I went ahead and noted these DigiCert audits as a concern on the CCADB record for Scott S. Perry CPA, PLLC.
I do think it's important for CAs to disclose these issues to their auditors, but I also expect auditors to discover them. - Wayne On Wed, Aug 15, 2018 at 8:21 AM Ben Wilson <ben.wil...@digicert.com> wrote: > Re-sending > > -----Original Message----- > From: Ben Wilson > Sent: Wednesday, August 15, 2018 8:34 AM > To: 'r...@sleevi.com' <r...@sleevi.com>; Wayne Thayer <wtha...@mozilla.com > > > Cc: mozilla-dev-security-policy < > mozilla-dev-security-pol...@lists.mozilla.org> > Subject: RE: Misissuance and BR Audit Statements > > Thanks, Ryan and Wayne, > > Going forward we'll work to improve our management letter disclosures to > include reported mis-issuances during the audit period. > > Sincerely yours, > > Ben > > -----Original Message----- > From: dev-security-policy <dev-security-policy-boun...@lists.mozilla.org> > On Behalf Of Ryan Sleevi via dev-security-policy > Sent: Monday, August 13, 2018 3:57 PM > To: Wayne Thayer <wtha...@mozilla.com> > Cc: mozilla-dev-security-policy < > mozilla-dev-security-pol...@lists.mozilla.org> > Subject: Re: Misissuance and BR Audit Statements > > Wayne, > > Thanks for raising this. I definitely find it surprising to see nothing > noted on Comodo's report, as you call out. > > As another datapoint, consider this recent audit that is reported to be > from DigiCert, by way of Amazon Trust Services' providing the audits for > their externally operated sub-CAs in [A]. The scope of the WebTrust BR > audit report in [B] contains in its scope "DigiCert ECC Extended Validation > Server CA" of hash > FDC8986CFAC4F35F1ACD517E0F61B879882AE076E2BA80B77BD3F0FE5CEF8862, > which [C]. During that time, this CA issued a cert [D] as part of their > improperly configured Onion issuance in [E], which was remediated in early > March, within the audit period for [B]. I couldn't find it listed in the > report. > > Looking over that period, there were two other (resolved) DigiCert issues, > [F] and [G], which affect the CAs listed in scope of [B]. > > I was a bit surprised by this, as like you, I would have expected these to > be called out by both Management's Assertion and the auditor. > http://www.webtrust.org/practitioner-qualifications/docs/item85808.pdf > provides some of the illustrative reports, but it appears to only provide > templates for management on the result of obtaining a qualified report. > > [A] https://bugzilla.mozilla.org/show_bug.cgi?id=1482930 > [B] https://bug1482930.bmoattachments.org/attachment.cgi?id=8999669 > [C] https://crt.sh/?id=23432431 > [D] https://crt.sh/?id=351449246 > [E] https://bugzilla.mozilla.org/show_bug.cgi?id=1447192 > [F] https://bugzilla.mozilla.org/show_bug.cgi?id=1465600 > [G] https://bugzilla.mozilla.org/show_bug.cgi?id=1398269#c29 > > On Tue, Aug 7, 2018 at 1:32 PM, Wayne Thayer via dev-security-policy < > dev-security-policy@lists.mozilla.org> wrote: > > > Given the number of incidents documented over the past year [1][2] for > > misissuance and other nonconformities, I would expect many of the 2018 > > period-of-time WebTrust audit statements being submitted by CAs to > > include qualifications describing these matters. In some cases, that > > is exactly what we’re seeing. One of many positive examples is > > Deloitte’s report on Entrust [3] that includes 2 of the 3 issues > documented in Bugzilla. > > > > Unfortunately, we are also beginning to see some reports that don’t > > meet my expectations. I was surprised by GlobalSign’s clean reports > > [4] from Ernst & Young, but after examining their incident bugs, it > > appears that the only documented misissuance that occurred during > > their audit period was placing metadata in Subject fields. I can > > understand how this could be regarded as a minor nonconformity rather > > than a qualification, but I would have liked to at least see the issue > noted in the reports. > > > > Ernst & Young’s clean reports on Comodo CA [5] is the example that > > prompted this message. We have documented the following issues that > > occurred during Comodo’s last audit period: > > * Misissuance using "CNAME CSR Hash 2" method of domain control > > validation (bug 1461391) > > * Assorted misissuances and failure to respond to an incident report > > within > > 24 hours (bug 1390981) > > * CAA misissuance (bugs 1398545,1410834, 1420858, and 1423624 ) > > > > I would like to know if Comodo reported these issues to EY. I asked > > Comodo this question four weeks ago [6] but have not received a response. > > > > I will acknowledge that ETSI audits are an even bigger problem > > (Actalis and SwissSign are recent examples [7][8][9]). Due to the > > structure of those audits, there is no provision for issuing a > > qualified report. WebTrust audits are theoretically much better in > > this regard, but only if auditors actually find and report on issues! > > I don’t think it is productive to expect auditors to search Bugzilla > > for a list of issues to copy into their reports, but I do think it is > > reasonable to question the competence and trustworthiness of the > > auditor when so many known issues are absent from their report. > > > > In this particular example, unless additional facts are presented, I > > plan to notate the auditor’s record in CCADB with this issue. We have > > documented a number of other issues with Ernst & Young - including the > > disqualification of their Hong Kong branch - but this is the first > > issue I’m aware of from their New York office. We also recently > > received a very “good” qualified audit report from EY’s Denmark office > on Telia [10]. > > > > - Wayne > > > > [1] https://wiki.mozilla.org/CA/Incident_Dashboard > > [2] https://wiki.mozilla.org/CA/Closed_Incidents > > [3] > > https://www.entrustdatacard.com/-/media/documentation/ > > licensingandagreements/entrust_baselinerequirements_2018.pdf?la=en&has > > h= > > BC08BAF5AE81B2EE66A2146EE7710FB2F4F33BA6 > > [4] https://bugzilla.mozilla.org/show_bug.cgi?id=1388488 > > [5] https://bugzilla.mozilla.org/show_bug.cgi?id=1472993 > > [6] https://bugzilla.mozilla.org/show_bug.cgi?id=1472993#c5 > > [7] https://www.actalis.it/documenti-en/actalisca_audit_ > > statement_2018.aspx > > [8] > > https://it-tuv.com/wp-content/uploads/2018/07/AA2018070301_ > > Audit_Attestation_TA_CERT__SwissSign_Platinum_G2_signed.pdf > > [9] > > https://it-tuv.com/wp-content/uploads/2018/07/AA2018070303_ > > Audit_Attestation_TA_CERT__SwissSign_Silver_G2_signed.pdf > > [10] https://bugzilla.mozilla.org/show_bug.cgi?id=1475115 > > _______________________________________________ > > dev-security-policy mailing list > > dev-security-policy@lists.mozilla.org > > https://lists.mozilla.org/listinfo/dev-security-policy > > > _______________________________________________ > dev-security-policy mailing list > dev-security-policy@lists.mozilla.org > https://lists.mozilla.org/listinfo/dev-security-policy > _______________________________________________ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy