Closed
Bug 835538
Opened 11 years ago
Closed 11 years ago
TURKTRUST audit regarding change management procedures and controls
Categories
(CA Program :: CA Certificate Root Program, task)
Tracking
(Not tracked)
RESOLVED
FIXED
People
(Reporter: kathleen.a.wilson, Assigned: kathleen.a.wilson)
Attachments
(1 file)
1.16 MB,
application/pdf
This bug is in response to the mistakes that were found in two certificates that were issued by TURKTRUST; bug #825022, and https://blog.mozilla.org/security/2013/01/03/revoking-trust-in-two-turktrust-certficates/

TURKTRUST has stated that they have made improvements to their change management procedures and controls so that this type of mistake will not be repeated.

This bug requests that TURKTRUST have an extra audit performed to review their change management procedures and documentation, and provide a statement from the auditor to confirm that measures have been put into place that will prevent this type of mis-issuance in the future.
Assignee
Updated•11 years ago
Comment 1•11 years ago
Our “special audit” with a scope of change management, internal audit management and incident management procedures of TURKTRUST was performed today by the BSI auditor as planned. The audit report and the public audit statement regarding this special audit will be ready in a couple of days.
Comment 2•11 years ago
Do you know when the audit will be available? One month ago, you said it would be ready in a couple of days.
Assignee
Comment 3•11 years ago
(In reply to Christopher Soghoian from comment #2)
> Do you know when the audit will be available? One month ago, you said it
> would be ready in a couple of days.

I received an audit statement regarding this special audit. The letter (dated February 19, 2013) stated that the audit had been performed in January 2013 with the objective to confirm that changes had been made and to verify specific control measures including change/release management, emergency software change management, incident management, internal audit management, corrective and preventative action management, etc.

Unfortunately, the audit statement included a clause that prevented me from attaching it to this bug. Mozilla CA policy and practice is to rely on documentation and audit statements that are publicly available. Therefore, I asked the TurkTrust representatives to work with the auditor to create a new statement that I could attach to this bug.
Assignee
Comment 4•11 years ago
Assignee
Comment 5•11 years ago
I have exchanged email with a representative of BSI who has confirmed that BSI issued the audit letter that is attached to this bug.
Assignee
Updated•11 years ago
Status: ASSIGNED → RESOLVED
Closed: 11 years ago
Resolution: --- → FIXED
Updated•7 years ago
Product: mozilla.org → NSS
Updated•2 years ago
Product: NSS → CA Program