On 9/11/14, 2:08 AM, [email protected] wrote:
> Dear Mozilla Community,
> This is an unofficial statement from the Auditor (DNBCONS) in order to clarify
> certain points discussed on this thread:

Thank you for bringing this to our attention.
From the BR audit statement that was provided:
https://bug555156.bugzilla.mozilla.org/attachment.cgi?id=8401262
"We have audited the performed Assertion by the ANF Autoridad de
Certificacion Management, (hereinafter, ANF AC) according its services
as Certification Authority for issuing SSL certificates (through the
“ANF High Assurance EV CA1” subordinate issued by “ANF Global Root CA”)
as of March 31st 2014."
....
"Our audit was conducted in accordance with standards for assurance
engagements established by the AICPA/CICA and, accordingly, included (1)
obtaining an understanding of ANF AC’ SSL certificate life cycle
management practices and procedures, including its relevant controls
over the issuance, renewal and revocation of SSL certificates; (2)
evaluating the suitability of the design of the controls; and (3)
performing such other procedures as we considered necessary in
the circumstances."
So, apparently the audit did not include the “ANF Server CA” certificate
and hierarchy.

ANF, is there a reason why the "ANF Server CA" is not mentioned in the
audit statements?

Kathleen
_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy