Closed Bug 1741497 Opened 3 years ago Closed 2 years ago

CFCA: Overdue Audit Statements 2021

Categories

(CA Program :: CA Certificate Compliance, task)

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: kathleen.a.wilson, Assigned: sunny_bxl)

Details

(Whiteboard: [ca-compliance] [audit-delay])

Attachments

(4 files)

Audit Statements are past due for the following root certificate:

CN=CFCA EV ROOT; O=China Financial Certification Authority; C=CN
Certificate Serial Number: 184ACCD6
SHA-1 Fingerprint: E2B8294B5584AB6B58C290466CAC3FB8398F8483
SHA-256 Fingerprint: 5CC3D78E4E1D5E45547A04E6873E64F90CF9536D1CCC2EF800F355C4C5FD70FD

Here is the audit statement information we currently have for these root certificates.
Standard Audit: https://www.cpacanada.ca/generichandlers/CPACHandler.ashx?attachmentid=244653
Standard Audit Period End Date: 2020-07-31
BR Audit: https://www.cpacanada.ca/generichandlers/CPACHandler.ashx?attachmentid=244654
BR Audit Period End Date: 2020-07-31
EV Audit: https://www.cpacanada.ca/generichandlers/CPACHandler.ashx?attachmentid=244655
EV Audit Period End Date: 2020-07-31

Please provide your annual updates via the Common CA Database (CCADB), as described here: https://ccadb.org/cas/updates

Hi, Kathleen:

Our audit work has been completed, and the Management's assertion reports have been signed. However, the auditor reported they are "out of contact" with CPA Canada, which is why we have not gotten the new reports yet. We are trying to solve it; our auditor is communicating with CPA, and I think there will be some developments in the next few days. We will upload the official reports to CCADB when we get them.

The audit reports have not been signed; our auditor has given a LETTER FOR ISSUANCE OF REPORTS. We will upload the official reports to CCADB when we get them.

Assignee: bwilson → sunny_bxl
Status: NEW → ASSIGNED

Can you upload any PDFs of the audit reports here to this bug, and then populate a new CCADB audit case with the information that needs to be submitted annually? See information in links here: https://wiki.mozilla.org/CA/Audit_Statements#Root_Certificates
Let me know if you need further instruction on how this needs to be done.

Whiteboard: [ca-compliance] → [ca-compliance] [audit-delay]
Flags: needinfo?(sunny_bxl)
Flags: needinfo?(sunny_bxl)

I have uploaded the new audit reports. Due to some uncertain reasons, we have not gotten the Audit statement links from CPA Canada, which means we can't update the information on CCADB. I'm not sure if we can update it after we get the links?

Hi Oliver,
Do you have any updates for this matter? Will you be obtaining the seals now that CPA Canada has begun issuing them again for Chinese CAs?
Thanks,
Ben

Flags: needinfo?(sunny_bxl)

(In reply to Ben Wilson from comment #9)

> Hi Oliver,
> Do you have any updates for this matter? Will you be obtaining the seals now that CPA Canada has begun issuing them again for Chinese CAs?
> Thanks,
> Ben

Hi Ben,

We have been communicating with our auditor in recent months. The good news is CPA Canada has begun issuing seals again for Chinese CAs.
Our auditor is helping us obtain the seals. The latest news is that, due to some changes at CPA Canada, they need to update the report format. Our auditor will submit the application again within this week; the seals will normally be collected two days after submitting the application. I guess the seals can be obtained around June 10th.

I'll update the information as soon as I get the seals.

Thanks
Oliver Bi

Flags: needinfo?(sunny_bxl)

(In reply to Ben Wilson from comment #9)

> Hi Oliver,
> Do you have any updates for this matter? Will you be obtaining the seals now that CPA Canada has begun issuing them again for Chinese CAs?
> Thanks,
> Ben

There is good news: we got the audit links from CPA Canada today. Thanks for your help.

The Standard Audit link is https://www.cpacanada.ca/webtrustseal?sealid=10936
The BR Audit link is https://www.cpacanada.ca/webtrustseal?sealid=10937
The EV SSL Audit link is https://www.cpacanada.ca/webtrustseal?sealid=10938

I tried to update this information in CCADB, but it has some error like 'Data has been verified, You cannot modify Standard Audit fields.'

I'm not sure if we need to update this in CCADB.

Those records were "locked" - I can unlock them and update the information in the CCADB.

Flags: needinfo?(bwilson)

Have you reported CFCA DV OCA (SHA2 = B8BE2649AA518E943BF0FD1E34A240443E46E79EA7B562E09FCC830AC7D2F3FC) in the CCADB? You are supposed to do that within 7 days of CA creation. It's an incident when that doesn't happen.

Flags: needinfo?(bwilson) → needinfo?(sunny_bxl)
Flags: needinfo?(bixinlong)

(In reply to Ben Wilson from comment #13)

> Have you reported CFCA DV OCA (SHA2 = B8BE2649AA518E943BF0FD1E34A240443E46E79EA7B562E09FCC830AC7D2F3FC) in the CCADB? You are supposed to do that within 7 days of CA creation. It's an incident when that doesn't happen.

Hi Ben,

I have reported this information in CCADB today; maybe I misunderstood the rules.

We will not conduct unauthorized business without any notice, so we have not issued any DV SSL certificates after the root was created.

I will submit an incident report.

Flags: needinfo?(bixinlong)

(In reply to Ben Wilson from comment #13)

> Have you reported CFCA DV OCA (SHA2 = B8BE2649AA518E943BF0FD1E34A240443E46E79EA7B562E09FCC830AC7D2F3FC) in the CCADB? You are supposed to do that within 7 days of CA creation. It's an incident when that doesn't happen.

  1. Problem Report:
    CFCA has not reported CFCA DV OCA information in CCADB in a timely manner.

  2. Timeline:
    June 17, 2022: Ben Wilson asked whether CFCA had reported CFCA DV OCA (SHA2 = B8BE2649AA518E943BF0FD1E34A240443E46E79EA7B562E09FCC830AC7D2F3FC) in the CCADB.
    June 19, 2022: CFCA received this message and reported CFCA DV OCA in the CCADB on June 19.

  3. Statement
    CFCA has reported CFCA DV OCA.

  4. Summary
    CFCA has reported CFCA DV OCA (SHA2 = B8BE2649AA518E943BF0FD1E34A240443E46E79EA7B562E09FCC830AC7D2F3FC) in the CCADB. We didn’t issue any certificates after the intermediate certificate was created; this has not affected any institutions or individuals.

  5. Explanation:
    We misunderstood the rules; I mistakenly thought that we needed to report after getting the audit report and before formally issuing certificates. We will never conduct unauthorized business without any information release, so CFCA has not issued any certificates after the root was created.

  6. Steps:
    We will add some relevant information or procedures as required.

(In reply to bixinlong from comment #15)

> (In reply to Ben Wilson from comment #13)
>
> > Have you reported CFCA DV OCA (SHA2 = B8BE2649AA518E943BF0FD1E34A240443E46E79EA7B562E09FCC830AC7D2F3FC) in the CCADB? You are supposed to do that within 7 days of CA creation. It's an incident when that doesn't happen.
>
> 1. Problem Report:
>    CFCA has not reported CFCA DV OCA information in CCADB in a timely manner.

Could you create a separate bug for this issue using the incident reporting guidelines of [0]? Not reporting a new intermediate CA is not the same as an overdue audit statement, and thus requires separate tracking.

[0] https://wiki.mozilla.org/CA/Responding_To_An_Incident#Incident_Report

Has a new, separate incident report been filed, as requested by Matthias?

Flags: needinfo?(bixinlong)

(In reply to Ben Wilson from comment #17)

> Has a new, separate incident report been filed, as requested by Matthias?

I seem to have missed this. I have created a new report as requested by Matthias:

https://bugzilla.mozilla.org/show_bug.cgi?id=1784820

Flags: needinfo?(bixinlong)
Product: NSS → CA Program

I am going to close this on or about next Wednesday, 1-Mar-2023, unless there are reasons to keep it open. The most recent audit on file is dated 10/24/2022, which was filed within 90 days of the close of the audit period (7/31/2022). For future audit updating in the CCADB, there are instructions available through https://www.ccadb.org/cas/updates.

Flags: needinfo?(sunny_bxl) → needinfo?(bwilson)
Status: ASSIGNED → RESOLVED
Closed: 2 years ago
Flags: needinfo?(bwilson)
Resolution: --- → FIXED