissuance and BR Audit Statements >> >> Thanks, Ryan and Wayne, >> >> Going forward we'll work to improve our management letter disclosures to >> include reported mis-issuances during the audit period. >> >> Sincerely yours, >> >> Ben >> >> -----Original Message----- >> From: dev-security-policy <dev-security-policy-boun...@lists.mozilla.org> >> On Behalf Of Ryan Sleevi via dev-security-policy >> Sent: Monday, August 13, 2018 3:57 PM >> To: Wayne Thayer <wtha...@mozilla.com> >> Cc: mozilla-dev-security-policy < >> mozilla-dev-security-pol...@lists.mozilla.org> >> Subject: Re: Misissuance and BR Audit Statements >> >> Wayne, >> >> Thanks for raising this. I definitely find it surprising to see nothing >> noted on Comodo's report, as you call out. >> >> As another datapoint, consider this recent audit that is reported to be >> from DigiCert, by way of Amazon Trust Services' providing the audits for >> their externally operated sub-CAs in [A]. The scope of the WebTrust BR >> audit report in [B] contains in its scope "DigiCert ECC Extended Validation >> Server CA" of hash >> FDC8986CFAC4F35F1ACD517E0F61B879882AE076E2BA80B77BD3F0FE5CEF8862, >> which [C]. During that time, this CA issued a cert [D] as part of their >> improperly configured Onion issuance in [E], which was remediated in early >> March, within the audit period for [B]. I couldn't find it listed in the >> report. >> >> Looking over that period, there were two other (resolved) DigiCert >> issues, [F] and [G], which affect the CAs listed in scope of [B]. >> >> I was a bit surprised by this, as like you, I would have expected these >> to be called out by both Management's Assertion and the auditor. >> http://www.webtrust.org/practitioner-qualifications/docs/item85808.pdf >> provides some of the illustrative reports, but it appears to only provide >> templates for management on the result of obtaining a qualified report. >> >> [A] https://bugzilla.mozilla.org/show_bug.cgi?id=1482930 >> [B] https://bug1482930.bmoattachments.org/attachment.cgi?id=8999669 >> [C] https://crt.sh/?id=23432431 >> [D] https://crt.sh/?id=351449246 >> [E] https://bugzilla.mozilla.org/show_bug.cgi?id=1447192 >> [F] https://bugzilla.mozilla.org/show_bug.cgi?id=1465600 >> [G] https://bugzilla.mozilla.org/show_bug.cgi?id=1398269#c29 >> >> On Tue, Aug 7, 2018 at 1:32 PM, Wayne Thayer via dev-security-policy < >> dev-security-policy@lists.mozilla.org> wrote: >> >> > Given the number of incidents documented over the past year [1][2] for >> > misissuance and other nonconformities, I would expect many of the 2018 >> > period-of-time WebTrust audit statements being submitted by CAs to >> > include qualifications describing these matters. In some cases, that >> > is exactly what we’re seeing. One of many positive examples is >> > Deloitte’s report on Entrust [3] that includes 2 of the 3 issues >> documented in Bugzilla. >> > >> > Unfortunately, we are also beginning to see some reports that don’t >> > meet my expectations. I was surprised by GlobalSign’s clean reports >> > [4] from Ernst & Young, but after examining their incident bugs, it >> > appears that the only documented misissuance that occurred during >> > their audit period was placing metadata in Subject fields. I can >> > understand how this could be regarded as a minor nonconformity rather >> > than a qualification, but I would have liked to at least see the issue >> noted in the reports. >> > >> > Ernst & Young’s clean reports on Comodo CA [5] is the example that >> > prompted this message. We have documented the following issues that >> > occurred during Comodo’s last audit period: >> > * Misissuance using "CNAME CSR Hash 2" method of domain control >> > validation (bug 1461391) >> > * Assorted misissuances and failure to respond to an incident report >> > within >> > 24 hours (bug 1390981) >> > * CAA misissuance (bugs 1398545,1410834, 1420858, and 1423624 ) >> > >> > I would like to know if Comodo reported these issues to EY. I asked >> > Comodo this question four weeks ago [6] but have not received a >> response. >> > >> > I will acknowledge that ETSI audits are an even bigger problem >> > (Actalis and SwissSign are recent examples [7][8][9]). Due to the >> > structure of those audits, there is no provision for issuing a >> > qualified report. WebTrust audits are theoretically much better in >> > this regard, but only if auditors actually find and report on issues! >> > I don’t think it is productive to expect auditors to search Bugzilla >> > for a list of issues to copy into their reports, but I do think it is >> > reasonable to question the competence and trustworthiness of the >> > auditor when so many known issues are absent from their report. >> > >> > In this particular example, unless additional facts are presented, I >> > plan to notate the auditor’s record in CCADB with this issue. We have >> > documented a number of other issues with Ernst & Young - including the >> > disqualification of their Hong Kong branch - but this is the first >> > issue I’m aware of from their New York office. We also recently >> > received a very “good” qualified audit report from EY’s Denmark office >> on Telia [10]. >> > >> > - Wayne >> > >> > [1] https://wiki.mozilla.org/CA/Incident_Dashboard >> > [2] https://wiki.mozilla.org/CA/Closed_Incidents >> > [3] >> > https://www.entrustdatacard.com/-/media/documentation/ >> > licensingandagreements/entrust_baselinerequirements_2018.pdf?la=en&has >> > h= >> > BC08BAF5AE81B2EE66A2146EE7710FB2F4F33BA6 >> > [4] https://bugzilla.mozilla.org/show_bug.cgi?id=1388488 >> > [5] https://bugzilla.mozilla.org/show_bug.cgi?id=1472993 >> > [6] https://bugzilla.mozilla.org/show_bug.cgi?id=1472993#c5 >> > [7] https://www.actalis.it/documenti-en/actalisca_audit_ >> > statement_2018.aspx >> > [8] >> > https://it-tuv.com/wp-content/uploads/2018/07/AA2018070301_ >> > Audit_Attestation_TA_CERT__SwissSign_Platinum_G2_signed.pdf >> > [9] >> > https://it-tuv.com/wp-content/uploads/2018/07/AA2018070303_ >> > Audit_Attestation_TA_CERT__SwissSign_Silver_G2_signed.pdf >> > [10] https://bugzilla.mozilla.org/show_bug.cgi?id=1475115 >> > _______________________________________________ >> > dev-security-policy mailing list >> > dev-security-policy@lists.mozilla.org >> > https://lists.mozilla.org/listinfo/dev-security-policy >> > >> _______________________________________________ >> dev-security-policy mailing list >> dev-security-policy@lists.mozilla.org >> https://lists.mozilla.org/listinfo/dev-security-policy >> > _______________________________________________ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy
