Siemens Audit Documents
Categories
(CA Program :: CA Documents, task)
Tracking
(Not tracked)
People
(Reporter: michael.lettona, Assigned: kathleen.a.wilson)
Details
(Whiteboard: [ca-audits])
Attachments
(5 files)
Comment 1•7 years ago
Comment 2•7 years ago
Comment 3•6 years ago
Comment 4•6 years ago
Steve: the newly attached audit document appears to be a "certificate". While the annex may provide all the information Mozilla requires, I am told that CAs should be able to provide us with an attestation statement, which is the report intended for root programs. While this is not [currently] a Mozilla requirement, would it be possible for you to provide the Siemens attestation statement?
Comment 5•6 years ago
Hi Wayne, I'm happy to check with Siemens on this. Would an additional attachment here suffice or would you prefer DQS to sign over the attestation in a single updated document?
Comment 6•6 years ago
A separate doc would be fine - if we have the attestation statement then we (Mozilla) don't need or care about the certificate.
Comment 7•6 years ago
I'll speak with DQS about this request and get back to you ASAP.
@wayne: You can assign this bug to me.
Comment 8•6 years ago
Thanks Rufus. There's no need to assign this since the bug is just here as a place to publish the audit docs.
Comment 9•6 years ago
I had an email exchange with DQS and they are asking for a template of this "attestation statement". I got an example from Steve but they would like to have a template. Until recently Microsoft did publish something for its root store program but this was removed. Do you have a template?
Comment 10•6 years ago
The requirements for the attestation statement are listed in section 4.3 of TS 119 403-2: https://www.etsi.org/deliver/etsi_ts/119400_119499/11940302/01.01.01_60/ts_11940302v010101p.pdf Mozilla doesn't require this info in a specific template, but I understand that the "attestation statement" is a specific form of ETSI report.
Here is another example: https://www.tuvit.de/fileadmin/Content/TUV_IT/zertifikate/de/AA2018072001_T-Systems_Deutsche-Telekom-Root-CA-2_V2_s.pdf
The aCAB'c is maintaining a template, but to my knowledge it's not publicly available: https://www.acab-c.com/
Comment 11•6 years ago
Disclaimer: We cannot speak for any other CA audited according to ETSI nor for ETSI itself.
We discussed the situation with our auditor and a representative of ETSI (Mr. Fiedler). In our common understanding, the report annexed to our ETSI audit certificate from winter 2019 fulfills all requirements defined in ETSI 119 403-2. We understand that you would like to have a more ‘structured’ report and will require our auditor in the 2020 audit to use the ‘template’ provided by ACABc as basis for the annex to the certificates. Is this proposed procedure okay for you?
Comment 12•6 years ago
Rufus: Thank you for researching this question and providing a response. I will also discuss this with ETSI representatives as I strive to gain a better understanding of ETSI certificates versus attestation reports.
Your proposal to use the aCAB'c template for next year's report is quite acceptable. I will reiterate that Mozilla currently has no requirements for the format of the report, and my questions are an attempt to better understand the information that we are receiving. Thanks again.
Comment 13•6 years ago
Corrects two incorrectly stated SHA256 hashes.
Updated•3 years ago
Updated•3 years ago
Comment 14•4 months ago