Dear Mozilla Community,

This is an unofficial statement from the Auditor (DNBCONS) in order to clarify certain points discussed on this thread:

1) It is important to read the *Scope* of our Audits promptly. As you can see, the "ANF Server CA" hierarchy is not in the scope of any of the Audit Reports regarding this request/thread. Thus we cannot give an Audit opinion regarding "ANF Server CA" and the stated concerns shown in this request/thread.

2) Additionally, the WT EV Audit was "Point of Time". We reviewed the unique sample EV certificate issued in the Audit Dates and in our Auditor's opinion it was compliant and obviously it included the serialNumber as required by section 9.2.6 and it was issued to a legal entity (in Spain a physical person can act as a legal entity - Freelance Worker/"Empresario Autónomo"). However, the sample EV certificate included in this request/thread was not audited by us in the Audit Dates and it is different from the audited one.

We would like to remark that the Audit was conducted in accordance with standards for assurance engagements of WebTrust and we don't observe any mistake in our audit procedures in this particular engagement. We should remember that the projection of any conclusions based on our findings (in a Point of Time Audit) to future periods subsequent to the date of our report is subject to the risk that there may be: (1) changes made to the system or controls; (2) changes in processing requirements; (3) changes required because of the passage of time; or (4) degree of compliance with the policies or procedures may alter the validity of such conclusions.

We appreciate the efforts of the Mozilla Community to improve global CA security, and please don't hesitate to contact us for further details.

