Open Bug 1578505 Opened 2 months ago Updated 28 days ago

LuxTrust: Outdated audit statement for intermediate cert

Categories

(NSS :: CA Certificate Compliance, task)

Tracking

(Not tracked)

People

(Reporter: kwilson, Assigned: ca.luxtrust)

Details

(Whiteboard: [ca-compliance] - Overdue Audit for intermediate cert)

The following intermediate cert has an outdated audit statement.

Please update its record in the CCADB with the current audit statement information as soon as possible.

https://ccadb.org/cas/intermediates

Please also provide an Incident Report for having an overdue audit statement.
https://wiki.mozilla.org/CA/Responding_To_An_Incident#Incident_Report

CA Owner: LuxTrust

  • Certificate Name: LuxTrust Corporate CA
    SHA-256 Fingerprint: AE373E488DD13DEF71611D52F0B5179DD648241A381F67A80734F6615FF6E6CA
    Standard Audit Period End Date (mm/dd/yyyy): 03/30/2018
Assignee: wthayer → ca.luxtrust

This intermediate CA was audited at the same time as the other CAs. This is an omission in the attestation letter.
On September 4, we requested that the auditor provide us with an updated attestation letter.
We will update it in the CCADB upon receipt.
To prevent this from happening again, a 4-eye verification process is in place for this type of document.

(In reply to ca from comment #2)

The updated attestation letter is available here: http://lsti-certification.fr/images/LSTI_Audit_Atttestation_Letter_11085-124_V20_Luxtrust.pdf

I confirm that the audit attestation letter has been added to the record in the CCADB, and that Audit Letter Validation (ALV) passes (with the exception of the audit date being over 3 months after the audit period end date due to the audit statement being re-issued). So I was about to close this bug as resolved, but decided to check the other intermediate certs...

The following intermediate cert is said to have "Audits Same as Parent", but ALV does not find it in the parent's audit statement, and I don't find it either.

Subject: CN=LuxTrust Global Qualified CA 3; O=LuxTrust S.A.; C=LU
Issuer: CN=LuxTrust Global Root 2; O=LuxTrust S.A.; C=LU
SHA-256 Fingerprint: BED0F19ED46D94900D2A9FCD7C6F660B61FF7588D8B71CF8F279D5FAA3021CCF

Please resolve and also provide an Incident Report about these intermediate certs not being in audit attestation letters:

https://wiki.mozilla.org/CA/Responding_To_An_Incident#Incident_Report
