Closed Bug 1549862 Opened 6 years ago Closed 6 years ago

Entrust: Outdated audit statement for intermediate cert

Categories

(CA Program :: CA Certificate Compliance, task)


Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: kathleen.a.wilson, Assigned: bruce.morton)

Details

(Whiteboard: [ca-compliance] [audit-failure])

Attachments

(9 files)

The following intermediate cert has an outdated audit statement.

Please update its record in the CCADB with the current audit statement information as soon as possible.

https://ccadb.org/cas/intermediates

Please also provide an Incident Report for having an overdue audit statement.
https://wiki.mozilla.org/CA/Responding_To_An_Incident#Incident_Report

CA Owner: Entrust

  • Certificate Name: LAWtrust2048 CA2
    SHA-256 Fingerprint: 4957DED341054641139CBAB3B96006545D094D449590FB08AE9A78D05A40BD83
    Standard Audit Period End Date (mm/dd/yyyy): 12/31/2017

Also, I received the following bounced email notification, indicating that the CA Email Alias that we have in the CCADB for Entrust isn't working:

The following message to <roots@entrust.com> was undeliverable.
The reason for the problem:
5.1.1 - Bad destination email address 'reject'

Assignee: wthayer → bruce.morton

We are working with the CA. The audit has been successfully completed and we are just waiting for the auditor to complete QA on the report and issue the report. We expect to have the final report in a week or 2, so let's plan for 24 May 2019.

I do not believe that the WebTrust group has pushed out requirements to all auditors as there seems to be an inconsistency about the content of the reports and the timing of delivery.

I will investigate the email issue, please use my email address in the interim.

Thanks, Bruce.

Status: NEW → ASSIGNED

Bruce: Any updates?

Flags: needinfo?(bruce.morton)

(In reply to Ryan Sleevi from comment #3)

Bruce: Any updates?

I have reached out to the owner of the LAWtrust CA. The audit is complete and there were no adverse findings. LAWtrust is still waiting for the auditor to provide the final report. I have suggested that they ask for a draft report. It would seem that neither LAWtrust nor the auditor are respecting the 3-month deadline. We will directly address this issue, so we will not have this problem in 2020.

Flags: needinfo?(bruce.morton)

Note from auditor dated 11 June 2019 providing the status of the audit.

Thanks Bruce. This provides an update, but doesn't provide an explanation for the delay. Could you help provide details for this?

Flags: needinfo?(bruce.morton)

LAWtrust's auditor, KPMG, has provided another delay in delivering the annual audit report. They have claimed that they had to do further control testing. After speaking to LAWtrust management, there is an issue with a LAWtrust root and the change of facilities. This issue does not impact the intermediate certificate which Entrust issued to LAWtrust, but does impact the release of the report. LAWtrust is asking that the report either be delivered or be split to minimize the delay.

Flags: needinfo?(bruce.morton)
Flags: needinfo?(wthayer)

The audit report has been delivered, see https://www.lawtrust.co.za/uploads/LT2048CA_ISAE3000_Assurance%20Letter_Final.pdf. I will update the CCADB.

I have confirmed that this audit has been entered into CCADB and is pending verification.

Bruce: this audit documents what appears to be a serious issue that affects Entrust's ability to properly oversee this subCA: Lawtrust does not itself maintain evidence to ensure that subscriber information is properly authenticated by the Registration Authorities. Can you provide a description and timeline for Entrust's response to this audit report, along with actions that have or will be taken in response?

Flags: needinfo?(wthayer) → needinfo?(bruce.morton)

(In reply to Wayne Thayer [:wayne] from comment #9)

I have confirmed that this audit has been entered into CCADB and is pending verification.

Bruce: this audit documents what appears to be a serious issue that affects Entrust's ability to properly oversee this subCA: Lawtrust does not itself maintain evidence to ensure that subscriber information is properly authenticated by the Registration Authorities. Can you provide a description and timeline for Entrust's response to this audit report, along with actions that have or will be taken in response?

Hi Wayne, we have made the same observation and are investigating. Please note that LAWtrust issues S/MIME and Client Authentication certificates to legal firms and uses Registration Authorities. The RAs must sign an RA Charter which requires them to have an annual compliance audit. We will respond with an update when we receive more information.

Flags: needinfo?(bruce.morton)

Hi Wayne: LAWtrust has about 9 RAs which are trusted entities in South Africa. The RAs have all signed RA agreements and perform verification for their customers and partners, which receive certificates. The RAs are spot checked by LAWtrust through each audit period. The RAs are compliance audited by the LAWtrust auditor on an annual basis with the exception of the current audit period. We are still investigating, but our understanding is the RA audit was skipped due to the lateness of the audit report.

We have talked to LAWtrust about how this issue can be rectified. I am on leave until 12 August 2019, but am hoping to provide an update that week.

Whiteboard: [ca-compliance] → [ca-compliance] - Next Update - 16-August 2019

(In reply to Bruce Morton from comment #8)

The audit report has been delivered, see https://www.lawtrust.co.za/uploads/LT2048CA_ISAE3000_Assurance%20Letter_Final.pdf. I will update the CCADB.

Incident Report of the Late Audit Report

  1. How your CA first became aware of the problem (e.g. via a problem report submitted to your Problem Reporting Mechanism, a discussion in mozilla.dev.security.policy, a Bugzilla bug, or internal self-audit), and the time and date.

On April 2, 2019 at 14:00 UTC, Entrust Datacard received an automated email from CCADB indicating that the LAWtrust intermediate CA audit report was outdated.

  2. A timeline of the actions your CA took in response. A timeline is a date-and-time-stamped sequence of all relevant events. This may include events before the incident was reported, such as when a particular requirement became applicable, or a document changed, or a bug was introduced, or an audit was done.

April 2, 2019, 14:35 UTC - sent email to LAWtrust asking for status
April 9, 2019, 12:12 UTC - sent email to LAWtrust asking for status
April 16, 2019, 12:12 UTC - sent email to LAWtrust asking for status
April 16, 2019, 12:41 UTC - LAWtrust indicated that KPMG was on site doing the audit and the results were not expected until the end of May 2019
April 16, 2019, 12:43 UTC - email sent to indicate to LAWtrust that the report was due by 31 March 2019
May 7, 2019, 22:26 UTC - received email indicating Bug 1549862 was created
May 7, 2019, 23:41 UTC - email sent to LAWtrust regarding Bug 1549862
May 8, 2019, 5:21 UTC - LAWtrust indicated that KPMG had completed the audit, but had not provided the audit report
May 10, 2019, 13:30 UTC - LAWtrust advised that the audit was complete and the report was expected in a week or two
May 10, 2019, 14:02 UTC - LAWtrust advised that there were no adverse findings in the audit
May 21, 2019, 14:10 UTC - sent email to LAWtrust asking for status
May 24, 2019, 13:28 UTC - sent email to LAWtrust asking for status
June 11, 2019, 6:41 UTC - sent email to LAWtrust asking for status
June 11, 2019, 11:03 UTC - LAWtrust provided a letter from KPMG that the audit report would be delayed to 28 June 2019
June 11, 2019, 11:21 UTC - added KPMG letter to Bug 1549862
June 28, 2019, 13:25 UTC - sent email to LAWtrust asking for status
June 29, 2019, 11:59 UTC - LAWtrust advised that the audit report is still delayed with KPMG
July 2, 2019, 14:19 UTC - email to advise LAWtrust that we are disappointed that KPMG has missed their deadline
July 2, 2019, 15:13 UTC - LAWtrust advised that they have asked KPMG to split the report, so our request could be delivered earlier
July 8, 2019, 13:42 UTC - sent email to LAWtrust advising that the report needs to be delivered this week or we need to discuss a CA certificate revocation date
July 9, 2019, 16:31 - LAWtrust delivered the audit report

  3. Whether your CA has stopped, or has not yet stopped, issuing certificates with the problem. A statement that you have will be considered a pledge to the community; a statement that you have not requires an explanation.

Not applicable.

  4. A summary of the problematic certificates. For each problem: number of certs, and the date the first and last certs with that problem were issued.

Not applicable.

  5. The complete certificate data for the problematic certificates.

Not applicable.

  6. Explanation about how and why the mistakes were made or bugs introduced, and how they avoided detection until now.

We have attached an explanation from LAWtrust as to why their report was late. In addition, Entrust did not have a process in place to work with LAWtrust to make sure that they were responding to the annual compliance audit requirements and timeline.

  7. List of steps your CA is taking to resolve the situation and ensure such issuance will not be repeated in the future, accompanied with a timeline of when your CA expects to accomplish these things.

Entrust will increase the level of project management with all third party intermediate CAs to ensure that they are up-to-date with industry requirements, are compliant and provide their audit report prior to their deadline.

This will include:

  • Providing updates on browser and CA/Browser Forum policy changes
  • Addressing compliance items
  • Ensuring CPS is updated at least once annually
  • Providing a compliance audit plan at least 4 months before the audit is due
  • Delivering compliance audit within 3 months of the end of the audit period

(In reply to Bruce Morton from comment #11)

Hi Wayne: LAWtrust has about 9 RAs which are trusted entities in South Africa. The RAs have all signed RA agreements and perform verification for their customers and partners, which receive certificates. The RAs are spot checked by LAWtrust through each audit period. The RAs are compliance audited by the LAWtrust auditor on an annual basis with the exception of the current audit period. We are still investigating, but our understanding is the RA audit was skipped due to the lateness of the audit report.

We have talked to LAWtrust about how this issue can be rectified. I am on leave until 12 August 2019, but am hoping to provide an update that week.

LAWtrust's auditor, KPMG, noted in the audit report: "We draw attention to item 4.4 in Management's Assertion above which highlights that LAWtrust does not itself maintain evidence that subscriber information is properly authenticated by the external Registration Authorities. This results in WebTrust Criterion 6.1 not being fully met. Our opinion is not modified in respect of this matter."

LAWtrust uses external constrained RAs to perform verification of the RAs' customers to issue client certificates.
The RAs are trusted within South Africa and are required to sign a Registration Authority Charter. The RAs are financial institutions and the South African Revenue Services (similar to the IRS in the US).

The financial institutions are registered with the Financial Services Conduct Authority (FSCA) and are by law required to conduct Know Your Customer (KYC) activities on their customers. These RAs are constrained as they can only issue certificates to their customers to allow client authentication. The South African Revenue Services also must verify all individuals to access their services.

WebTrust Principles And Criteria For Certification Authorities Version 2.2 has a provision to address External Constrained RAs, which states: "Let's take an example of a CA that provides CA services to several banks, and delegates the subscriber registration function to RAs that are specifically designated functional groups within each bank. Where a constrained RA relationship exists, the functions performed by these specific groups would typically be outside the scope of the WebTrust for Certification Authorities examination performed for the CA. It would also normally not require a separate RA audit."

Prior to 2018, KPMG and LAWtrust agreed that the financial institutions and the South African Revenue Services were external constrained RAs and were not audited, as provided in WebTrust 2.2. In 2018, the auditor from KPMG did not dispute that the RAs were constrained, but put his note in the audit report. The auditor did not modify his audit opinion based on his note.

If the WebTrust exception for External Constrained RAs is allowed to be used, then we do not think that any other audit information is required.

It is planned that LAWtrust will work with their auditor to ensure that the RA "callout" will not be included in future audit reports.

(In reply to Bruce Morton from comment #13)

LAWtrust uses external constrained RAs to perform verification of the RAs' customers to issue client certificates.

I'm not sure I understand the constraints here. Could you provide more detail? Are these technical, legal, other? You mention client identification, but it wasn't clear the implementation details of these constraints, and the distinction between 'intent' and 'technical capability'

The RAs are trusted within South Africa

By whom?

and are required to sign a Registration Authority Charter.

With whom?

  7. List of steps your CA is taking to resolve the situation and ensure such issuance will not be repeated in the future, accompanied with a timeline of when your CA expects to accomplish these things.

Entrust will increase the level of project management with all third party intermediate CAs to ensure that they are up-to-date with industry requirements, are compliant and provide their audit report prior to their deadline.

This will include:

  • Providing updates on browser and CA/Browser Forum policy changes
  • Addressing compliance items
  • Ensuring CPS is updated at least once annually
  • Providing a compliance audit plan at least 4 months before the audit is due
  • Delivering compliance audit within 3 months of the end of the audit period

Considering that multiple other CAs have had issues with providing timely audits for their sub-CAs, why did Entrust not have such procedures already in place, having learned from these incidents? It seems this list is still missing controls that other CAs have implemented for their subordinates, and it's not clear why that decision was made.

Could you share a bit more detail about the related Incident Reports from other CAs that Entrust has examined, and the motivations for omitting the controls other CAs have implemented?

Similarly, it seems Entrust made a unilateral decision that it was acceptable to let an unaudited entity have the unconstrained ability to issue TLS certificates, and seemed largely to take on faith the assertions of that entity for nearly four months. What's being done to address that? The described mitigations fail to actually commit to any changed behaviour. For example, is Entrust publicly committing to ensure that they immediately revoke any subordinate CA who does not provide the compliance audits within 3 months? If not, what are you committing to?

Flags: needinfo?(bruce.morton)

(In reply to Ryan Sleevi from comment #14)

(In reply to Bruce Morton from comment #13)

LAWtrust uses external constrained RAs to perform verification of the RAs' customers to issue client certificates.

I'm not sure I understand the constraints here. Could you provide more detail? Are these technical, legal, other? You mention client identification, but it wasn't clear the implementation details of these constraints, and the distinction between 'intent' and 'technical capability'

Although not technical, the RAs are constrained as they can only issue certificates to their customers, where they have a Know Your Customer requirement. From the technical side, the EKUs in the cross-certificate are Client Auth and Email Protection.

The RAs are trusted within South Africa

By whom?

I think there are two things to consider. LAWtrust is not using resellers, which are only in the business to sell certificates. The RAs which are being used are providing secure services, where a certificate helps to provide this service. The other item is that since the RAs are financial institutions and government organizations, they are trusted by the citizens and government.

and are required to sign a Registration Authority Charter.

With whom?

With the CA, LAWtrust.

  7. List of steps your CA is taking to resolve the situation and ensure such issuance will not be repeated in the future, accompanied with a timeline of when your CA expects to accomplish these things.

Entrust will increase the level of project management with all third party intermediate CAs to ensure that they are up-to-date with industry requirements, are compliant and provide their audit report prior to their deadline.

This will include:

  • Providing updates on browser and CA/Browser Forum policy changes
  • Addressing compliance items
  • Ensuring CPS is updated at least once annually
  • Providing a compliance audit plan at least 4 months before the audit is due
  • Delivering compliance audit within 3 months of the end of the audit period

Considering that multiple other CAs have had issues with providing timely audits for their sub-CAs, why did Entrust not have such procedures already in place, having learned from these incidents? It seems this list is still missing controls that other CAs have implemented for their subordinates, and it's not clear why that decision was made.

Entrust has been managing third party sub-CAs for about 15 years. We have worked through managing these sub-CAs as the requirements and the audit criteria have changed over the years. We did not consider reviewing what other CAs have done to address their incidents to provide timely audits. This sounds like a good idea. I did a quick review, but my search did not provide me any benefit. Do you have any recommendations on which ones to review?

Could you share a bit more detail about the related Incident Reports from other CAs that Entrust has examined, and the motivations for omitting the controls other CAs have implemented?

As stated above, we did not review other Incident Reports to address this issue.

Similarly, it seems Entrust made a unilateral decision that it was acceptable to let an unaudited entity have the unconstrained ability to issue TLS certificates, and seemed largely to take on faith the assertions of that entity for nearly four months. What's being done to address that? The described mitigations fail to actually commit to any changed behaviour. For example, is Entrust publicly committing to ensure that they immediately revoke any subordinate CA who does not provide the compliance audits within 3 months? If not, what are you committing to?

We consider that each sub-CA audit report incident should be treated on an independent basis. I am not aware of any browser or CA/Browser Forum policy on circumstances for late audit reports. If there is a policy we will respect it.

In this case we have a sub-CA which we have worked with for about 13 years. We have had no security incidents over the years. In this case, we confirmed that there was no open issue or qualification, which was slowing the issuance of the audit report. We believe that the audit started late, there was an organization change, and there was an auditor personnel change. In totality, this caused the audit to be completed late. We saw no security incident to require that the sub-CA certificate be revoked.

However, we have advised our sub-CAs that late audit reports will not be acceptable. If this is not addressed in their agreements, then the agreements will be amended. We will also ensure that we have the right to revoke a sub-CA certificate if it is deemed appropriate to resolve the issue. We think that increased project management and updated agreements will address this issue.

Flags: needinfo?(bruce.morton)

Thanks Bruce.

These responses greatly concern me, as I do not believe they answer the substance of some of the questions, and they do not help identify best practices, either for Entrust or for Lawtrust.

  1. I do not believe the question about constraints has been adequately answered. It would appear that RAs have zero constraints, technical (such as domain name) or otherwise. I'm assigning back to Bruce to answer the original question.
  2. Please provide an attached copy of the LawTrust Registration Authority Charter, along with all charters for all recognized RAs.
  3. I am deeply concerned that Entrust has not actively followed discussions of m.d.s.p., as required since April 2017. It seems Entrust has relied on its own experience, which is demonstrably deficient, rather than working to understand how the industry has changed. I am absolutely appalled at Entrust's inability to find issues like Bug 1566162 or Bug 1539296. These were trivial to find, as it simply required looking through https://wiki.mozilla.org/CA/Incident_Dashboard . Of course, if you also examined closed issues, you will find others.

While I'm appreciative that Entrust is working to ensure timely audits going forward, I'm concerned that the approach is one that does not approach with a risk-oriented mindset, and instead trusts the organizations implicitly without verification, on the basis of its past relationships.

With respect to providing the audits, Section 3.1.3, Audit Parameters, of the Mozilla CA Certificate Policy addresses this requirement. At the end of three months, both Entrust and LAWTrust are out of compliance with Mozilla Policy. As Entrust is responsible for the actions of its subordinates, Entrust is ultimately responsible.

Note that BRs 8.6 sets expectations on the communication of results. These are subordinate to, but consistent with, the Mozilla CA Certificate Policy requirements.

Flags: needinfo?(bruce.morton)

BII RA Charter

Flags: needinfo?(bruce.morton)

ABSA BIO RA Charter

LAWtrust RA Charter

Attached file Nedbank RA.pdf

Nedbank RA Charter

SARS RA Charter

Financial Intelligence Centre Act Booklet

(In reply to Ryan Sleevi from comment #16)

Thanks Bruce.

These responses greatly concern me, as I do not believe they answer the substance of some of the questions, and they do not help identify best practices, either for Entrust or for Lawtrust.

  1. I do not believe the question about constraints has been adequately answered. It would appear that RAs have zero constraints, technical (such as domain name) or otherwise. I'm assigning back to Bruce to answer the original question.

The subCA is constrained by EKU where the certificate contains Client Auth and Email Protection. The subCA certificate does not have any name constraints.

The external RAs are contractually and legally constrained. The external RAs are all financial services providers, which means that they have to comply with international Know Your Customer requirements. This in turn means that they have a duty to verify the identity of each customer that they deal with. In South Africa this requirement is contained in the Financial Intelligence Centre Act (posted to bug). In terms of Schedule 1, point 6 on page 66 of 256, you will see that a bank needs to register under the act. Under part 2 of the Regulations on page 76 of 257, the financial institution is required to verify the following information of an individual, before they can take them on as a client:
 
(a) full names;
(b) date of birth;
(c) identity number;
(d) income tax registration number, if such a number has been issued to that person; and
(e) residential address.

It is therefore very clear that even outside the scope of the RA Charter, these RAs have a duty imposed by legislation to verify the identity of their customers and are liable to large fines or even withdrawal of their licence in the case of non-compliance. As such, we consider that the external RAs are constrained, governed in respect of their duties by the RA Charter and obligated by legislation to verify their customers.

  2. Please provide an attached copy of the LawTrust Registration Authority Charter, along with all charters for all recognized RAs.

RA charters have been attached to the bug.

  3. I am deeply concerned that Entrust has not actively followed discussions of m.d.s.p., as required since April 2017. It seems Entrust has relied on its own experience, which is demonstrably deficient, rather than working to understand how the industry has changed. I am absolutely appalled at Entrust's inability to find issues like Bug 1566162 or Bug 1539296. These were trivial to find, as it simply required looking through https://wiki.mozilla.org/CA/Incident_Dashboard . Of course, if you also examined closed issues, you will find others.

Thank you for the referenced bugs. Bug 1539296 provides the following excellent proposal, which you also appear to support:

  • SubCA to provide auditor engagement letter to Root CA, so scope can be reviewed prior to signing or starting the audit
  • Ensure engagement letter specifically lists the CAs [I would update this requirement to list the specific subCA certificates which must be included in the audit report.]

We also agree that this is the direction with how we should work with LAWtrust. We have already proposed the following:

  • Meet on a quarterly basis allowing two way communications where Entrust can provide information about the industry (i.e., updates from the CA/Browser Forum or from browser policy changes) and LAWtrust can provide activity updates, ask policy questions and provide audit schedule plans.
  • LAWtrust to provide deliverables throughout the year, such as, updated CPS, audit project plan including timeline, audit contract and Policy Authority minutes. We can update this to add in the audit contract prior to signing.

While I'm appreciative that Entrust is working to ensure timely audits going forward, I'm concerned that the approach is one that does not approach with a risk-oriented mindset, and instead trusts the organizations implicitly without verification, on the basis of its past relationships.

Hopefully we have addressed this concern per the above plan.

With respect to providing the audits, Section 3.1.3, Audit Parameters, of the Mozilla CA Certificate Policy addresses this requirement. At the end of three months, both Entrust and LAWTrust are out of compliance with Mozilla Policy. As Entrust is responsible for the actions of its subordinates, Entrust is ultimately responsible.

Note that BRs 8.6 sets expectations on the communication of results. These are subordinate to, but consistent with, the Mozilla CA Certificate Policy requirements.

Agreed that Entrust and LAWtrust were out of compliance to both the Mozilla policy and the BRs. We will update our process to ensure that the expectation of BR 8.6 is met, that is, if an audit report is delayed greater than 3 months, we shall provide an explanatory letter signed by the Qualified Auditor.
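The exchange above turns on the difference between a contractual constraint on the RAs and a technical constraint in the sub-CA certificate itself (an EKU of Client Auth and Email Protection, and no name constraints). The following script is an added example, not part of the bug and not code from Entrust, LAWtrust or Mozilla: it reads an intermediate certificate and reports exactly those properties, so a root program or parent CA can check a subordinate's technical constraints from the certificate rather than from assertions. It assumes the `cryptography` Python library; the certificate it builds for demonstration is a constructed, self-signed stand-in with a placeholder domain, not the LAWtrust2048 CA2 certificate.

```python
# Added example (not from the bug, Entrust, LAWtrust or Mozilla): inspect an
# intermediate CA certificate for the technical constraints discussed above.
import datetime

from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import ExtendedKeyUsageOID, NameOID

# Human-readable labels for the EKU OIDs that matter in this discussion.
EKU_NAMES = {
    ExtendedKeyUsageOID.SERVER_AUTH: "serverAuth",
    ExtendedKeyUsageOID.CLIENT_AUTH: "clientAuth",
    ExtendedKeyUsageOID.EMAIL_PROTECTION: "emailProtection",
}


def describe_constraints(cert: x509.Certificate) -> dict:
    """Summarise the constraint-relevant extensions of a (sub-)CA certificate.

    Reports whether it is a CA, its EKU list (an empty list means the cert
    carries no EKU at all, i.e. any purpose), whether serverAuth is present,
    and whether a Name Constraints extension exists with its permitted subtrees.
    """
    summary = {
        "is_ca": False,
        "ekus": [],
        "has_server_auth": False,
        "has_name_constraints": False,
        "permitted_names": [],
    }
    try:
        bc = cert.extensions.get_extension_for_class(x509.BasicConstraints).value
        summary["is_ca"] = bc.ca
    except x509.ExtensionNotFound:
        pass
    try:
        eku = cert.extensions.get_extension_for_class(x509.ExtendedKeyUsage).value
        summary["ekus"] = [EKU_NAMES.get(oid, oid.dotted_string) for oid in eku]
        summary["has_server_auth"] = ExtendedKeyUsageOID.SERVER_AUTH in eku
    except x509.ExtensionNotFound:
        pass
    try:
        nc = cert.extensions.get_extension_for_class(x509.NameConstraints).value
        summary["has_name_constraints"] = True
        for name in nc.permitted_subtrees or []:
            summary["permitted_names"].append(f"{type(name).__name__}:{name.value}")
    except x509.ExtensionNotFound:
        pass
    return summary


def describe_constraints_pem(pem: bytes) -> dict:
    """Same summary, starting from PEM bytes (e.g. a cert downloaded from CCADB)."""
    return describe_constraints(x509.load_pem_x509_certificate(pem))


def cert_to_pem(cert: x509.Certificate) -> bytes:
    """Serialise a certificate to PEM so the PEM path can be exercised too."""
    return cert.public_bytes(serialization.Encoding.PEM)


def make_sample_intermediate(with_name_constraints: bool) -> x509.Certificate:
    """Build a constructed, self-signed stand-in for an intermediate CA cert.

    It carries the EKUs the thread describes (clientAuth + emailProtection, no
    serverAuth) and, optionally, a Name Constraints extension limited to the
    placeholder domain example.test. Key and names are throwaway test values.
    """
    key = ec.generate_private_key(ec.SECP256R1())
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "Constructed sample intermediate CA")])
    builder = (
        x509.CertificateBuilder()
        .subject_name(name)
        .issuer_name(name)
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(datetime.datetime(2019, 1, 1))
        .not_valid_after(datetime.datetime(2029, 1, 1))
        .add_extension(x509.BasicConstraints(ca=True, path_length=0), critical=True)
        .add_extension(
            x509.ExtendedKeyUsage([ExtendedKeyUsageOID.CLIENT_AUTH, ExtendedKeyUsageOID.EMAIL_PROTECTION]),
            critical=False,
        )
    )
    if with_name_constraints:
        builder = builder.add_extension(
            x509.NameConstraints(permitted_subtrees=[x509.DNSName("example.test")], excluded_subtrees=None),
            critical=True,
        )
    return builder.sign(key, hashes.SHA256())


if __name__ == "__main__":
    # EKU-only constraint (as described for the sub-CA in this bug) versus
    # EKU plus name constraints.
    for flag in (False, True):
        print(describe_constraints(make_sample_intermediate(flag)))
```

To check a real intermediate, pass its PEM bytes to `describe_constraints_pem`; an `ekus` list without `serverAuth` and `has_name_constraints` of `False` corresponds to the situation described in the comment above, where the certificate limits the purpose but not the names the subordinate can certify.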

Wayne: Kicking this over to you, as this is certainly an issue where the WebTrust requirements are objectively weaker with respect to the BRs in terms of "Enterprise constrained". It would certainly seem that, on the basis of the information provided, the auditor was correct in drawing attention to these matters, because the arguments about the constraints here are and remain concerning. As this doesn't have the TLS EKU, I leave you to make the final call here.

Flags: needinfo?(wthayer)

My remaining question (apologies if this was already answered) here is in regard to the auditor's comment:

"We draw attention to item 4.4 in Management's Assertion above which highlights that LAWtrust does not itself maintain evidence that subscriber information is properly authenticated by the external Registration Authorities. This results in WebTrust Criterion 6.1 not being fully met. Our opinion is not modified in respect of this matter."

Typically, I would expect that type of comment to become a qualification next year if not remediated. What, if anything, does LAWtrust plan to do to remediate this finding?

Flags: needinfo?(wthayer) → needinfo?(bruce.morton)
Whiteboard: [ca-compliance] - Next Update - 16-August 2019 → [ca-compliance]

(In reply to Wayne Thayer [:wayne] from comment #26)

My remaining question (apologies if this was already answered) here is in regard to the auditor's comment:

"We draw attention to item 4.4 in Management's Assertion above which highlights that LAWtrust does not itself maintain evidence that subscriber information is properly authenticated by the external Registration Authorities. This results in WebTrust Criterion 6.1 not being fully met. Our opinion is not modified in respect of this matter."

Typically, I would expect that type of comment to become a qualification next year if not remediated. What, if anything, does LAWtrust plan to do to remediate this finding?

LAWtrust is meeting with their auditors next week and will address this issue on the agenda.

Flags: needinfo?(bruce.morton)

To close this out, LAWtrust is working with their auditors to ensure that WebTrust exception will be permitted and the constrained RAs will fall outside the scope of the WebTrust audit. If the exception is not permitted, then all constrained RAs will be audited. In either case, we expect a positive response in the annual compliance audit report with respect to the constrained RAs.

I'm confused here. Comment #27 said it would be "next week", which was on 2019-09-11. The update provided in Comment #28 says it's still unresolved.

It's also unclear what is meant by the "WebTrust exception", and I think that raises concerns about the supervision, activities, and trustworthiness of the information validated by these entities.

There hasn't been any demonstration of technical remediation of the concerns (e.g. the EKU) matter, so I don't see how the plan provided in Comment #28 could close out this issue, as noted back in Comment #16. If anything, this seems like it would provide less assurance, rather than more, which is... definitely not progress in the right direction :)

Flags: needinfo?(bruce.morton)

Bruce: I set Needs-Info. Please make sure to provide weekly progress updates, unless otherwise acknowledged, as noted at https://wiki.mozilla.org/CA/Responding_To_An_Incident

and in no circumstances should a question linger without a response for more than one week, even if the response is only to acknowledge the question and provide a later date when an answer will be delivered. You should also provide updates at least every week giving your progress, and confirm when the remediation steps have been completed - unless Mozilla representatives agree to a different schedule by setting a “Next Update” date in the “Whiteboard” field of the bug.

It's important that those updates provide meaningful insight into how Entrust is resolving this issue.

(In reply to Ryan Sleevi from comment #29)

I'm confused here. Comment #27 said it would be "next week", which was on 2019-09-11. The update provided in Comment #28 says it's still unresolved.

It's also unclear what is meant by the "WebTrust exception", and I think that raises concerns about the supervision, activities, and trustworthiness of the information validated by these entities.

There hasn't been any demonstration of technical remediation of the concerns (e.g. the EKU) matter, so I don't see how the plan provided in Comment #28 could close out this issue, as noted back in Comment #16. If anything, this seems like it would provide less assurance, rather than more, which is... definitely not progress in the right direction :)

Hi Ryan:

Per comment 25, I thought that we had addressed all of your concerns and you passed this to Wayne.
Per comment 26, Wayne indicated that he wanted the comment about the external Registration Authorities to be addressed.
Per comment 27, I stated that LAWtrust would be talking to their auditors to resolve the issue. The plan was for the auditors to grant the exception as indicated in comment 13. However, since LAWtrust is changing auditors, they were delayed in confirming the agreement to the exception. I do apologize that I did not provide a weekly update that we had not made any progress.
Comment 28 was based on my reaching out to LAWtrust and stating that they must either have the exception approved by their auditor or have the RAs audited. They agreed to these options. As such, I thought that I had addressed Wayne's request from comment 26.

Thanks, Bruce.

Flags: needinfo?(bruce.morton)

(In reply to Ryan Sleevi from comment #30)

Bruce: I set Needs-Info. Please make sure to provide weekly progress updates, unless otherwise acknowledged, as noted at https://wiki.mozilla.org/CA/Responding_To_An_Incident

and in no circumstances should a question linger without a response for more than one week, even if the response is only to acknowledge the question and provide a later date when an answer will be delivered. You should also provide updates at least every week giving your progress, and confirm when the remediation steps have been completed - unless Mozilla representatives agree to a different schedule by setting a “Next Update” date in the “Whiteboard” field of the bug.

It's important that those updates provide meaningful insight into how Entrust is resolving this issue.

Agreed, I will plan to update this and future Incident Reports on a weekly basis, unless we have provided a date when we plan to provide the next update.

(In reply to Bruce Morton from comment #31)

Comment 28 was based on my reaching out to LAWtrust and stating that they must either have the exception approved by their auditor or have the RAs audited. They agreed to these options. As such, I thought that I had addressed Wayne's request from comment 26.

Comment 28 reads that LAWtrust has promised to fix it "somehow". I'd still like to know how they plan to obtain a clean audit next year, and I would think that Entrust would also be very interested in that information.

(In reply to Wayne Thayer [:wayne] from comment #33)

(In reply to Bruce Morton from comment #31)

Comment 28 was based on my reaching out to LAWtrust and stating that they must either have the exception approved by their auditor or have the RAs audited. They agreed to these options. As such, I thought that I had addressed Wayne's request from comment 26.

Comment 28 reads that LAWtrust has promised to fix it "somehow". I'd still like to know how they plan to obtain a clean audit next year, and I would think that Entrust would also be very interested in that information.

Hi Wayne, I have worked with LAWtrust to address the following 2 items:

  1. Late Audit Report - Entrust will increase our project management to ensure that LAWtrust has an auditor and audit plan to deliver the audit report on time. This will include reviewing the auditor engagement, confirming the scope, confirming the CAs to be audited and agreeing to the delivery date. This is similar to the plan in Bug 1539296. In the event that the audit report is late, Entrust will require a letter from the auditor per BR 8.6 as stated in comment 24.
  2. RA Data - LAWtrust has two choices: a) Work with the auditor to ensure that the constrained RAs do not need to be audited per the WebTrust exception OR b) Audit the constrained RAs. In either case, we believe that the "We draw attention ..." note will not be included in the 2020 audit report and the audit will be clean.

Flags: needinfo?(wthayer)

It appears that all questions have been answered and remediation is complete.

Status: ASSIGNED → RESOLVED
Closed: 6 years ago
Flags: needinfo?(wthayer)
Resolution: --- → FIXED
Product: NSS → CA Program
Whiteboard: [ca-compliance] → [ca-compliance] [audit-failure]