Closed Bug 835538 Opened 7 years ago Closed 7 years ago

TURKTRUST audit regarding change management procedures and controls

Component: NSS :: CA Certificate Root Program (task)
Status: RESOLVED FIXED
Reporter: kwilson; Assigned: kwilson
Attachments: 1 file

This bug is in response to the mistakes that were found in two certificates that were issued by TURKTRUST; bug #825022, and https://blog.mozilla.org/security/2013/01/03/revoking-trust-in-two-turktrust-certficates/

TURKTRUST has stated that they have made improvements to their change management procedures and controls so that this type of mistake will not be repeated.

This bug requests that TURKTRUST have an extra audit performed to review their change management procedures and documentation, and provide a statement from the auditor to confirm that measures have been put into place that will prevent this type of mis-issuance in the future.
Blocks: 433845, 768547
Status: NEW → ASSIGNED
Our “special audit” with a scope of change management, internal audit management and incident management procedures of TURKTRUST was performed today by the BSI auditor as planned. The audit report and the public audit statement regarding this special audit will be ready in a couple of days.
Do you know when the audit will be available? One month ago, you said it would be ready in a couple of days.
(In reply to Christopher Soghoian from comment #2)
> Do you know when the audit will be available? One month ago, you said it
> would be ready in a couple of days.

I received an audit statement regarding this special audit. The letter (dated February 19, 2013) stated that the audit had been performed in January 2013 with the objective to confirm that changes had been made and to verify specific control measures including change/release management, emergency software change management, incident management, internal audit management, corrective and preventive action management, etc.

Unfortunately, the audit statement included a clause that prevented me from attaching it to this bug. Mozilla CA policy and practice is to rely on documentation and audit statements that are publicly available.

Therefore, I asked the TurkTrust representatives to work with the auditor to create a new statement that I could attach to this bug.
I have exchanged email with a representative of BSI who has confirmed that BSI issued the audit letter that is attached to this bug.
Status: ASSIGNED → RESOLVED
Closed: 7 years ago
Resolution: --- → FIXED
Product: mozilla.org → NSS