Wayne,

Thanks for raising this. I definitely find it surprising to see nothing
noted on Comodo's report, as you call out.

As another datapoint, consider this recent audit that is reported to be
from DigiCert, by way of Amazon Trust Services' providing the audits for
their externally operated sub-CAs in [A]. The scope of the WebTrust BR
audit report in [B] contains in its scope "DigiCert ECC Extended Validation
Server CA" of
hash FDC8986CFAC4F35F1ACD517E0F61B879882AE076E2BA80B77BD3F0FE5CEF8862,
which [C]. During that time, this CA issued a cert [D] as part of their
improperly configured Onion issuance in [E], which was remediated in early
March, within the audit period for [B]. I couldn't find it listed in the
report.

Looking over that period, there were two other (resolved) DigiCert issues,
[F] and [G], which affect the CAs listed in scope of [B].

I was a bit surprised by this, as like you, I would have expected these to
be called out by both Management's Assertion and the auditor.
http://www.webtrust.org/practitioner-qualifications/docs/item85808.pdf
provides some of the illustrative reports, but it appears to only provide
templates for management on the result of obtaining a qualified report.

[A] https://bugzilla.mozilla.org/show_bug.cgi?id=1482930
[B] https://bug1482930.bmoattachments.org/attachment.cgi?id=8999669
[C] https://crt.sh/?id=23432431
[D] https://crt.sh/?id=351449246
[E] https://bugzilla.mozilla.org/show_bug.cgi?id=1447192
[F] https://bugzilla.mozilla.org/show_bug.cgi?id=1465600
[G] https://bugzilla.mozilla.org/show_bug.cgi?id=1398269#c29

On Tue, Aug 7, 2018 at 1:32 PM, Wayne Thayer via dev-security-policy <
dev-security-policy@lists.mozilla.org> wrote:

> Given the number of incidents documented over the past year [1][2] for
> misissuance and other nonconformities, I would expect many of the 2018
> period-of-time WebTrust audit statements being submitted by CAs to include
> qualifications describing these matters. In some cases, that is exactly
> what we’re seeing. One of many positive examples is Deloitte’s report on
> Entrust [3] that includes 2 of the 3 issues documented in Bugzilla.
>
> Unfortunately, we are also beginning to see some reports that don’t meet my
> expectations. I was surprised by GlobalSign’s clean reports [4] from Ernst
> & Young, but after examining their incident bugs, it appears that the only
> documented misissuance that occurred during their audit period was placing
> metadata in Subject fields. I can understand how this could be regarded as
> a minor nonconformity rather than a qualification, but I would have liked
> to at least see the issue noted in the reports.
>
> Ernst & Young’s clean reports on Comodo CA [5] is the example that prompted
> this message. We have documented the following issues that occurred during
> Comodo’s last audit period:
> * Misissuance using "CNAME CSR Hash 2" method of domain control validation
> (bug 1461391)
> * Assorted misissuances and failure to respond to an incident report within
> 24 hours (bug 1390981)
> * CAA misissuance (bugs 1398545,1410834, 1420858, and 1423624 )
>
> I would like to know if Comodo reported these issues to EY. I asked Comodo
> this question four weeks ago [6] but have not received a response.
>
> I will acknowledge that ETSI audits are an even bigger problem (Actalis and
> SwissSign are recent examples [7][8][9]). Due to the structure of those
> audits, there is no provision for issuing a qualified report. WebTrust
> audits are theoretically much better in this regard, but only if auditors
> actually find and report on issues! I don’t think it is productive to
> expect auditors to search Bugzilla for a list of issues to copy into their
> reports, but I do think it is reasonable to question the competence and
> trustworthiness of the auditor when so many known issues are absent from
> their report.
>
> In this particular example, unless additional facts are presented, I plan
> to notate the auditor’s record in CCADB with this issue. We have documented
> a number of other issues with Ernst & Young - including the
> disqualification of their Hong Kong branch - but this is the first issue
> I’m aware of from their New York office. We also recently received a very
> “good” qualified audit report from EY’s Denmark office on Telia [10].
>
> - Wayne
>
> [1] https://wiki.mozilla.org/CA/Incident_Dashboard
> [2] https://wiki.mozilla.org/CA/Closed_Incidents
> [3]
> https://www.entrustdatacard.com/-/media/documentation/
> licensingandagreements/entrust_baselinerequirements_2018.pdf?la=en&hash=
> BC08BAF5AE81B2EE66A2146EE7710FB2F4F33BA6
> [4] https://bugzilla.mozilla.org/show_bug.cgi?id=1388488
> [5] https://bugzilla.mozilla.org/show_bug.cgi?id=1472993
> [6] https://bugzilla.mozilla.org/show_bug.cgi?id=1472993#c5
> [7] https://www.actalis.it/documenti-en/actalisca_audit_
> statement_2018.aspx
> [8]
> https://it-tuv.com/wp-content/uploads/2018/07/AA2018070301_
> Audit_Attestation_TA_CERT__SwissSign_Platinum_G2_signed.pdf
> [9]
> https://it-tuv.com/wp-content/uploads/2018/07/AA2018070303_
> Audit_Attestation_TA_CERT__SwissSign_Silver_G2_signed.pdf
> [10] https://bugzilla.mozilla.org/show_bug.cgi?id=1475115
> _______________________________________________
> dev-security-policy mailing list
> dev-security-policy@lists.mozilla.org
> https://lists.mozilla.org/listinfo/dev-security-policy
>
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy

Reply via email to