On Thursday, April 25, 2019 at 21:19:34 UTC+2, Wayne Thayer wrote:
> Since this is a separate, serious issue, I filed a new bug and requested an
> incident report: https://bugzilla.mozilla.org/show_bug.cgi?id=1547072
>
> I added this to the issues list as Issue G:
> https://wiki.mozilla.org/CA/Certinomis_Issues
>
> I also added a summary of the response received yesterday from Certinomis
> to issue F.3: Inadequate Controls on Production Testing
>
> On Thu, Apr 25, 2019 at 9:30 AM Ryan Sleevi <r...@sleevi.com> wrote:
>
>> On Wed, Apr 17, 2019 at 5:22 PM Wayne Thayer via dev-security-policy <
>> dev-security-policy@lists.mozilla.org> wrote:
>>
>>> Yesterday, Andrew Ayer filed a bug [1] identifying 14 pre-certificates
>>> issued by Certinomis in February 2019 containing an unregistered domain
>>> name. Since the cause described in the incident report is similar, I added
>>> this under issue F.1.
>>>
>>
>> In the course of investigating this bug [1], it further appears that
>> Certinomis has continued to use method 3.2.2.4.5 to validate domains,
>> despite it being formally prohibited in the Baseline Requirements 8 months
>> ago, in August 2018.
>>
>> [1] https://bugzilla.mozilla.org/show_bug.cgi?id=1544933#c8

Below is to clarify Wayne's summary related to Certinomis (Issue C: Audit Issues (2015-2018)).

Generally speaking, a CAB cannot decide to perform an audit against CAB/forum requirements unless a formal order is made by the TSP. It is not up to the CAB to enforce the "no gap" rules between two audits. This is exactly what happened with Certinomis, where we performed audits on request.

2015 assessment report: this is not an "audit attestation" for the browsers but a certificate of conformity that claims conformance to a French regulation called RGS, which implied ETSI standards compliance but not CAB/forum audit compliance. LSTI was not informed that Certinomis provided this document as an "audit attestation", nor that Mozilla accepted it.
2016 assessment report: this is indeed an attestation letter that LSTI issued at Certinomis's request. It covers the period from 13 May 2015 to 13 May 2016. LSTI provided an annual audit, as Certinomis could have been audited by another CAB before 2015.

2017 assessment report: LSTI did not issue any "audit attestation" for the browsers to Certinomis in 2017. The document Wayne references is a "Conformity Assessment Report" for the eIDAS regulation.

2018 assessment report: this was due at the end of October but was not received by Mozilla until 23 November. At that time LSTI faced a huge increase in its activity and the auditors were a little overwhelmed, which created the extra delay in providing the report and the "audit attestation".
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy