Kurt,

Thank you for raising this issue.
As documented in the bug you referenced, there was a good deal of confusion about Mozilla's acceptance (or not) of SwissSign's 2017 audit statements. Mozilla rejected the first statements and then asked questions about the second set of statements but never clearly rejected them. A verbal agreement was reached that SwissSign would obtain new audits, but it resulted in only one of their 3 included roots being re-audited later in 2017. Given the lack of documentation, I am willing to accept that as a misunderstanding of scope between Mozilla and SwissSign. The result is that we have 2017 audit statements in CCADB that are marked as having been accepted despite the significant concerns that were raised in the bug you referenced.

I believe the fact that the audit period extended for more than a year was caused by SwissSign's (understandable) decision to use a different auditor this year. However, I agree that this is a problem because it directly contradicts BR section 8.1 which states "An audit period MUST NOT exceed one year in duration" and Mozilla's requirement that "Full-surveillance period-of-time audits MUST be conducted and updated audit information provided no less frequently than annually". I believe these new audit statements (both for the Platinum and Silver roots) should be rejected on that basis, and I would also welcome a response from SwissSign and/or their auditors. In addition, Kathleen is researching why this was not flagged by CCADB when the audit cases were processed.

When choosing to switch auditors for 2018, SwissSign asked Mozilla to permit them to use TUV Austria prior to the firm's formal eIDAS accreditation. Given that the individuals performing the audits were well-known as auditors for TUV Germany who moved to the Austrian entity, Mozilla agreed to this exception as permitted under Root Store Policy section 3.2. TUV Austria has since informed us that they have received their accreditation.
Finally, the audit submitted for the (not yet included) SwissSign Silver G3 root is point-in-time, and thus not acceptable as documented in https://bugzilla.mozilla.org/show_bug.cgi?id=1142323#c44. I have discussed this with SwissSign's auditors, and their belief was that a point-in-time report is appropriate when no certificates have been issued from a root during the period. I do not agree with this interpretation and plan to have further discussions with ETSI folks on this topic (WebTrust has already confirmed that it is possible to report on a root over a period-of-time even when no issuance has occurred). Meanwhile, I believe that TUV Austria may reissue the reports for this root as period-of-time since the audits themselves covered the entire period.

- Wayne

On Wed, Aug 22, 2018 at 1:32 AM Kurt Roeckx via dev-security-policy <dev-security-policy@lists.mozilla.org> wrote:

> On 2018-08-21 21:03, Kathleen Wilson wrote:
> > Mozilla: Overdue Audit Statements
> > Root Certificates:
> > SwissSign Platinum CA - G2**
> >
> > ** Audit Case in the Common CA Database is under review for this root certificate.
> >
> > Standard Audit: https://bugzilla.mozilla.org/attachment.cgi?id=8861552
> > Audit Statement Date: 2017-03-30
> > BR Audit: https://bugzilla.mozilla.org/attachment.cgi?id=8861552
> > BR Audit Statement Date: 2017-03-30
> > CA Comments: null
>
> Is this not properly marked in the database?
>
> I found https://bugzilla.mozilla.org/show_bug.cgi?id=1374381, which seems to be related to it, and was closed.
>
> The linked audits there:
> - For one claiming the period covering 2015: The statement does not state which period was covered.
> - For one claiming the period covering 2016: The statement does not state which period was covered. A previous report from the auditor for that period stated that it was a point in time audit.
>   The changed report removed this sentence: "KPMG has performed a point in time audit. The reference date is 8 March 2017."
>   and replaced
>   "We were not engaged to and did not conduct an examination, the object of which would be the expression of an opinion on the Application for Extended Validation (EV) Certificate. Accordingly, we do not express such an opinion. Had we performed additional procedures, other matters might have come to our attention that would have been reported to you"
>   with:
>   "KPMG has assessed the architecture, operation and procedures on a sample approach although we have not assessed every configuration setting on technical devices."
> - The report from a new auditor covered the period: March, 9th 2017 until June, 6th 2018, which is longer than 1 year.
>
>
> Kurt
> _______________________________________________
> dev-security-policy mailing list
> dev-security-policy@lists.mozilla.org
> https://lists.mozilla.org/listinfo/dev-security-policy