Franck Leroy explained that LSTI was about to deliver the audit letter to Certinomis, but regarding the recent issue with TUV-IT, LSTI decided to postpone any attestation letter and to do further investigation on all their PTC CA clients" Certinomis had to provide further information to the LSTI, before they would issue their audit statement.
In a second time,in December 2018, LSTI explained that the 3 months delay to provide the final audit statement result of an overload work of their auditors so they delayed the validation of the Audit Le lundi 26 novembre 2018 22:39:45 UTC+1, Wayne Thayer a écrit : > Update: I heard back from Certinomis quickly. They provided the following > attestation statement from LSTI dated 23-November on the same day. The > audit was conducted back in July, so we still need an explanation from > Certinomis of why it took LSTI so long to provide the report. > > https://bugzilla.mozilla.org/attachment.cgi?id=9027230 > > Unfortunately, the audit period listed in the report begins a week after > the prior audit period ended. Certinomis says that this is a reporting > mistake, so I have asked them to provide an updated attestation statement > from LSTI. > > - Wayne > > On Tue, Nov 20, 2018 at 5:00 PM Wayne Thayer <wtha...@mozilla.com> wrote: > > > Thanks for pointing this out Kurt. The Certinomis / Docapost audit report > > is now almost one month late. Also, last week the Certinomis representative > > informed root programs that he was leaving his post and two others would be > > taking his place. I have just emailed the two new representatives and asked > > them to explain when we will see the audit report. I'm also concerned about > > their numerous compliance bugs. > > > > - Wayne > > > > On Tue, Nov 20, 2018 at 3:15 PM Kurt Roeckx via dev-security-policy < > > dev-security-policy@lists.mozilla.org> wrote: > > > >> On Tue, Oct 23, 2018 at 02:35:37PM -0700, Kathleen Wilson via > >> dev-security-policy wrote: > >> > > > Mozilla: Audit Reminder > >> > > > Root Certificates: > >> > > > Certinomis - Root CA > >> > > > Standard Audit: > >> > > > https://bug937589.bmoattachments.org/attachment.cgi?id=8898169 > >> > > > Audit Statement Date: 2017-07-24 > >> > > > BR Audit: > >> https://bug937589.bmoattachments.org/attachment.cgi?id=8898169 > >> > > > BR Audit Statement Date: 2017-07-24 > >> > > > CA Comments: null > >> > > > >> > > This seems to be in French, and does not seem to even indicate > >> > > when the audit was done, just that the report itself is valid for > >> > > 2 years. > >> > > >> > Our official requirement for the audit statements to be in English is > >> new in > >> > version 2.6 of our policy (effective date July 1, 2018). Also, last > >> July we > >> > were still having difficulty getting the ETSI auditors on board with > >> > specifying audit periods in their audit statements. > >> > >> So it seems nothing changed related to this in the last month, > >> they are clearly late in providing a new audit statement. > >> > >> > >> Kurt > >> > >> _______________________________________________ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy
