On Monday, 9 March 2020 at 19:48:56 UTC+1, Kathleen Wilson wrote:
> This request is for inclusion of the Microsec e-Szigno Root CA 2017
> trust anchor and to EV-enable the currently included Microsec e-Szigno
> Root CA 2009 trust anchor as documented in the following bug:
> https://bugzilla.mozilla.org/show_bug.cgi?id=1445364
>
Thank you for opening the 3-week comment period for our inclusion request. First, let us give some background information regarding the findings of the auditor. Microsec is a qualified trust service provider in Hungary and operates under strong control and supervision. The yearly regular conformity assessment audit is made by the German TÜViT, which is one of the most stringent and thorough auditors in Europe. Based on that very deep and careful audit, TÜViT issues the audit reports and the attestation letters, which contain all of the findings. The findings are classified according to their weight. If the auditor finds any major non-conformity, the audit report is not issued at all. In the case of a minor non-conformity, the audit report is issued and the CA may continue its services, but the CA shall report the action taken to solve the findings within 3 months. In the case of a recommendation, the weight of the problem is low, and the CA shall solve the issue until the next audit (1 year). TÜViT includes both the minor non-conformities and the recommendations in the attestation letter, and the classification of the finding is not indicated in the report. There was no major issue during the Microsec audit, so TÜViT issued the certificates and the attestation letters to Microsec. Most of the findings were classified as recommendations. Microsec has applied remediations to all findings in a timely fashion, and all the remediations have been accepted by TÜViT. The other reason why Microsec may have a longer finding list than usual is that Microsec offers several types of services and issues several types of certificates for different purposes (webserver authentication, electronic signature, electronic seal, encryption, authentication etc.) on different trust levels (EU qualified and not qualified).
All of the certificates are issued under the same root, and there is no EKU to constrain most of the subordinate CAs from the BR audit; this way all the certificate types and CAs shall be covered by the audit, including certificates which are not in the scope of the BR. The higher number of certificate types and services may result in more findings during the audit, which can be unusual for a CA that offers only one service. The relatively high number of findings doesn't mean that Microsec is a bad CA, but means that TÜViT is a very thorough auditor.