Open Bug 1549862 Opened 4 months ago Updated 15 days ago

Entrust: Outdated audit statement for intermediate cert

Categories: NSS :: CA Certificate Compliance (task)
Tracking: Not tracked
Status: ASSIGNED
People: Reporter: kwilson, Assigned: bruce.morton
Whiteboard: [ca-compliance] - Next Update - 16-August 2019
Attachments: 2 files

The following intermediate cert has an outdated audit statement.

Please update its record in the CCADB with the current audit statement information as soon as possible.

https://ccadb.org/cas/intermediates

Please also provide an Incident Report for having an overdue audit statement.
https://wiki.mozilla.org/CA/Responding_To_An_Incident#Incident_Report

CA Owner: Entrust

  • Certificate Name: LAWtrust2048 CA2
    SHA-256 Fingerprint: 4957DED341054641139CBAB3B96006545D094D449590FB08AE9A78D05A40BD83
    Standard Audit Period End Date (mm/dd/yyyy): 12/31/2017

Also, I received the following bounced email notification, indicating that the CA Email Alias that we have in the CCADB for Entrust isn't working:

The following message to <roots@entrust.com> was undeliverable.
The reason for the problem:
5.1.1 - Bad destination email address 'reject'

Assignee: wthayer → bruce.morton

We are working with the CA. The audit has been successfully completed and we are just waiting for the auditor to complete QA on the report and issue the report. We expect to have the final report in a week or 2, so let's plan for 24 May 2019.

I do not believe that the WebTrust group has pushed out requirements to all auditors as there seems to be an inconsistency about the content of the reports and the timing of delivery.

I will investigate the email issue, please use my email address in the interim.

Thanks, Bruce.

Status: NEW → ASSIGNED

Bruce: Any updates?

Flags: needinfo?(bruce.morton)

(In reply to Ryan Sleevi from comment #3)

> Bruce: Any updates?

I have reached out to the owner of the LAWtrust CA. The audit is complete and there were no adverse findings. LAWtrust is still waiting for the auditor to provide the final report. I have suggested that they ask for a draft report. It would seem that neither LAWtrust nor the auditor is respecting the 3-month deadline. We will directly address this issue, so we will not have this problem in 2020.

Flags: needinfo?(bruce.morton)

Note from auditor dated 11 June 2019 providing the status of the audit.

Thanks Bruce. This provides an update, but doesn't provide an explanation for the delay. Could you help provide details for this?

Flags: needinfo?(bruce.morton)

LAWtrust's auditor, KPMG, has provided another delay in delivering the annual audit report. They have claimed that they had to do further control testing. After speaking to LAWtrust management, there is an issue with a LAWtrust root and the change of facilities. This issue does not impact the intermediate certificate which Entrust issued to LAWtrust, but does impact the release of the report. LAWtrust is asking that the report either be delivered or be split to minimize the delay.

Flags: needinfo?(bruce.morton)
Flags: needinfo?(wthayer)

The audit report has been delivered, see https://www.lawtrust.co.za/uploads/LT2048CA_ISAE3000_Assurance%20Letter_Final.pdf. I will update the CCADB.

I have confirmed that this audit has been entered into CCADB and is pending verification.

Bruce: this audit documents what appears to be a serious issue that affects Entrust's ability to properly oversee this subCA: LAWtrust does not itself maintain evidence to ensure that subscriber information is properly authenticated by the Registration Authorities. Can you provide a description and timeline for Entrust's response to this audit report, along with actions that have or will be taken in response?

Flags: needinfo?(wthayer) → needinfo?(bruce.morton)

(In reply to Wayne Thayer [:wayne] from comment #9)

> I have confirmed that this audit has been entered into CCADB and is pending verification.
>
> Bruce: this audit documents what appears to be a serious issue that affects Entrust's ability to properly oversee this subCA: LAWtrust does not itself maintain evidence to ensure that subscriber information is properly authenticated by the Registration Authorities. Can you provide a description and timeline for Entrust's response to this audit report, along with actions that have or will be taken in response?

Hi Wayne, we have made the same observation and are investigating. Please note that LAWtrust issues S/MIME and Client Authentication certificates to legal firms and uses Registration Authorities. The RAs must sign an RA Charter which requires them to have an annual compliance audit. We will respond with an update when we receive more information.

Flags: needinfo?(bruce.morton)

Hi Wayne: LAWtrust has about 9 RAs, which are trusted entities in South Africa. The RAs have all signed RA agreements and perform verification for their customers and partners, which receive certificates. The RAs are spot-checked by LAWtrust through each audit period. The RAs are compliance-audited by the LAWtrust auditor on an annual basis, with the exception of the current audit period. We are still investigating, but our understanding is that the RA audit was skipped due to the lateness of the audit report.

We have talked to LAWtrust about how this issue can be rectified. I am on leave until 12 August 2019, but am hoping to provide an update that week.

Whiteboard: [ca-compliance] → [ca-compliance] - Next Update - 16-August 2019