Closed Bug 1458024 Opened 6 years ago Closed 6 years ago

DigiCert WebTrust Audits

Categories

(CA Program :: CA Documents, task)

task
Not set
normal

Tracking

(Not tracked)

RESOLVED WORKSFORME

People

(Reporter: michael.lettona, Assigned: kathleen.a.wilson)

Details

(Whiteboard: [ca-audits])

Attachments

(87 files, 6 obsolete files)

No description provided.
Closing this bug, but this bug may continue to be used for uploading annual audit statements for this CA.
Status: UNCONFIRMED → RESOLVED
Closed: 6 years ago
Resolution: --- → WORKSFORME
Whiteboard: [ca-audits]
Attached file WebTrust Audit 2014
Attachment #9011065 - Attachment description: WebTrust Audits 2009-2017 → WebTrust Audit 2014
Attached file 2013-WT-SealFile-.pdf
Attached file 2015 WTCAs.pdf

(For record-keeping's sake)

The attached audit periods are from April 1, 2018 to March 31, 2019.

The following incident reports were opened on or after 2018-04-01 against DigiCert. I did not include the upper-bound, to account for dates that occurred in the past but were only disclosed more recently:
https://bugzilla.mozilla.org/buglist.cgi?o1=greaterthan&short_desc_type=allwordssubstr&v1=2018-04-01&f1=creation_ts&short_desc=DigiCert&query_format=advanced&component=CA%20Certificate%20Compliance

Classifying some of these bugs:

Of those remaining, Bug 1563573 occurred after both the audit period and report, and is a Mozilla policy issue.

I highlight this, because Comment #51 only mentions Bug 1550645.

Jeremy, care to clarify the omission of the other bugs? I have not filtered for audit scope, and instead looked at DigiCert holistically, so please call out bugs which are not in scope of this audit, but which may be related to other DigiCert owned-or-operated roots in Mozilla's Program. However, for those issues in-scope, please identify them and clarify their omission from Management's Assertion and the report.

Of particular attention is https://wiki.mozilla.org/CA/Responding_To_An_Incident around revocation, and the need to have certain items listed as findings in the CA's next audit.

Flags: needinfo?(jeremy.rowley)
QA Contact: kwilson

Ryan, I will be responding to this issue momentarily after reviewing the details of the bugs and audits you've noted above. Thanks for the reporting and your patience as we investigate the details to provide an adequate response.

Here is the status/disposition of the bugs noted above. Details are included in the attached file to this report.

In summary, 31 reported bugs in question:
- 12: included in audit reports (DigiCert Annual, Quarterly OEM, Apple GeoRoot)
- 19: not included in audit reports
  - 13: disclosed to auditors (we send them a snapshot of our incident management dashboard as part of the audit)
  - 6: not disclosed to auditors, with the following explanations:
    - 1: not covered in audit because they are technically constrained (external sub-CA)
    - 2: outside audit period; DC will disclose in next audit
    - 2: outside audit period; external sub-CA will disclose in next audit
    - 1: bug happened after DC auditor report generated

Please let us know if you have further questions.

Thanks Brenda. I'm a bit confused with this. Within the annual reports, I only saw one issue referenced, Bug 1550645. Did I misread Comment #51? Could you highlight where the other 11 are included in the annual report for that period?

With respect to those that occurred after the audit period concluded, but prior to the report issuance, AICPA professional standards provide for expectations with respect to the client disclosing adverse events outside of the audit period that may otherwise inform or color the reporting within the period. This, for example, can lead to the suspension of seals, if perhaps the controls examined turned out to be materially deficient with evidence after-the-fact. Is my understanding correct that DigiCert did not disclose those events, despite the audit report still being prepared?

Flags: needinfo?(jeremy.rowley) → needinfo?(brenda.bernal)

Hi Ryan, For the 9 of the 11, they were all disclosed and included in our assertion letter for the Q4 2018 WTBR audit package (referenced in Comment 48; please see DigiCert Assertion letter page 2). For the 2 remaining, they were referenced in Apple's audit report, found here: http://www.apple.com/certificateauthority/ (WTBR link at the bottom).

In all cases that are valid for disclosure in an audit, except for one (referenced as: https://bugzilla.mozilla.org/show_bug.cgi?id=1523676), all bugs were disclosed to our auditors. To clarify, the ones that we marked as disclosed for the next audit, we have already disclosed those under the current 1H'2019 WebTrust audit that is in draft reporting.

For two items that were marked for external subCAs disclosing in their next audit cycle, the one related to CTJ happened outside of their 12-31-2018 audit year and they've been informed to notify their auditors as well as include in the next audit cycle. For the KPN outdated audit item, we were in touch with their auditors (KPMG) to ensure they completed their audit by the 31-May-2019 deadline we've set, and as noted in the bug.

Let me know if you have any further questions.

Flags: needinfo?(brenda.bernal)

I’m very concerned about this approach to reporting. To me, this calls into question the competency and forthrightness of the auditors. I do not believe it acceptable to omit disclosing these issues in a report that covers the entire period. This seems like a way for a CA or an auditor to abuse the disclosure process and mislead the community as to the assertions made, as they are not included within the annual audit provided.

Flags: needinfo?(wthayer)

Hi Ryan, as noted in Comment 59, we are disclosing incidents within the period they've occurred for the covering audits. The items noted in the 1H 2019 audit letters occurred after our 3/31 year end. With that said, we are also intending to disclose these incidents during our next annual audit period, which we are converging to a 10/31 year end date. This will cover the short period of 4/1 through 10/31 of this year.

I cannot make sense of Comment #64. Comment #54 notes a number of incidents that occurred in a period which, during the audit report for that year, were omitted, on the basis that they were listed in some other audit report.

This argument makes the annual audit worthless. It was not worth the money to produce, because it provides zero assurance to relying parties that matters were disclosed if they examine that annual audit. To take such an interpretation to a logical extreme, one might argue that future DigiCert audits provided to Mozilla - whether quarterly, semi-annual, or annual - need not disclose any incidents, because DigiCert could also produce "other" audits to cover that period in which they were disclosed, so that they were not disclosed in the audits provided to Mozilla.

That's why I'm raising this as a serious issue now. To accept the current interpretation would be to undermine the value of the audits or the disclosure. I appreciate that they were listed in the quarterly audits, and that these were provided, but the choice to omit them from the annual report calls into serious question all of the audits provided. If that's not the intent, that's something that should be resolved ASAP.

If this is an issue where I'm misunderstanding the purpose or validity of the audits, I can totally appreciate a correction from your auditor about the relevant professional standards being exercised here to allow reporting for a period without opining on other matters in that period. I realize that the disclosure of incidents - both by management and the auditor - is something fairly special with respect to the attestation engagements here. However, I cannot see how this is valid, and, as noted, undermines all of the audits provided to date.

We've had a discussion with our auditor, Scott Perry. Our auditor had sought guidance from WebTrust on the disclosure of items that have occurred within an audit period and had received guidance on format and content. From his perspective, the level of reporting is compliant with WebTrust standards. The items called out in the report are not material but the auditor felt they are not negligible and felt relying parties should be informed.

Our auditor and our company go over all Bugzilla items that have an audit impact during the course of all audits. While publicly reported, all items do not reach the level of disclosure in a public audit report based on our auditor’s professional opinion. Our auditor's recommendation is to speak with Webtrust and CPA Canada if the level of disclosure is not to your satisfaction, and to determine what accommodations can be made.

Brenda: I understand that DigiCert is obtaining audits with overlapping periods at the request of some root store operators. I further understand that incidents that occurred during those periods were disclosed by DigiCert to Scott Perry. Finally, I understand that the reports provided by Scott Perry list the findings on [at least one but not all] reports covering the period in which the finding was relevant.

Is that correct?

If so, that means any CA can "hide" findings (it's not clear if this only applies to "other matters" that, at the auditor's discretion, do not rise to the level of a qualification) by obtaining two overlapping audit reports - one scoped to the period relevant to the finding, and the other scoped to the full audit period.

Is that a logical conclusion from the auditor's discussion with WebTrust?

If so, is Scott Perry's assertion that they are not obligated to disclose the issues on all audits that cover the period in which an issue is relevant? Or that they are not permitted to do so? The former is a significant concern with the auditor (and it also raises a question about why DigiCert would accept audit reports that are incomplete); the latter is an issue that I would need to raise with the WebTrust folks.

Flags: needinfo?(wthayer) → needinfo?(brenda.bernal)

Please see responses in-line below:

> Brenda: I understand that DigiCert is obtaining audits with overlapping periods at the request of some root store operators. I further understand that incidents that occurred during those periods were disclosed by DigiCert to Scott Perry. Finally, I understand that the reports provided by Scott Perry list the findings on [at least one but not all] reports covering the period in which the finding was relevant.
> Is that correct?
Yes, this is correct. The nature of what gets included in the audit opinion is the scope of the CAs included in the assertion. Within the audit, items that are brought to our auditor’s attention are items for potential disclosure.

> If so, that means any CA can "hide" findings (it's not clear if this only applies to "other matters" that, at the auditor's discretion, do not rise to the level of a qualification) by obtaining two overlapping audit reports - one scoped to the period relevant to the finding, and the other scoped to the full audit period. Is that a logical conclusion from the auditor's discussion with WebTrust?

> If so, is Scott Perry's assertion that they are not obligated to disclose the issues on all audits that cover the period in which an issue is relevant? Or that they are not permitted to do so? The former is a significant concern with the auditor (and it also raises a question about why DigiCert would accept audit reports that are incomplete); the latter is an issue that I would need to raise with the WebTrust folks.

As noted above, DigiCert has disclosed incidents that occurred during the periods to our auditor which we are required to do so for our management representation letter.

Here is Scott Perry’s statement regarding this matter:
AICPA professional standards drive the methodology of audits and the level of disclosure required by WebTrust reports. Items in a public report that are not material are under the discretion of the auditor for disclosure. The items that were included had relevance to Baseline Requirements but were deemed by the auditor not to affect his audit opinion. Scott Perry does advise you to raise this issue with WebTrust on further guidance on matters of emphasis.

Flags: needinfo?(brenda.bernal)

I am (hopefully correctly) interpreting Scott Perry’s response to confirm that, the answer to Wayne’s question, the assertion is that they are not obligated to disclose the issues on all audits that cover the period in which an issue is present.

That does raise a significant concern with the auditor, in forming that opinion and approach, and DigiCert in accepting such reports. I defer to Wayne for his evaluation of the response as well.

Flags: needinfo?(wthayer)

I received a good suggestion today that maybe we should just include the incidents in the management assertion letters to ensure they don't get hidden/lost. I posted this to this bug as an addendum here. Going forward, we'll just include them as part of the main management assertion letter. That should help ensure that no matter what the auditor policy is, the issues are always captured in the audit summary.

I think it's unfortunate that the auditor has taken the position that they can disclose what they want and have no obligation to be consistent across reports covering overlapping periods of time. I will bring this up with the WebTrust Task Force to determine if anything can be done.

Meanwhile, choosing to disclose incidents in their management assertions letter is a great way for CAs to let the community know that they have informed their Auditor. This is being discussed at https://groups.google.com/d/msg/mozilla.dev.security.policy/4Co_3FZxfLA/tNOXK1FAAAAJ

Flags: needinfo?(wthayer)

Martin: Have I misread the attachment in https://bugzilla.mozilla.org/show_bug.cgi?id=1458024#c88 , or does that report identify an issue that is a CP/CPS violation, but for which there is no corresponding Bugzilla entry? Namely, "For 45 out of 45 certificates selected, the Basic Constraints criticality was false."

Violations of the CP/CPS are treated as incidents, and CAs are expected to revoke those certificates. For example, see Bug 1558552.

Flags: needinfo?(martin.sullivan)

It also seems that the following have non-compliance issues disclosed which have no corresponding Mozilla incidents:

While I'm thrilled these issues are being disclosed in reports, I'm concerned that no corresponding Incident was created for these CPS or BR violations.

CC'ing Kathleen as a heads up for review, given that some of these are systemic issues that affect several CAs, and some are issues that seemingly impact only a few CAs.

Flags: needinfo?(kwilson)

Jeremy: CC'ing you on this as well, to make sure compliance is aware of the requests in Comment #90 / Comment #91 . Please file as new incidents if these are yet unreported, otherwise, please report the existing Bugzilla numbers here.

Flags: needinfo?(jeremy.rowley)

Hi Ryan, I will be responding to Comment #90 / Comment #91 early this coming week. Thank you, Brenda.

Attached is our management response to the matters of emphasis in our WebTrust audit letters that did not qualify the corresponding report(s). For clarity, these were items identified during the audit, which closed on January 29, 2019, and therefore, were not already part of an open Bugzilla. As part of an audit closing activity, management has an opportunity to respond to observations and non-qualifying items outside of the audit reports published. For transparency, we are addressing the “matters” here by publishing the response document for each item. We have closed all but one item, which we will update once we finalize discussion/next step.

Brenda: Your attachment cannot be opened. As mentioned in Comment #92, please open a new bug to provide incident reports and track resolution of these items.

We want to ensure that incident reports are on file, even for matters that do not materially impact the opinion, as they still represent matters of non-compliance with the BRs and Mozilla Policies.

Flags: needinfo?(martin.sullivan)
Flags: needinfo?(kwilson)
Flags: needinfo?(jeremy.rowley)
Flags: needinfo?(brenda.bernal)

Most of these aren't incidents or a non-compliance within the realm of Mozilla. Specifically, they are:

  1. DigiCert didn't store the backup of CA private keys on a FIPS level 3 device. They are stored in a FIPS level 2 device in a safe. The level 3 bit for the backup was not set on some HSMs. This one may require an incident report. We are still investigating to see if any of the public root backups are stored this way or just private root backups. If it does impact the public root backups, we'll file an incident report on it.

  2. There are four private certs that BDO reviewed. They noted that they are under a separate CPS. I can't tell why this was even noted in the audit since private certs are under a separate CPS. I think the complaint is that which CPS those belonged in wasn't clear.

  3. During the final months of the audit period, we investigated 100% of the DigiCert certs. The complaint is that 100% is not random. I believe it is if the parameters of the random selection are between 100% and 100%. This is not really an incident but a disagreement on whether a 100% review of certs is "random".

  4. We didn't have a human review logs after SC21 passed. We implemented automated reviews. This is a matter where the audit criteria are out of sync with the actual requirements. We're compliant with SC21 - the audit criteria are not.

  5. We lost a vulnerability log back when we exited the Symantec data center, which does violate the document storage requirements. More accurately, Symantec/Verisign probably still has the log but we haven't been able to retrieve it. We're trying to get it to show we have it. We'll probably just file an incident on this one though since I have low expectations that we'll ever get this from them. We can prove that during the entire period vulnerability scans occurred - we just don't have legacy vulnerability logs.

  6. The basicConstraints criticality for code signing was defined as both "false" and "true" in the same CPS. So the CPS needs to be updated for code signing (so it is out of scope of Mozilla).

  7. There is an ICA that does not include the Key ID field of the AKI. The RFC actually says:
    " The authority key identifier extension provides a means of
    identifying the public key corresponding to the private key used to
    sign a certificate. This extension is used where an issuer has
    multiple signing keys (either due to multiple concurrent key pairs or
    due to changeover). The identification MAY be based on either the
    key identifier (the subject key identifier in the issuer's
    certificate) or the issuer name and serial number.

    The keyIdentifier field of the authorityKeyIdentifier extension MUST
    be included in all certificates generated by conforming CAs to
    facilitate certification path construction. There is one exception;
    where a CA distributes its public key in the form of a "self-signed"
    certificate, the authority key identifier MAY be omitted. The
    signature on a self-signed certificate is generated with the private
    key associated with the certificate's subject public key. (This
    proves that the issuer possesses both the public and private keys.)
    In this case, the subject and authority key identifiers would be
    identical, but only the subject key identifier is needed for
    certification path building."

The keyID is based on the issuer name and serial number in this cert. There's not a non-compliance. It's wrong in the audit criteria.
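The two RFC 5280 points raised in this thread, basicConstraints criticality on CA certificates and the keyIdentifier field of the AKI in item 7, can be checked mechanically. The following Go program is an added example, not code from this bug or from DigiCert: it builds a constructed root and intermediate (hypothetical names and serials), gives the intermediate a non-critical basicConstraints and an AKI that identifies the issuer only by name and serial number, and lints both against the RFC text quoted above using only the standard library.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"time"
)

var oidBasicConstraints, oidAKI = asn1.ObjectIdentifier{2, 5, 29, 19}, asn1.ObjectIdentifier{2, 5, 29, 35}

// LintCert checks the two RFC 5280 points from the findings above: basicConstraints not critical on
// a CA (4.2.1.9), and AKI without keyIdentifier on a non-self-signed certificate (4.2.1.1); Go leaves
// AuthorityKeyId empty when the extension holds only issuer name and serial number.
func LintCert(c *x509.Certificate) []string {
	var findings []string
	for _, e := range c.Extensions {
		if e.Id.Equal(oidBasicConstraints) && c.IsCA && !e.Critical {
			findings = append(findings, "basicConstraints not critical on a CA certificate")
		}
	}
	// A self-signed certificate may omit the AKI; every other certificate needs keyIdentifier.
	if c.CheckSignatureFrom(c) != nil && len(c.AuthorityKeyId) == 0 {
		findings = append(findings, "AKI keyIdentifier missing (issuer name and serial do not suffice)")
	}
	return findings
}

// akiIssuerSerial is an AuthorityKeyIdentifier carrying only authorityCertIssuer [1] and
// authorityCertSerialNumber [2]; Issuer is hand-built as [1] IMPLICIT GeneralNames.
type akiIssuerSerial struct {
	Issuer asn1.RawValue
	Serial *big.Int `asn1:"tag:2"`
}

func mustCert(tmpl, parent *x509.Certificate, pub, priv any) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, priv)
	c, perr := x509.ParseCertificate(der)
	if err != nil || perr != nil {
		panic("building a constructed demo certificate failed")
	}
	return c
}

// DemoChain builds a constructed root and intermediate (hypothetical names, not DigiCert's
// certificates); the intermediate reproduces both findings.
func DemoChain() (root, ica *x509.Certificate) {
	rootKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	icaKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	base := x509.Certificate{NotBefore: time.Now(), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	rootTmpl, icaTmpl := base, base
	rootTmpl.SerialNumber, rootTmpl.Subject = big.NewInt(1), pkix.Name{CommonName: "Example Root (constructed)"}
	icaTmpl.SerialNumber, icaTmpl.Subject = big.NewInt(2), pkix.Name{CommonName: "Example ICA (constructed)"}
	root = mustCert(&rootTmpl, &rootTmpl, &rootKey.PublicKey, rootKey)
	// directoryName is GeneralName choice [4] EXPLICIT Name, wrapping the root's DER subject.
	dirName, _ := asn1.Marshal(asn1.RawValue{Class: asn1.ClassContextSpecific, Tag: 4, IsCompound: true, Bytes: root.RawSubject})
	akiDER, _ := asn1.Marshal(akiIssuerSerial{Serial: root.SerialNumber,
		Issuer: asn1.RawValue{Class: asn1.ClassContextSpecific, Tag: 1, IsCompound: true, Bytes: dirName}})
	bcDER, _ := asn1.Marshal(struct{ IsCA bool }{true}) // SEQUENCE { cA TRUE }
	// ExtraExtensions replace the critical basicConstraints and keyIdentifier-bearing AKI Go would emit.
	icaTmpl.ExtraExtensions = []pkix.Extension{{Id: oidBasicConstraints, Value: bcDER}, {Id: oidAKI, Value: akiDER}}
	ica = mustCert(&icaTmpl, root, &icaKey.PublicKey, rootKey)
	return root, ica
}

func main() {
	root, ica := DemoChain()
	fmt.Printf("root: %v\nica: %v\n", LintCert(root), LintCert(ica))
}
```

The root passes cleanly, while the intermediate yields both findings; pointing LintCert at a parsed production certificate is a quick way to confirm whether an auditor's observation is a real RFC 5280 deviation.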

Two corrections:

  1. The vulnerability issue was not related to a transfer of data centers. It was caused by switching providers of the service from Qualys to Tenable. We can show we performed the required assessment (and any risks are captured in JIRA for remediation), but not the actual vulnerability assessments. This is something we do every month. However, the CPS doesn't actually require retention of vulnerability assessments. This was a matter of emphasis because they couldn't trace the vulnerability remediation to a report from scan - just the time of the scan. There was no violation of the BRs or the CPS, just difficult traceability.

  2. The certs I thought were private are actually clientAuth only (not private). There is a clause in the Symantec CPS that talked about these things. In particular, that these certs are validated in accordance with the specific customers. The auditors missed this footnote which allowed the usage of pseudonyms in non-S/MIME and clientAuth certs. Take your pick - they're out of scope for Mozilla AND they actually do comply with the CPS. Either way, this shouldn't have been flagged by the auditor.

DigiCert folks: I asked twice, first in Comment #92, and again in Comment #96, to track these as new bugs.

As this was apparently not followed, I've opened Bug 1613505 to track the discussion.

Please repeat your responses there. In providing an Incident Response for each matter, please indicate the report, the matter, and DigiCert's response.

Please continue to use this bug for providing your reports, but do not use this bug to provide your responses, as this does not appropriately track the incident, as requested in Comment #92.

Ryan, Per Comment 96, understood. I will carry over the follow up/discussion on the new bug. Thanks.

Flags: needinfo?(brenda.bernal)
Attachment #9129665 - Attachment is obsolete: true
Attachment #9129666 - Attachment is obsolete: true
Attachment #9129667 - Attachment is obsolete: true
Product: NSS → CA Program
Component: CA Certificate Root Program → CA Documents