Closed Bug 1374381 Opened 7 years ago Closed 6 years ago

SwissSign: BRs require full annual audits

Category: CA Program :: CA Certificate Compliance
Type: task; Priority: Not set; Severity: normal
Tracking: Not tracked
Status: RESOLVED FIXED
Reporter: kathleen.a.wilson; Assigned: reinhard.dietrich
Whiteboard: [ca-compliance] [audit-failure]
Attachments: 2 files

SwissSign provided their annual audit statement:
https://bug1142323.bmoattachments.org/attachment.cgi?id=8853299

Problems noted in it:
-- "Agreed-upon procedures engagement" - special words for audits - does not necessarily encompass the full scope
-- "surveillance certification audits" - does not necessarily mean a full audit (which the BRs require annually)
-- "point in time audit" -- this means that the auditor's evaluation only covered that point in time (note a period in time)
-- "only intended for the client" -- Doesn't meet Mozilla's requirement for public-facing audit statement.
-- "We were not engaged to and did not conduct an examination, the objective of which would be the expression of an opinion on the Application for Extended Validation (EV) Certificate. Accordingly, we do not express such an opinion. Had we performed additional procedures, other matters might have come to our attention that would have been reported to you." -- some of the included root certs are enabled for EV treatment, so need an EV audit as well.


According to section 8.1 of the CA/Browser Forum's Baseline Requirements: 
"Certificates that are capable of being used to issue new certificates MUST ... be ... fully audited in line with all remaining requirements from this section. 
...
The period during which the CA issues Certificates SHALL be divided into an unbroken sequence of audit periods. An audit period MUST NOT exceed one year in duration."

So, a full period-in-time audit is required every year.

After I voiced concern (https://bugzilla.mozilla.org/show_bug.cgi?id=1142323#c27) the CA provided an updated audit statement to address the concerns I had raised in the bug:
https://bugzilla.mozilla.org/attachment.cgi?id=8867948
I do not understand how the audit statement can magically change from point-in-time to a period-in-time.
Summary: SwissSign - BRs require full annual audits → SwissSign: BRs require full annual audits
Comments from the Auditor to the raised Points:

Point in time Audit:
Mozilla's comment refers to the first version of the confirmation letter (KPMG had changed the wording in the second one). We acknowledge that the introduction of the expression "point-in-time", which is usually used in the context of ETSI audits, is not helpful in a combined audit.
As described in the audit report the sampling used by KPMG covers the entire year dating back to the previous audit.

It's debatable whether a combined ETSI - CA / Browser Forum audit SHOULD be called a 'period-of-time' or 'point-in-time' audit. Not using such an indication would be our preferred approach in this case.

However, since ETSI does not make this distinction we are happy to align the wording with CA / Browser Forum.

SwissSign was able to provide all evidence requested by the auditors.

***

It is highly desirable to harmonize requirements since ETSI will not change its standards based on a single request from KPMG. In the future, it would be good if we could safely conduct an ETSI - CA / Browser Forum based audit, knowing up-front whether ETSI can be the decisive point of reference or not. Given the overwhelming importance of eIDAS in the European market place it would be beneficial if a report could be titled "ETSI audit report 201x".

The Mozilla CA Policy requires us to indicate which type of audit was performed. If ETSI is not accepted as the decisive standard we suggest this is added to the policy: "Whenever a CA / Browser Forum compliant audit is performed, it must be mentioned that the audit is of the 'period-of-time' type."

The maturity level of ETSI standards for PKI is very high and KPMG strongly recommends its customers to perform this type of audit.
Agreed-upon procedures engagement - special words for Audits:

Answer KPMG: This is a legal term used in every PKI report issued by KPMG. Since the scope is precisely explained in both the engagement letter and the report by KPMG we suggest repeating the wording - all relevant (ETSI EN) standards are listed in both the engagement letter and the report.
'Agreed upon' stands for 'standards that have been agreed by KPMG and its client in an engagement letter'. KPMG always uses its complete ETSI EN audit program.
The Swiss accreditation body SECO SAS approved and accredited KPMG's ETSI EN audit programs and working template in October 2016 after a complete witness assessment and, in addition, an on-site assessment at KPMG by an independent industry PKI expert had taken place. Recommendations phrased by the expert were added to the program before SECO SAS approval was received.


"We were not engaged to and did not conduct an examination, the objective of which would be the expression of an opinion on the Application for Extended Validation (EV) Certificate. "
Answer KPMG: We had originally used KPMG Legal proposed wording, which has been used for many years.


"only intended for the client" 
Answer KPMG: This is a legal term used in every report issued by KPMG. It does not mean that Mozilla or another entitled party does not have access to the report. It is, however, necessary to get formal approval from KPMG before a report is disseminated to a party other than KPMG's client.
There is no indication that Mozilla could not get a copy of the report if need be. Note that clarification requires approval by a KPMG partner - it may take a week to provide the report. SwissSign has offered to personally show the report in a Mozilla office if this is beneficial and helps to gain time.


"surveillance certification audits" - does not necessarily mean a full audit (which Mozilla and the BRs require annually)
Answer KPMG: The expression "surveillance" is not applicable to this type of audit. Since a full audit must be conducted we will use the expression "full audit".
The expression 'surveillance' was acceptable for ETSI TS-based PKI audits, which are no longer conducted.
(In reply to Corneia Enke from comment #1)
> Comments from the Auditor to the raised Points:
> 
> Point in time Audit:
> Mozilla's comment refers to the first version of the confirmation letter
> (KPMG had changed the wording in the second one). We acknowledge that the
> introduction of the expression "point-in-time', which is usually used in the
> context of ETSI audits, is not helpful in a combined audit.
> As described in the audit report the sampling used by KPMG covers the entire
> year dating back to the previous audit.

Could you indicate where in the audit report the period is specified? The report notes that it executed a "main certification audit in year 2017", and while it notes the engagement period (9 January 2017 to 8 March 2017), does not note the period under examination.

> It's debatable whether a combined ETSI - CA / Browser Forum audit SHOULD be
> called 'period-of-time' or' point-in-time' audit. Not using such an
> indication would be our preferred approach in this case.

Could you indicate what is believed to be debatable about this? I'm not sure what is meant by a "CA / Browser Forum audit", as the CA/Browser Forum does not itself develop the audit standards.

The most widely used audit standard for publicly trusted website CAs is "WebTrust for CAs", which is modeled after a SOC 3 report, and whose criteria were based on ISO 21188. Of the two types of SOC 3 (Type 1 and Type 2), the intent of a period of time is to reflect a continuous assessment of the security controls and operations at an organization for the duration, and to review changes made during that time and their impact on overall compliance, combined with sampling to ensure the effectiveness of those controls.

My understanding of the ETSI criteria is that it attempts to represent a certification audit with respect to stated compliance of controls, and then maintain that certification through 7.9 and 7.10 of ISO/IEC 17065. In this sense, the desire from Mozilla is to understand the scope of controls assessed, and the period of time over which they were assessed, with the expectation that the period of information and activities not exceed one year, and be fully contiguous with the activities of the previous audit.

So if a certification audit was granted on 2017-04-01, on the basis of an examination of information and controls for the period of 2016-01-01 to 2017-01-01, then the subsequent certification audit would be expected on 2018-04-01, and to have examined all activities, controls, and reporting on any nonconformities discovered or detected for the period of 2017-01-01 to 2018-01-01.

With respect to reporting and the suitability for consumption by Mozilla, would it be sufficient to document the audit scope with respect to the dates of the activities examined? This would be in addition to what appears to be the existing documentation of the audit time (cf. 7.4.2 of EN 319 403).

> It is highly desirable to harmonize requirements since ETSI will not change
> its standards based on a single request from KPMG. In the future, it would
> be good if we could safely conduct an  ETSI - CA / Browser Forum based
> audit, knowing up-front whether ETSI can be the decisive point of referene
> or not. Given the overwhelming importance of eIDAS in the European market
> place it would be benefitial if a report could be titled "ETSI audit report
> 201x".

It is hoped with the above clarifications, it is clearer why "ETSI Audit Report 201x" would be detrimental towards the goals of acceptance by Mozilla CA Policy. For example, Mozilla considers the expiration of a certification (or periodicity) to be within one year of its issuance (7.1.1(e) of 17065), that the scope of the audit include explicit dates for which to review the activities and processes (of which the end date must be no more than one year from the start date, and for which the certification date must be within 90 days of the end date), that any nonconformities for that duration be documented (this is the distinction between 'clean'), etc.

With such reporting specified, it would be reasonable to consider "ETSI audit report 201x" as appropriate - but it's a requirement to ensure the necessary information as applicable to Mozilla's (and others') requirements is satisfied.

This is not unique to KPMG - audits from other conformance assessment bodies (such as https://www.tuvit.de/fileadmin/Content/TUV_IT/zertifikate/en/6765UE_s.pdf ) fail to sufficiently document the scope of activities examined.

This is a requirement of Mozilla's, as documented in https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/

Hopefully, with the above clarifications, it may be possible for KPMG to issue the necessary reporting that satisfies these requirements.
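The expectations set out in the comment above (an audit period of at most one year, successive periods contiguous with no gap, and the certification or attestation dated within 90 days of the period end) can be turned into a mechanical check over a list of audit periods. The following Python is an added example written for this page; it is not code from Mozilla, the CCADB or any participant in this bug. The two sample chains are constructed for illustration and are not SwissSign's actual audit dates; the first follows the shape of the 2016/2017 dates given in the comment, the second shows a replacement auditor starting a week late with an over-long period. End dates are treated as exclusive, so two periods are contiguous when one period's end equals the next period's start.

```python
from dataclasses import dataclass
from datetime import date

# Limits taken from the discussion above: BR section 8.1 caps an audit period at one
# year, and the comment above expects the attestation within 90 days of the period end.
MAX_PERIOD_DAYS = 366      # one year, allowing for a leap year
MAX_REPORT_LAG_DAYS = 90


@dataclass(frozen=True)
class AuditPeriod:
    auditor: str
    start: date    # first day of the period examined (inclusive)
    end: date      # day after the last day examined (exclusive): periods chain when end == next.start
    issued: date   # date the attestation / certification decision was issued


def period_days(p: AuditPeriod) -> int:
    """Length of the examined period in days (end is exclusive)."""
    return (p.end - p.start).days


def check_audit_chain(periods) -> list:
    """Return a list of findings for a chain of audit periods; an empty list means no problem found.

    Each period is checked on its own (well-formed, at most one year, attestation issued no
    earlier than the period end and no later than 90 days after it); then successive periods
    are checked for gaps. Overlaps (e.g. a second-opinion audit) are not flagged, since they
    do not leave any part of the timeline unexamined.
    """
    findings = []
    chain = sorted(periods, key=lambda p: p.start)

    for p in chain:
        days = period_days(p)
        if days <= 0:
            findings.append(f"{p.auditor}: period {p.start}..{p.end} is empty or reversed")
            continue
        if days > MAX_PERIOD_DAYS:
            findings.append(f"{p.auditor}: period {p.start}..{p.end} is {days} days, exceeds one year")
        lag = (p.issued - p.end).days
        if lag < 0:
            findings.append(f"{p.auditor}: attestation dated {p.issued} predates period end {p.end}")
        elif lag > MAX_REPORT_LAG_DAYS:
            findings.append(f"{p.auditor}: attestation dated {p.issued} is {lag} days after period end, "
                            f"exceeds {MAX_REPORT_LAG_DAYS}")

    for prev, nxt in zip(chain, chain[1:]):
        if nxt.start > prev.end:
            gap = (nxt.start - prev.end).days
            findings.append(f"gap of {gap} days between {prev.auditor} ending {prev.end} "
                            f"and {nxt.auditor} starting {nxt.start}")

    return findings


# Constructed sample data (assumed for this example, not real audit dates).
# Shape follows the comment above: certification on 2017-04-01 for the period 2016-01-01 to 2017-01-01,
# then 2018-04-01 for 2017-01-01 to 2018-01-01.
CONTIGUOUS_CHAIN = [
    AuditPeriod("Auditor A", date(2016, 1, 1), date(2017, 1, 1), date(2017, 4, 1)),
    AuditPeriod("Auditor A", date(2017, 1, 1), date(2018, 1, 1), date(2018, 4, 1)),
]

# A replacement auditor whose first period starts 8 days after the previous one ended
# and runs for about 15 months.
BROKEN_CHAIN = [
    AuditPeriod("Auditor A", date(2016, 3, 1), date(2017, 3, 1), date(2017, 5, 10)),
    AuditPeriod("Auditor B", date(2017, 3, 9), date(2018, 6, 7), date(2018, 7, 3)),
]


if __name__ == "__main__":
    for name, chain in (("contiguous", CONTIGUOUS_CHAIN), ("broken", BROKEN_CHAIN)):
        result = check_audit_chain(chain)
        print(f"{name}: {'OK' if not result else ''}")
        for line in result:
            print("  -", line)
```

The check is deliberately strict about what it cannot see: a statement that names only the engagement dates (when the auditor was on site) cannot populate `start` and `end`, which is exactly the gap in the original KPMG letter discussed above; the period examined has to be stated explicitly for any such check to run.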
(In reply to Corneia Enke from comment #2)
> Answer KPMG: This is a legal term used in every PKI report issued by KPMG.
> Since the scope is precisely explained in both the engagement letter and the
> report by KPMG we suggest to repeat the wording - all relevant (ETSI EN)
> standards are listed in both the engagement letter and the report.
> 'Agreed upon' stands for 'standards that have been agreed by KPMG and its
> client in an engagement letter'. KPMG always uses its complete ETSI EN audit
> program.
> Swiss accreditation body SECO SAS had approved and accredited KPMG's ETSI EN
> audit programs and working template in October 2016 after a complete witness
> assessment and in addition at KPMG on site assessement by an indepdendent
> industry PKI expert had taken place. Recommendations phrased by the expert
> were added to the program before SECO SAS approval was received.

As this terminology has, in the past, been used to limit the scope of conformance assessment, perhaps being explicit that the full scope of controls and activities of the relevant ETSI EN criteria and profiles would be sufficient to resolve this?

> "We were not engaged to and did not conduct an examination, the objective of
> which would be the expression of an opinion on the Application for Extended
> Validation (EV) Certificate. "
> Answer KPMG: We had originally used KPMG Legal proposed wording, which has
> been used for many years.

The ambiguity is in trying to understand whether this means that KPMG did not perform an assessment of controls related to the EVCP, or whether this is some other statement about the scope of the audit.

Perhaps this is ambiguity with respect to the terminology of "certificate" - with respect to the relevant technical standards, the 'certificate' in one reading may represent an X.509 certificate that SwissSign AG may be applying for a particular website - while another terminology may be a certificate of conformance to the necessary ETSI EN 319 411-1 EVCP profile.

> 
> "only intended for the client" 
> Answer KPMG: This is a legal term used in every report issued by KPMG. It
> does not mean that Mozilla or another entitled party do not have access to
> the report. It is, however, necessary to get formal approval from KPMG
> before a report is dissiminated to a party other than KPMG's client.
> There is no indication that Mozilla could not get a copy of the report if
> need be. Note that clarification requires approval by a KPMG partner - it
> may take a week to provide the report. SwissSign has offered to personally
> show the report in a Mozilla office if this is benefitial and helps to gain
> time.

The goal of Mozilla's program is to ensure that sufficient certification documentation, pursuant with 7.7.1 of ISO/IEC 17065, is publicly provided and available. It is NOT a goal to require that the Audit Report, pursuant to 7.4.4 of EN 319 403, be publicly available - that may be provided to the TSP alone, at present.

> "surveillance certification audits" - does not necessarily mean a full audit
> (which Mozilla and the BRs require annually)
> Answer KPMG: The expression "surveillance" is not applicable to this type of
> audit. Since a full audit must be conducted we will use the expression "full
> audit".
> The expression 'surveillance' was acceptable for ETSI TS-based PKI audits,
> which are no longer conducted.

Correct. The goal is to ensure a full assessment and conformance to the necessary criteria, examining data, processes, and activities of no greater than one year in duration.
Kathleen, Gerv: Can I assume by the lack of activity on this bug that Mozilla has accepted the existing audit?

For comparison, consider the audit at https://bugzilla.mozilla.org/show_bug.cgi?id=1391063#c13 which includes the statement: "The audit was conducted on 22th – 24th February 2017 covering the timeframe 27th February 2016 to 21st February 2017. It was a full audit covering all aspects of the standard performed."
Flags: needinfo?(kwilson)
Flags: needinfo?(gerv)
(In reply to Ryan Sleevi from comment #5)
> Kathleen, Gerv: Can I assume by the lack of activity on this bug that
> Mozilla has accepted the existing audit?

No. I agreed with SwissSign at the F2F in Berlin that they would get some different auditors, who were already familiar with their systems, to do a replacement audit. I asked Connie for an update on 4th September; she said: "As agreed with you, we will submit another audit report" and "Yes we are doing a second audit so we will provide the second statement as soon as the audit is finished." This is due to be ready at the end of September.

Gerv
Flags: needinfo?(gerv)
Flags: needinfo?(kwilson)
Gerv: Would you mind updating the bug then with the remediation outlined? I'm not sure what was discussed in the F2F :)

It sounds like the whiteboard should be:

[ca-compliance] [remediation-accepted] Next Update - 2017-09-XX (unclear if a specific date was set; if not, perhaps 2017-10-01)?
Whiteboard: [ca-compliance] → [ca-compliance] [remediation-accepted] Next Update - 2017-10-01
To whom it concerns

We had some issues (availability of auditor resources) finding the audit date with our second auditor.
The on-site audit will be performed next week, so we expect the audit report and audit statement afterwards in a timely manner.
We will update you as soon as the report and audit statement are available.
Can you confirm that the audit engagement began?

On the assumption it has, I'm updating this to be 2017-12-01 to reflect the standard time to produce such reports.
Whiteboard: [ca-compliance] [remediation-accepted] Next Update - 2017-10-01 → [ca-compliance] [remediation-accepted] Next Update - 2017-12-01
Yes, we can confirm that the audit engagement has started.
Assignee: kwilson → reinhard.dietrich
Blocks: 1142323
Audit Report for G2
Audit Report for G3
These audit statements look good to me. I will create and process an Audit Case in the CCADB for these.

Thanks!
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → FIXED
I'm reopening this bug because I do not believe that the remediation was completed to Mozilla's expectations. Specifically, SwissSign has 3 included roots but the newer audit statements submitted in comment 11 only cover one of them. New audit reports have recently been provided for the other two:

https://it-tuv.com/wp-content/uploads/2018/07/AA2018070301_Audit_Attestation_TA_CERT__SwissSign_Platinum_G2_signed.pdf
https://it-tuv.com/wp-content/uploads/2018/07/AA2018070303_Audit_Attestation_TA_CERT__SwissSign_Silver_G2_signed.pdf

However, these cover the period beginning March 9, 2017. This leaves the period prior to that date only covered by the KPMG audit that resulted in this bug. This is a violation of Mozilla's policy 3.1.3 stating that "Successive audits MUST be contiguous (no gaps)".

I am requesting that SwissSign provide a detailed explanation of these events. I am particularly interested in an explanation of why all three roots weren't re-audited at the same time as the Gold root, what exceptions SwissSign believes Mozilla made that permit the policy violation created by not having the other two roots re-audited, and any evidence SwissSign has that Mozilla did in fact approve those exceptions.
Status: RESOLVED → REOPENED
Flags: needinfo?(reinhard.dietrich)
QA Contact: gerv → wthayer
Resolution: FIXED → ---
Whiteboard: [ca-compliance] [remediation-accepted] Next Update - 2017-12-01 → [ca-compliance]
The Gold G2 and G3 Roots are currently being audited by TüV TRUST IT.
We planned the audit for Gold G2 and G3 after finishing the audits for the Platinum and Silver Root CA as the audit for Gold CA G2 and G3 is still valid until November 30, 2018.

We have signed a framework agreement with TüV TRUST IT in order to resubmit the audit implementation and reports properly and on time in the future.
The audit for the Gold Root G2 and Gold Root G3 started in July and shall be completed in October 2018.
Further planning foresees that the audit for all CAs (Silver, Gold and Platinum G2 and G3) included in the root store and registered for inclusion will start again in December to complete the audit by February. SwissSign thus wants to ensure that all root CAs are audited at the same time and can be submitted uniformly by March of the respective calendar year. 

Best Regards Cornelia Enke
Cornelia: thank you for your response. It did not answer my questions. I am specifically interested in the events that have led to a 1-year gap in the accepted audits for the Silver and Platinum roots, and what understanding or misunderstanding there may have been about Mozilla's expectations in comment 6, which I interpret to mean that Mozilla expected SwissSign to acquire new audits for all roots, not just the Gold roots.
Hello Wayne,

KPMG's 2017 audit met the formal requirements (in full and over the entire reporting period). However, the audit statement was not accepted because the first draft used the wrong wording. Subsequently, KPMG prepared a second version of the statement which complied with the formal provisions. At no time were results falsified or modified. There were ambiguities in the interpretation of the Point in time and Period in Time reports. 

In any case, KPMG's original audit for the reporting period March 2016 to March 2017 was carried out correctly and completely on site.

The incorrect audit statement and its correction by KPMG led to major discussions. As SwissSign had a second auditor in the company due to the European eIDAS certification, SwissSign suggested that for simplicity's sake it would go for a second opinion and present it to Mozilla. Mozilla agreed to this approach. A second audit was therefore carried out on the same subject for the same scope and reporting period, and both reports came to the same conclusion. The second opinion referred to the OV and EV (Gold Root) certificates.
After the audit, the result was accepted by Mozilla and the bug report was closed by Mozilla; we assumed that this was sufficient as proof.

However, we as TSP were not satisfied with the performance of the audit last year. After problems arose again in the new audit on ZertES, SwissSign immediately took measures in consultation with Mozilla and Microsoft and decided on a drastic solution - namely a complete change to a new auditor. For this reason, the SwissSign audit statement this year was delayed.

To ensure that this situation will not occur again we agreed on detailed planning with our new auditor. With the submitted audit plan SwissSign warrants that the audit statements will in future be submitted simultaneously, on time and of high quality across all roots and their subordinate issuing CAs in the long term.

Best Regards Cornelia Enke
The certificate business depends on trust and transparency. We therefore support all efforts in this direction.

At first sight the impression may arise that SwissSign cannot guarantee continuity with regard to external audits because
- the second opinion was submitted only for the Gold Root G2 and G3 and their Sub CAs
- and in year 2018 a change of auditor took place, which led to a late submission of the audit attestation

In the following, SwissSign explains how the audit history has developed since 2013

We would like to consider the following topics separately:
(1) How does the auditor have to perform the audit (regulations to the auditor regarding audit)
(2) performed audits
(3) Coverage of uninterrupted and existing audit statements

(1) Regulations to the auditor regarding audit
==============================================

The qualified auditor appointed by SwissSign is KPMG. KPMG is the only auditor accredited in Switzerland for recognition of TSP in accordance with the Swiss Electronic Signature law. For this reason, SwissSign originally chose KPMG as auditor. KPMG received accreditation for the PKI-ETSI standards from the Swiss Accreditation Service SAS.

see accreditation document: https://www.sas.admin.ch/sas/en/home/akkreditiertestellen/akkrstellensuchesas/_jcr_content/par/externalcontent.external.exturl.pdf/aHR0cHM6Ly9zYXNkYi5jbGllbnRzLmxpaXAuY2gvbWVkaWEvcG/RmL1NDRVNtLTAwNzEtZGUucGRm.pdf

According to this accreditation document, KPMG must perform the audits in accordance with ISO/IEC 17021: "Conformity assessment -- Requirements for bodies providing audit and certification of management systems".
Under Chapter 9.6.3.1.1 of these Regulations, a “full-surveillance period-of-time audit” must be carried out in the event of recertification. (see ISO/IEC 17021-1:2015 Chapter 6.3 Recertification).

In accordance with the aforementioned requirements every recertification audit by KPMG was performed for the period of a SwissSign audit year (period-of-time audit). That means every audit covers the period from March to March.


(2) performed Audits
====================

Our regular audit year lasts from March to March.

Covered period        Audit period   Performed audit
03/2013 to 03/2014    Q1/2014        Recertification audit (called "main Audit" in the audit statement), performed by KPMG
03/2014 to 03/2015    Q1/2015        Surveillance audit (called "surveillance certification audit" in the audit statement), performed by KPMG
03/2015 to 03/2016    Q1/2016        Surveillance audit (called "surveillance certification audit" in the audit statement), performed by KPMG
03/2016 to 03/2017    Q1/2017        Recertification audit (called "main certification Audit" in the audit statement), performed by KPMG
10/2016 to 10/2017    Q3/2017        Full annual audit performed by TüV-IT (second-opinion audit to the KPMG audit from Q1/2017)
03/2017 to 03/2018    Q1/2018        Full annual audit performed by TüV Trust IT

All these audits have been successfully passed and show clean reports. On the basis of the timeline, the list above demonstrates that the audit chain is gapless and the necessary audits have been performed from 03/2013 through 03/2018 (covered periods).


(3) Coverage of uninterrupted and existing audit statements
===========================================================

After the initial audit, the purpose of the audits is always to give a statement about the past period as well as to obtain assurance that the next period will run in conformity (see ISO/IEC 17021-1:2015). The audit attestations should also be understood in this sense.

Audit attestation dated 10 April 2014 (covering period 2013)
------------------------------------------------------------
link: https://repository.swisssign.com/attestations/10-04.2014-SwissSign-Confirmation-2014.pdf

Audit attestation dated 2 April 2015 (covering period 2014)
------------------------------------------------------------
Link: https://repository.swisssign.com/attestations/02-04-2015-SwissSign-Confirmation-2015.pdf

Audit attestation dated 18 March 2016 (covering period 2015)
------------------------------------------------------------
Link: https://repository.swisssign.com/attestations/18-03-2016-SwissSign-Confirmation-2016.pdf

Citation: 
“KPMG has executed a main certification audit in year 2013, and surveillance certification audits in 2014 and 2015 against the mandatory standardizations listed in the following section (specified information/procedure/results).
SwissSign issues certificates under the following Certification Authorities:
SwissSign Silver G2 	SwissSign Silver G3
SwissSign Gold G2 	SwissSign Gold G3
SwissSign Platinum G2 	SwissSign Platinum G3”

These audit attestations will therefore cover the periods 2013, 2014 and 2015.

Audit attestation dated 10 May 2017 (covering period 2016)
----------------------------------------------------------
Link: https://repository.swisssign.com/attestations/10-05-2017-SwissSign-Confirmation-2017.pdf

Citation: 
«KPMG performs continuous PKI audits for SwissSign AG and has executed a main certification audit in year 2017” 

As KPMG first provided an audit statement that did not correctly reflect the nature and scope of the audit, there was irritation about the audit as such. Therefore, SwissSign has offered to conduct an additional audit as a second opinion, which should show that KPMG's corrected audit statement is in line with the facts. By closing the bug, SwissSign assumed that this was also Mozilla's view.


Audit Attestation SwissSign ETSI Assessment 2017 No. AA2017113001 
-----------------------------------------------------------------
Link: https://repository.swisssign.com/attestations/30-11-2017-Audit_attestation_Gold_G3_s.pdf
Link: https://repository.swisssign.com/attestations/30-11-2017-Audit_attestation_Gold_G2_s.pdf


Audit Attestation for SwissSign AG Reference: AA2018070301 (covering period 2017)
---------------------------------------------------------------------------------
Links:
https://repository.swisssign.com/attestations/03-07-2018-Audit_Attestation_TA_CERT__SwissSign_Platinum_G2_signed.pdf
https://repository.swisssign.com/attestations/03-07-2018-Audit_Attestation_TA_CERT__SwissSign_Platinum_G3_signed.pdf
https://repository.swisssign.com/attestations/03-07-2018-Audit_Attestation_TA_CERT__SwissSign_Silver_G2_signed.pdf
https://repository.swisssign.com/attestations/03-07-2018-Audit_Attestation_TA_CERT__SwissSign_Silver_G3_signed.pdf

This attestation covers the period from 9 March 2017 until 6 June 2018, which corresponds to the Common CA Database (CCADB) entries.

We therefore believe that the required uninterrupted and gapless audit cycle has been demonstrated since at least 2013 until today (03/2013 - 03/2018).

Overall we would like to state that a second and detailed look at the audit situation of SwissSign shows:

-	that SwissSign was audited by an accepted and accredited auditor (KPMG/TüV IT/TüV TRUST IT)
-	the covered audit period is gapless from 03/2013 until 03/2018
-	all the audits have been successfully passed by SwissSign (all audits have clear reports).

Based on these statements we conclude that SwissSign’s audit track is gapless and complies with all the applicable requirements (e.g. of the Mozilla Foundation, the Swiss law, third party regulations).



For convenience only we provide the following
Citations from ISO/IEC 17021-1:2015 Chapter 6.3 Recertification
=================================================================

9.6.3.1 Recertification audit planning

9.6.3.1.1 The purpose of the recertification audit is to confirm the continued conformity and effectiveness of the management system as a whole, and its continued relevance and applicability for the scope of certification. A recertification audit shall be planned and conducted to evaluate the continued fulfilment of all of the requirements of the relevant management system standard or other normative document. This shall be planned and conducted in due time to enable for timely renewal before the certificate expiry date.

9.6.3.1.2 The recertification activity shall include the review of previous surveillance audit reports and consider the performance of the management system over the most recent certification cycle.

9.6.3.1.3 Recertification audit activities may need to have a stage 1 in situations where there have been significant changes to the management system, the organization, or the context in which the management system is operating (e.g. changes to legislation).

NOTE Such changes can occur at any time during the certification cycle and the certification body might need to perform a special audit (see 9.6.4), which might or might not be a two-stage audit.


9.6.3.2 Recertification audit

9.6.3.2.1 The recertification audit shall include an on-site audit that addresses the following:

a) the effectiveness of the management system in its entirety in the light of internal and external changes and its continued relevance and applicability to the scope of certification;

b) demonstrated commitment to maintain the effectiveness and improvement of the management system in order to enhance overall performance;

c) the effectiveness of the management system with regard to achieving the certified client's objectives and the intended results of the respective management system(s).

9.6.3.2.2 For any major nonconformity, the certification body shall define time limits for correction and corrective actions. These actions shall be implemented and verified prior to the expiration of certification.

9.6.3.2.3 When recertification activities are successfully completed prior to the expiry date of the existing certification, the expiry date of the new certification can be based on the expiry date of the existing certification. The issue date on a new certificate shall be on or after the recertification decision.

9.6.3.2.4 If the certification body has not completed the recertification audit or the certification body is unable to verify the implementation of corrections and corrective actions for any major nonconformity (see 9.5.2.1) prior to the expiry date of the certification, then recertification shall not be recommended and the validity of the certification shall not be extended. The client shall be informed and the consequences shall be explained.

9.6.3.2.5 Following expiration of certification, the certification body can restore certification within 6 months provided that the outstanding recertification activities are completed, otherwise at least a stage 2 shall be conducted. The effective date on the certificate shall be on or after the recertification decision and the expiry date shall be based on prior certification cycle.
Flags: needinfo?(reinhard.dietrich)
Reinhard: thank you for providing such a detailed response to my questions.

The central disagreement here is Mozilla's acceptance of KPMG's 2017 audits. I agree with SwissSign that these roots were indeed audited, but it seems likely to me that Mozilla's intent was to reject those audits. I would point to the term "replacement audit" used in comment #6 to support my position.

If indeed Mozilla rejected the 2017 KPMG audits, then do they still fulfill the requirement of section 3.1.3 for "Successive audits MUST be contiguous (no gaps)." I feel strongly that this is not the case.

If Mozilla rejected the 2017 KPMG audits and policy section 3.1.3 is triggered, then SwissSign should have procured new audits for all roots for the entire period. The fact that this bug was closed does not relieve SwissSign of that responsibility. There is no documentation that I can find indicating that Mozilla explicitly agreed to an exception to section 3.1.3 of our policy.

I do believe that this issue has now been satisfactorily documented. I will leave this bug open for a few days pending further comments before considering this issue closed with respect to the currently-included G2 roots, and I will plan to raise it again as part of the G3 root inclusion request (1142323).
Status: REOPENED → RESOLVED
Closed: 7 years ago → 6 years ago
Resolution: --- → FIXED
Product: NSS → CA Program
Whiteboard: [ca-compliance] → [ca-compliance] [audit-failure]