Closed Bug 1566586 Opened 5 years ago Closed 5 years ago

Asseco DS / Certum: Overdue Audit Statements 2019

Categories

(CA Program :: CA Certificate Compliance, task)

task
Not set
normal

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: kathleen.a.wilson, Assigned: wtrapczynski)

Details

(Whiteboard: [ca-compliance] [audit-failure])

Attachments

(5 files)

Audit statements are overdue for the following root certs.

CA Owner: Asseco Data Systems S.A. (previously Unizeto Certum)
Root Certificates:
Certum Trusted Network CA 2
Certum CA
Certum Trusted Network CA
Standard Audit: https://bug1286477.bmoattachments.org/attachment.cgi?id=9001516
Standard Audit Period End Date: 2018-03-26
BR Audit: https://bug1286477.bmoattachments.org/attachment.cgi?id=9001514
BR Audit Period End Date: 2018-03-26
EV Audit: https://bug1286477.bmoattachments.org/attachment.cgi?id=9001515
EV Audit Period End Date: 2018-03-26

Assignee: wthayer → wtrapczynski

Certum had an audit this year from 4 March to 8 March. The audit was carried out by Ernst and Young Poland, as in previous years. The audit covered the period March 27, 2018 to March 4, 2019 and included all Certum root certificates. We are now in the process of signing the Statement of Management, and we will update CCADB as soon as possible.

Aleksandra: Thank you for the update.

Unless I'm mistaken, the period of time from 2019-03-08 to today, 2019-07-17, is over 4 months. The Baseline Requirements, Section 8.6, notes that

the CA SHOULD make its Audit Report publicly available no later than three months after the end of the audit period. In the event of a delay greater than three months, and if so requested by an Application Software Supplier, the CA SHALL provide an explanatory letter signed by the Qualified Auditor.

Please consider this a formal request for such an explanatory letter, signed by E&Y Poland, that explains the reasoning for the delays. Similarly, please inform E&Y Poland about this bug, so that they may also communicate on or engage with this bug. Auditors that have demonstrated patterns of delays in producing reports have had their own issues opened against them, so it is very important for us to understand the nature and cause of the delay, and the steps that both Asseco/Certum and E&Y Poland are taking to ensure that future reports are not delayed.

Flags: needinfo?(aleksandra.kapinos)
Status: NEW → ASSIGNED

I am attaching the Ernst and Young Poland statement. From the Certum side, I assure you that we sent all the documents and evidence that the auditors wanted as soon as we received the information about them. We also told EY Poland that they can write a comment on this bug.

Flags: needinfo?(aleksandra.kapinos)

Aleksandra: Thanks. To clarify, right now it sounds like E&Y Poland is ascribing the delay to Asseco/Certum. Perhaps if you could provide a timeline of events and exchanges, that would help understand the delay. For example, if it was E&Y Poland realizing that they hadn't asked for necessary documents, rather than Asseco/Certum not providing them, hopefully the timeline will help illustrate this.

Thanks for your understanding!

Flags: needinfo?(aleksandra.kapinos)

Timeline of document exchanges between Certum and E&Y Poland after the audit:

2019-03-04 to 2019-03-08 – Audit
2019-03-29 – additional question about Validation Specialist, we answered 29.03
2019-04-02 – additional question about one of the audit issues, we answered 02.04
2019-04-02 – we received the audit closure report
2019-04-05 – additional question about EV verification, we answered 05.04
2019-04-18 – additional questions about key life cycle, we answered 30.04
2019-04-26 – additional question about CPS and cryptography, we answered 30.04 and 06.05
2019-05-08 – additional question about CP, keys, renewal and information about certificate expiration, we answered 09.05 and 14.05
2019-05-15 – additional question about one of the audit issues, we answered 23.05
2019-05-15 – request to prepare a remediation plan, we sent it 23.05
2019-06-03 – additional question about one of the audit issues, we answered 03.06 and 10.06
2019-06-19 – request to prepare compensation mechanisms, we answered 19.06
2019-07-02 – we received information that we have passed the audit.

I hope this timeline illustrates that Certum cooperated well with the auditors.

