Given the number of incidents documented over the past year [1][2] for misissuance and other nonconformities, I would expect many of the 2018 period-of-time WebTrust audit statements being submitted by CAs to include qualifications describing these matters. In some cases, that is exactly what we’re seeing. One of many positive examples is Deloitte’s report on Entrust [3] that includes 2 of the 3 issues documented in Bugzilla.
Unfortunately, we are also beginning to see some reports that don’t meet my expectations. I was surprised by GlobalSign’s clean reports [4] from Ernst & Young, but after examining their incident bugs, it appears that the only documented misissuance that occurred during their audit period was placing metadata in Subject fields. I can understand how this could be regarded as a minor nonconformity rather than a qualification, but I would have liked to at least see the issue noted in the reports.

Ernst & Young’s clean reports on Comodo CA [5] are the example that prompted this message. We have documented the following issues that occurred during Comodo’s last audit period:

* Misissuance using the "CNAME CSR Hash 2" method of domain control validation (bug 1461391)
* Assorted misissuances and failure to respond to an incident report within 24 hours (bug 1390981)
* CAA misissuance (bugs 1398545, 1410834, 1420858, and 1423624)

I would like to know if Comodo reported these issues to EY. I asked Comodo this question four weeks ago [6] but have not received a response.

I will acknowledge that ETSI audits are an even bigger problem (Actalis and SwissSign are recent examples [7][8][9]). Due to the structure of those audits, there is no provision for issuing a qualified report. WebTrust audits are theoretically much better in this regard, but only if auditors actually find and report on issues! I don’t think it is productive to expect auditors to search Bugzilla for a list of issues to copy into their reports, but I do think it is reasonable to question the competence and trustworthiness of the auditor when so many known issues are absent from their report. In this particular example, unless additional facts are presented, I plan to notate the auditor’s record in CCADB with this issue. We have documented a number of other issues with Ernst & Young, including the disqualification of their Hong Kong branch, but this is the first issue I’m aware of from their New York office.
We also recently received a very “good” qualified audit report from EY’s Denmark office on Telia [10].

- Wayne

[1] https://wiki.mozilla.org/CA/Incident_Dashboard
[2] https://wiki.mozilla.org/CA/Closed_Incidents
[3] https://www.entrustdatacard.com/-/media/documentation/licensingandagreements/entrust_baselinerequirements_2018.pdf?la=en&hash=BC08BAF5AE81B2EE66A2146EE7710FB2F4F33BA6
[4] https://bugzilla.mozilla.org/show_bug.cgi?id=1388488
[5] https://bugzilla.mozilla.org/show_bug.cgi?id=1472993
[6] https://bugzilla.mozilla.org/show_bug.cgi?id=1472993#c5
[7] https://www.actalis.it/documenti-en/actalisca_audit_statement_2018.aspx
[8] https://it-tuv.com/wp-content/uploads/2018/07/AA2018070301_Audit_Attestation_TA_CERT__SwissSign_Platinum_G2_signed.pdf
[9] https://it-tuv.com/wp-content/uploads/2018/07/AA2018070303_Audit_Attestation_TA_CERT__SwissSign_Silver_G2_signed.pdf
[10] https://bugzilla.mozilla.org/show_bug.cgi?id=1475115

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy