PKIoverheid: Overdue audit statements for intermediate certificates
Categories: CA Program :: CA Certificate Compliance, task
Tracking: Not tracked
People: Reporter: kathleen.a.wilson, Assigned: jorik.vant.hof
Whiteboard: [ca-compliance] [audit-failure] [audit-delay]
Audit statements are past-due for the following intermediate certificates.
Please see: https://wiki.mozilla.org/CA/Audit_Statements#Audit_Delay
CA Owner: Government of The Netherlands, PKIoverheid (Logius)

Certificate Name: QuoVadis PKIoverheid Organisatie Server CA - G3
SHA-256 Fingerprint: CE2332390208742A1ACA6513974C4C9DB2691EAF4568B533E4A17ED5DDA973E6
Standard Audit Period End Date (mm/dd/yyyy): 05/31/2019
BR Audit Period End Date (mm/dd/yyyy): 05/31/2019

Certificate Name: QuoVadis PKIoverheid Server CA 2020
SHA-256 Fingerprint: EB2C2A806C69FC963C4E24A5BBEA20ED4E3B86AE798730BB4EEA51BF9DE33325
Standard Audit Period End Date (mm/dd/yyyy): 05/31/2019
BR Audit Period End Date (mm/dd/yyyy): 05/31/2019

Certificate Name: QuoVadis PKIoverheid Organisatie Persoon CA - G3
SHA-256 Fingerprint: 15073C6BBDC74699A88518C27A57C956E5E23D6CA9619E521A468C7873DE4F8A
Standard Audit Period End Date (mm/dd/yyyy): 05/31/2019

Certificate Name: QuoVadis PKIoverheid Organisatie Services CA - G3
SHA-256 Fingerprint: BECFDE124CEDD344D925CB55EDDA662D9A9C0688FA9A0870CE3DBB6DA4313E4E
Standard Audit Period End Date (mm/dd/yyyy): 05/31/2019

Certificate Name: QuoVadis PKIoverheid Organisatie Server CA - G3
SHA-256 Fingerprint: 85363A24CB1B66E6CF6244E87D243DBB8306F607357C614CB9C4C224A0E04358
Standard Audit Period End Date (mm/dd/yyyy): 05/31/2019
BR Audit Period End Date (mm/dd/yyyy): 05/31/2019
Comment 1•5 years ago
Hello Kathleen,
In September we received the following statement from QuoVadis concerning the outdated audit statements and shared this with you:
"The ETSI audit of the PKIoverheid CAs operated by QuoVadis is well advanced, but has been delayed by several factors including COVID restrictions and additional work required as part of the OCSPSigning EKU bug.
A delayed visit by the auditors is now scheduled for the second week of September and we expect the report following that visit."
In the meantime the audit statements were signed by the auditor on October 6. We filed these audit statements in CCADB on October 12.
If any additional information is required please let us know.
Comment 2•5 years ago
Hi David,
The audit statement that you provided for those certs is:
https://www.quovadisglobal.com/wp-content/uploads/2020/10/Ecertificate-ETS-030.pdf
When I click on the 'Audit Letter Validation (ALV)' button it fails with this error:
Downloading Audit Letter failed with exception: The server committed a protocol violation. Section=ResponseHeader Detail=CR must be followed by LF
Would you please have that fixed so that ALV can run on these records in the CCADB?
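The ALV error quoted above ("CR must be followed by LF") is what a strict HTTP client reports when a server emits a bare carriage return inside the response header block; RFC 7230 requires every header line to end in CRLF. The following is an added example, not code from this bug or from the CCADB/ALV tooling, that scans a raw HTTP response for bare CR or bare LF in the headers and, for contrast, shows how a lenient line-based parser silently folds the broken line into the previous header value instead of failing. Both sample responses are constructed for the example and are not captures from the CA's server.

```python
from typing import Dict, List, Tuple

# Constructed sample: a well-formed response with CRLF line endings.
GOOD_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: application/pdf\r\n"
    b"Content-Length: 5\r\n"
    b"Content-Disposition: inline; filename=report.pdf\r\n"
    b"\r\n"
    b"%PDF-"
)

# Constructed sample: the Content-Type line ends in a bare CR (no LF),
# which is the class of defect a strict client rejects with
# "CR must be followed by LF".
BAD_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: application/pdf\r"
    b"Content-Disposition: inline; filename=report.pdf\r\n"
    b"\r\n"
    b"%PDF-"
)


def header_block(raw: bytes) -> bytes:
    """Return the status line and header fields, including the CRLF that
    terminates the last field, but not the empty line or the body."""
    end = raw.find(b"\r\n\r\n")
    return raw if end == -1 else raw[: end + 2]


def check_header_line_endings(raw: bytes) -> List[Tuple[int, str]]:
    """Strict check in the spirit of RFC 7230: every CR in the header block
    must be followed by LF, and every LF must be preceded by CR.
    Returns a list of (byte offset, description) for each violation."""
    headers = header_block(raw)
    problems: List[Tuple[int, str]] = []
    for i, byte in enumerate(headers):
        if byte == 0x0D and (i + 1 >= len(headers) or headers[i + 1] != 0x0A):
            problems.append((i, "bare CR (CR must be followed by LF)"))
        elif byte == 0x0A and (i == 0 or headers[i - 1] != 0x0D):
            problems.append((i, "bare LF (LF not preceded by CR)"))
    return problems


def lenient_parse_headers(raw: bytes) -> Dict[str, str]:
    """Lenient parse that splits on LF only, the way many line-oriented
    readers do. A bare CR is not a line boundary here, so the following
    header is swallowed into the previous field's value rather than
    producing an error. This is why a browser may display the PDF while a
    strict tool refuses it."""
    block = header_block(raw)
    fields: Dict[str, str] = {}
    for line in block.split(b"\n")[1:]:  # skip the status line
        line = line.rstrip(b"\r")
        if not line:
            continue
        name, _, value = line.partition(b":")
        fields[name.strip().decode("latin-1")] = value.strip().decode("latin-1")
    return fields


if __name__ == "__main__":
    for label, resp in (("good", GOOD_RESPONSE), ("bad", BAD_RESPONSE)):
        print(label, "violations:", check_header_line_endings(resp))
        print(label, "lenient fields:", lenient_parse_headers(resp))
```

Running the script reports no violations for the well-formed response and one bare CR for the defective one; the lenient parse of the defective response has no Content-Disposition field at all, because that whole line ended up inside the Content-Type value. Running the strict check against a stored copy of an audit letter URL's raw response is a quick way to confirm a server-side fix before re-running ALV.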
Comment 4•5 years ago
QuoVadis will be posting an updated document at the link Kathleen mentioned shortly which will fix the issue.
When the updated document is posted we will update this bug again.
Comment 5•5 years ago
"Potentially" resolved with submission of https://bugzilla.mozilla.org/attachment.cgi?id=9198675. I'll have to look at this more closely. Also, I think that according to Mozilla policy, we require that the auditor explain the delay in providing the audit letter.
Comment 6•5 years ago
When I try to run the ALV process, I still get the following error: "Downloading Audit Letter failed with exception: The server committed a protocol violation. Section=ResponseHeader Detail=CR must be followed by LF".
We should have a call about this and also work with BSI to see where a better version of the PDF is stored on their website.
I also have a question about the places in the audit letter where it says, "(not in scope)".
Comment 7•5 years ago
PDF files of the reports are now accessible through the BSI VerifEye directory. The direct link is at https://verifeyedir.blob.core.windows.net/pas7000docs/qv_hol-0047309378-000/ecertificate_-_ets_030.pdf
More at https://verifeyedirectory.bsigroup.com/Profile/QV_HOL-0047309378-000
Comment 8•5 years ago
Hi Ben,
Hereby you receive a quick response from our side to clarify. We have had contact with the auditor and they gave us some input that answers the questions raised:
- BSI assumes that the ALV process for BSI audit reports is now functioning correctly (after adding auditor information in the body of the document instead of in the document footer).
- PDF files of the reports are now accessible through the BSI VerifEye directory. This is a central facility for all BSI certificates (not only ETSI) and (specifically for ETSI customers) this has been modified to also include the PDF file of the ETSI conformity certificate. Adding the PDF to VerifEye is the most practical solution for BSI and fits BSI internal processes.
- BSI conformity certificates mention "Not In Scope" in the certificate hierarchy where the Staat der Nederlanden Root and Domain CAs are mentioned. These are out of scope for our audit, as these Root and Intermediate CAs are part of the Central Infrastructure PKIoverheid and are not governed by QuoVadis (nor by any other Trust Service Provider within PKIoverheid). These CAs are subject to an audit that is contracted separately by their owner, Logius.
Some additional information from our side:
We have filed the link to the PDF file (mentioned by Stephen in c7) in CCADB. In this way we can test whether ALV is working correctly with the new BSI format, as mentioned by the auditor in point 1.
Concerning point 3, the Staat der Nederlanden Root and Domain CAs have been audited under the WebTrust regime and have been filed in CCADB separately by Logius.
If any additional information is required please let us know.
Comment 9•5 years ago
Thanks for the clarifications. I was also able to run the ALV process. I'll close this case.