Camerfirma has delivered point-in-time audits as required by Mozilla in response to the annual audit statements we received in July containing multiple qualifications. The new audit statements along with the history of this issue can be found at https://bugzilla.mozilla.org/show_bug.cgi?id=1478933
In my opinion, Camerfirma has completed their remediation of this issue. Please comment here or in the bug if you have any concerns. - Wayne On Thu, Sep 27, 2018 at 12:42 AM Ramiro Muñoz <rami...@camerfirma.com> wrote: > Hi Wayne > > All problems have already been resolved from our side and we wait for the > PIT audit planned for the next week. > We will be able to provide the PIT before October 31th. > > Best regards > Ramiro Muñoz Muñoz > AC Camerfirma SA. > CTO, Exploitation Manager, CISA. > +34 619 746 291 · rami...@camerfirma.com. > https://www.linkedin.com/in/ramirom. > ________________________________________ > Este mensaje, y en su caso, cualquier fichero anexo al mismo, puede > contener > información CONFIDENCIAL, siendo para uso exclusivo del destinatario, > quedando prohibida su divulgación copia o distribución a terceros. Si Vd. > ha > recibido este mensaje erróneamente, se ruega lo notifique al remitente y > proceda a su borrado. > De conformidad con lo establecido en el Reglamento UE 2016/679 de 27 de > abril de 2016 General de Protección de Datos, se le informa que la empresa > AC CAMERFIRMA, S.A. tratará la información que nos facilita con el > exclusivo > fin de cumplir con las obligaciones derivadas de la relación comercial o > contractual adquirida con usted y que sus datos no podrán ser objeto de > otro > tratamiento ni de cesión a terceros salvo en los casos en que exista una > obligación legal. > Usted tiene derecho a obtener confirmación acerca del tratamiento de sus > datos personales, y a ejercer sus derechos de acceso, rectificación, > supresión, limitación y portabilidad en el tratamiento, dirigiéndose a AC > CAMERFIRMA, S.A., mediante comunicación escrita remitida a la dirección C/ > Ribera del Loira 12 (28042) Madrid, o a la dirección electrónica > jurid...@camerfirma.com o a través de la web de incidencias disponible en > la > página web http://webcrm.camerfirma.com/incidencias/incidencias.php > > [EN] > This message, and if applicable, any file attached to it, may contain > CONFIDENTIAL information for the exclusive use of the recipient, being > prohibited its disclosure copy or distribution to third parties. If you > have > received this message incorrectly, please notify the sender and proceed > with > its deletion. > In accordance with the provisions of the EU Regulation 2016/679 of April > 27, > 2016 General Data Protection, you are informed that the company AC > CAMERFIRMA, S.A. will treat the information you provide us with the sole > purpose of complying with the obligations derived from the commercial or > contractual relationship acquired with you and that your data will not be > subject to another treatment or assignment to third parties except in cases > where there is an legal obligation. > You have the right to obtain confirmation about your personal data > treatement, and to exercise your rights of access, rectification, deletion, > limitation and portability, contacting AC CAMERFIRMA, SA, by written > communication sent to the address C / Ribera del Loira 12 (28042) Madrid, > or > to the legal address jurid...@camerfirma.com or through the website > http://webcrm.camerfirma.com/incidencias/incidencias.php > > > -----Mensaje original----- > De: dev-security-policy > [mailto:dev-security-policy-boun...@lists.mozilla.org] En nombre de Wayne > Thayer via dev-security-policy > Enviado el: jueves, 27 de septiembre de 2018 0:38 > Para: Ramiro Muñoz Muñoz <ramirommu...@gmail.com> > CC: mozilla-dev-security-policy > <mozilla-dev-security-pol...@lists.mozilla.org> > Asunto: Re: AC Camerfirma's CP & CPS disclosure > > Hello Ramiro, > > On Tue, Sep 4, 2018 at 3:13 PM Wayne Thayer <wtha...@mozilla.com> wrote: > > > Thank you for this response Ramiro. I have copied this to the bug [1] > > and have described Mozilla's expectations for point-in-time audits > > that confirm that these issues have been resolved. > > > > [1] https://bugzilla.mozilla.org/show_bug.cgi?id=1478933 > > > > On Tue, Sep 4, 2018 at 5:47 AM ramirommunoz--- via dev-security-policy > > < dev-security-policy@lists.mozilla.org> wrote: > > > >> > >> 7- List of steps your CA is taking to resolve the situation and > >> ensure such issuance will not be repeated in the future, accompanied > >> with a timeline of when your CA expects to accomplish these things. > >> > >> AC Camerfirma has made changes in the CP/CPS to fix the > >> inconsistences found by the auditor and will disseminate the > >> documents and the new procedures to avoid news problems in a future. > >> AC Camerfirma is working on correcting the imbalances detected and > >> the effective processes to ensure that the information offered by the > >> OCSP and the CRL is the same. > >> 2018-07-14 -> Qualified Audit Report > >> 2018-09-17 -> CPS & CP's new versions will be disclosed New > >> procedures and CPS/CP versions will be distributed among all affected > >> people in other to avoid new differences between CP/CPS New > >> procedures for self-assessment include full revision of OV > >> certificates. > >> Best control over changes in the BR version and modifications in AC > >> Camerfirma CP/CPS. > >> 2018-09-17 -> Finish a full review of the OCSP DDBB and > >> synchronization with the PKI DDBB. > >> 2018-09-24 -> fixed all inconsistences found. We've reviewed the > >> complete databases and checked the correct OCSP/PKI/CRL alignment, > >> correcting the problems found. > >> 2018-10-01 -> Technical control to avoid inconsistences. We've > >> improving the execution of the triggers and develop the controls that > >> confirm their correct operation. > >> 018-10-01 -> timely reports (weekly to monthly basic) to assure > >> technical controls are working and no new inconsistences are produced. > >> > >> Will you please provide an update on the remediation steps described > above, and timing for the point-in-time audit that will confirm that these > problems have been fixed? > _______________________________________________ > dev-security-policy mailing list > dev-security-policy@lists.mozilla.org > https://lists.mozilla.org/listinfo/dev-security-policy > _______________________________________________ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy
