Closed Bug 1305582 Opened 9 years ago Closed 9 years ago

IdenTrust - Updated 2016 WebTrust Reports

Categories

(CA Program :: CA Certificate Root Program, task)

task
Not set
normal

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: roots, Assigned: kathleen.a.wilson)

Details

User Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.3; rv:11.0) like Gecko

Steps to reproduce:

IdenTrust has completed its WebTrust audits and auditors have complete reports. The names of the IdenTrust roots that were audited and are in the Mozilla program are:

• DST ACES CA X6
• DST Root CA X3
• IdenTrust Public Sector Root CA 1
• IdenTrust Commercial Root CA 1

The links for the report:

WebTrust for CA version 2.0: https://cert.webtrust.org/ViewSeal?id=2107
WebTrust for Baseline Requirements: https://cert.webtrust.org/ViewSeal?id=2106
Kathleen, would you have expected the issue from https://bugzilla.mozilla.org/show_bug.cgi?id=1037590#c22 and https://bugzilla.mozilla.org/show_bug.cgi?id=1037590#c23 to be called out in this audit report?
(In reply to Ryan Sleevi from comment #1)
> Kathleen, would you have expected the issue from
> https://bugzilla.mozilla.org/show_bug.cgi?id=1037590#c22 and
> https://bugzilla.mozilla.org/show_bug.cgi?id=1037590#c23 to be called out in
> this audit report?

It's not clear to me what subCAs were audited. Unfortunately, that's the current state of audit reports. I think we need to resolve this at a higher level, i.e. set expectations via the CAB Forum about what information must be provided in audit statements -- that the audit statements need to clearly identify which root and intermediate certs were covered in the audit.

https://cert.webtrust.org/SealFile?seal=2106&file=pdf
"... from July 1, 2015, to June 30, 2016, management of IdenTrust has:
...
Maintained effective controls to provide reasonable assurance that:
...
Network and Certificate System Security Requirements set forth by the CA/Browser Forum were met for its root CAs
- DST ACES CA X6
- DST Root CA X3
- IdenTrust Public Sector Root CA 1
- IdenTrust Commercial Root CA 1
- and associated subordinate CAs for the programs known as TrustID and ACES,
based on the AICPA/CPA Canada WebTrust Principles and Criteria for Certification Authorities – SSL Baseline with Network Security - Version 2."

Does "associated subordinate CAs" include all of the subCAs in all of those CA Hierarchies? Or just their direct subCAs (i.e. one level down)?

I'm sure that the BR audit did not cover the "Federal Bridge CA 2013" subCA. I don't even know if the audit covered both of the "IdenTrust ACES CA 1" subCA certificates.
I've updated the Common CA Database (aka CA Community in Salesforce) with the 2016 audit info.
Status: UNCONFIRMED → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED
Product: mozilla.org → NSS
Product: NSS → CA Program