You are correct, the analysis results of the audit process were missing in our response.
While analyzing the processes, we investigated, among other things, the question of why the faulty certificates were not revealed during the internal audits.
To find the reason here, we also reviewed the test methodology of the internal audits. It provides various elements to verify the correctness of the overall process:
The internal audits are divided into the key areas described below. These essentially refer to process conformity, documentation, retention and validity periods, checked against our own requirements as well as those of the CA/Browser Forum.
On-site inspection of external and internal order documents:
(1) Presence of customer documents
(2) Illustration of the completed order in the system
(3) Presence of an organizational confirmation, e.g. a commercial register excerpt, and its accuracy
(4) Correctness and readability of the order
(5) Match between the order data in the system and the order data in the order
(6) Compliance with the specified validity periods
(7) Basic logical processing errors
Furthermore, a part of this sample quantity is additionally subjected to a technical detailed examination.
Examination of the certificate content:
• Is the decoding successful (basic encoding)?
• Examination of existing values
• Are the relevant certificate components present and free of errors?
The detailed inspections are carried out via a visual and manual review by the internal auditor.
It appears that the additional technical detailed tests were not carried out in sufficient volume, since none of the errors described were detected during an internal audit.
One reason for this was that the goal of internal audits had so far primarily been to qualitatively maintain the validation process. The internal audit, which focuses much more on the validation process, was thus prone to overlook the listed error possibilities in the certificate.
Therefore, as a measure, we decided to increase the audit scope in relation to the quantity of allowances to be tested in detail, to improve the test process technically with additional comparison data, and to sensitize the internal auditor with regard to errors, simple typos (e.g. "t" instead of "tt" or "ttt" instead of "tt"), content errors (e.g. "location" is not geographically in the "stateOrProvinceName"), and sources of error.
We did not identify any other deficiencies in the audit process which could lead to the errors being overlooked.
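The checks described above (order data vs. certificate subject, typo and geographic consistency of localityName/stateOrProvinceName, validity period) can be run automatically rather than by visual review alone. The following is an added example, not code from the CA or from this bug; it assumes the subject fields have already been extracted from the certificate by an X.509 parser into a dict, and the reference table of localities and the day limit are constructed assumptions to be replaced with real data.

```python
import difflib
from datetime import date

# Constructed reference table (assumption): localities that belong to each state.
LOCALITY_IN_STATE = {
    "Bayern": {"Muenchen", "Nuernberg"},
    "Hessen": {"Frankfurt", "Kassel"},
}
MAX_VALIDITY_DAYS = 398  # assumption; take the limit from the current Baseline Requirements
SUBJECT_FIELDS = ("organizationName", "localityName", "stateOrProvinceName", "countryName")

def audit_certificate(order, cert, max_days=MAX_VALIDITY_DAYS):
    """Compare one issued certificate against its order; return a list of findings."""
    findings = []
    subject = cert["subject"]
    # (1) order data vs. certificate subject: exact match required, near-misses flagged as typos
    for field in SUBJECT_FIELDS:
        expected, actual = order.get(field), subject.get(field)
        if actual is None:
            findings.append(f"{field}: missing in certificate")
        elif actual != expected:
            ratio = difflib.SequenceMatcher(None, expected or "", actual).ratio()
            kind = "probable typo" if ratio >= 0.8 else "mismatch"
            findings.append(f"{field}: {kind} ({expected!r} ordered, {actual!r} issued)")
    # (2) geographic consistency: the locality must lie in the stated state/province
    state, loc = subject.get("stateOrProvinceName"), subject.get("localityName")
    if state in LOCALITY_IN_STATE and loc and loc not in LOCALITY_IN_STATE[state]:
        findings.append(f"localityName {loc!r} is not located in stateOrProvinceName {state!r}")
    # (3) validity period against the configured maximum
    days = (cert["notAfter"] - cert["notBefore"]).days
    if days > max_days:
        findings.append(f"validity of {days} days exceeds the limit of {max_days} days")
    return findings

# Constructed sample data: one order, one correct certificate, one faulty one.
ORDER = {"organizationName": "Example GmbH", "localityName": "Nuernberg",
         "stateOrProvinceName": "Bayern", "countryName": "DE"}
GOOD_CERT = {"subject": dict(ORDER),
             "notBefore": date(2024, 1, 1), "notAfter": date(2025, 1, 1)}
BAD_CERT = {"subject": {"organizationName": "Example GmbH", "localityName": "Nurnberg",
                        "stateOrProvinceName": "Hessen", "countryName": "DE"},
            "notBefore": date(2024, 1, 1), "notAfter": date(2025, 6, 1)}

if __name__ == "__main__":
    for name, cert in (("good", GOOD_CERT), ("bad", BAD_CERT)):
        print(name, audit_certificate(ORDER, cert) or ["OK"])
```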