Flags: needinfo?(aleksandra.kapinos)

Thanks Aleksandra.

Wayne, I think you might be better placed for next steps here. Comment #3 has a statement from E&Y Poland, and Comment #5 has the timeline from Asseco/Certum's point of view. I don't want to discourage auditor rigor in investigation, and it does sound like that was a factor for it, but I'm also not sure that we've got a clear plan to prevent future delays. Do you have a sense for what information you'd want?

Flags: needinfo?(wthayer)

While it is worth tracking patterns of problematic auditor behavior, we don't seem to have clear evidence one way or the other in this case. Regardless of that, it is ultimately the CA's responsibility that audits are delivered on time. I want to know two things:

  • when will these audit reports be delivered to Mozilla?
  • what will Certum do to ensure that this doesn't happen again next year?

Flags: needinfo?(wthayer) → needinfo?(aleksandra.kapinos)

(In reply to Wayne Thayer [:wayne] from comment #7)

While it is worth tracking patterns of problematic auditor behavior, we don't seem to have clear evidence one way or the other in this case. Regardless of that, it is ultimately the CA's responsibility that audits are delivered on time. I want to know two things:

  • when will these audit reports be delivered to Mozilla?

From information from our auditor Aneta Dobruk-Serkowska, it follows that the report is ready and waiting for the approval of the main auditor, who is currently on vacation. We expect to finish this as soon as possible when he returns.

  • what will Certum do to ensure that this doesn't happen again next year?

In September, we have planned a meeting with E&Y representatives at which we will summarize the various stages of this year's audit and ask the auditors to present a recovery plan for the issues that slowed the timely completion of this year's audit. If the E&Y representatives will not cooperate in this regard, we will consider changing auditors next year. We can provide details of the meeting and findings at the end of September.

Flags: needinfo?(aleksandra.kapinos)

(In reply to Aleksandra Kapinos from comment #8)

(In reply to Wayne Thayer [:wayne] from comment #7)

While it is worth tracking patterns of problematic auditor behavior, we don't seem to have clear evidence one way or the other in this case. Regardless of that, it is ultimately the CA's responsibility that audits are delivered on time. I want to know two things:

  • when will these audit reports be delivered to Mozilla?

From information from our auditor Aneta Dobruk-Serkowska, it follows that the report is ready and waiting for the approval of the main auditor, who is currently on vacation. We expect to finish this as soon as possible when he returns.

One person's vacation is not a good excuse for further delays. Since no specific date has been given, please provide weekly updates in this bug until the audit report has been delivered to Mozilla.

Whiteboard: [ca-compliance] Overdue Audits for root certs → [ca-compliance] - Next Update - 01-August 2019

We asked our auditors for an update today and received information that the report documents are still under review. We will update this bug next week, or earlier if we have new information.

Today we received the accepted reports from the auditors. Tomorrow we will sign them and send them to E&Y Poland.

(In reply to Aleksandra Kapinos from comment #11)

Today we received the accepted reports from the auditors. Tomorrow we will sign them and send them to E&Y Poland.

Please file an Audit Case in the CCADB.
https://www.ccadb.org/cas/updates

We are waiting for publication. We will update CCADB as soon as possible when we get information from EY Poland.

Hello,

I attached the current audit reports for Asseco Data Systems/Certum CA.

ADS - Independent Assurance Report CS EV_2019.pdf
ADS - Independent Assurance Report NQ_2019.pdf
ADS - Independent Assurance Report SSL_2019.pdf
ADS - Independent Assurance Report SSL-EV_2019.pdf

I have finished processing the Audit Case for the Asseco Data Systems 2019 audit statements, so I will close this bug as resolved.

Status: ASSIGNED → RESOLVED
Closed: 5 years ago
Resolution: --- → FIXED
Whiteboard: [ca-compliance] - Next Update - 01-August 2019 → [ca-compliance] Overdue Audits for root certs
Summary: Asseco/Certum: Overdue Audit Statements 2019 → Asseco DS / Certum: Overdue Audit Statements 2019
Product: NSS → CA Program
Whiteboard: [ca-compliance] Overdue Audits for root certs → [ca-compliance] [audit-failure]