Update: I heard back from Certinomis quickly. They provided the following
attestation statement from LSTI dated 23-November on the same day. The
audit was conducted back in July, so we still need an explanation from
Certinomis of why it took LSTI so long to provide the report.

https://bugzilla.mozilla.org/attachment.cgi?id=9027230

Unfortunately, the audit period listed in the report begins a week after
the prior audit period ended. Certinomis says that this is a reporting
mistake, so I have asked them to provide an updated attestation statement
from LSTI.

- Wayne

On Tue, Nov 20, 2018 at 5:00 PM Wayne Thayer <wtha...@mozilla.com> wrote:

> Thanks for pointing this out, Kurt. The Certinomis / Docapost audit report
> is now almost one month late. Also, last week the Certinomis representative
> informed root programs that he was leaving his post and two others would be
> taking his place. I have just emailed the two new representatives and asked
> them to explain when we will see the audit report. I'm also concerned about
> their numerous compliance bugs.
>
> - Wayne
>
> On Tue, Nov 20, 2018 at 3:15 PM Kurt Roeckx via dev-security-policy <
> dev-security-policy@lists.mozilla.org> wrote:
>
>> On Tue, Oct 23, 2018 at 02:35:37PM -0700, Kathleen Wilson via
>> dev-security-policy wrote:
>> > > > Mozilla: Audit Reminder
>> > > > Root Certificates:
>> > > >     Certinomis - Root CA
>> > > > Standard Audit:
>> > > > https://bug937589.bmoattachments.org/attachment.cgi?id=8898169
>> > > > Audit Statement Date: 2017-07-24
>> > > > BR Audit:
>> > > > https://bug937589.bmoattachments.org/attachment.cgi?id=8898169
>> > > > BR Audit Statement Date: 2017-07-24
>> > > > CA Comments: null
>> > >
>> > > This seems to be in French, and does not seem to even indicate
>> > > when the audit was done, just that the report itself is valid for
>> > > 2 years.
>> >
>> > Our official requirement for the audit statements to be in English is new in
>> > version 2.6 of our policy (effective date July 1, 2018). Also, last July we
>> > were still having difficulty getting the ETSI auditors on board with
>> > specifying audit periods in their audit statements.
>>
>> So it seems nothing changed related to this in the last month,
>> they are clearly late in providing a new audit statement.
>>
>>
>> Kurt
>>
>>
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
