Thank your for raising this issue.
As documented in the bug you referenced, there was a good deal of confusion
about Mozilla's acceptance (or not) of SwissSign's 2017 audit statements.
Mozilla rejected the first statements and then asked questions about the
second set of statements but never clearly rejected them.
A verbal agreement was reached that SwissSign would obtain new audits, but
it resulted in only one of their 3 included roots being re-audited later in
2017. Given the lack of documentation, I am willing to accept that as a
misunderstanding of scope between Mozilla and SwissSign. The result is that
we have 2017 audit statements in CCADB that are marked as having been
accepted despite the significant concerns that were raised in the bug you
I believe the fact that the audit period extended for more than a year was
caused by SwissSign's (understandable) decision to use a different auditor
this year. However, I agree that this is a problem because it directly
contradicts BR section 8.1 which states "An audit period MUST NOT exceed
one year in duration" and Mozilla's requirement that "Full-surveillance
period-of-time audits MUST be conducted and updated audit information
provided no less frequently than annually". I believe these new audit
statements (both for the Platinum and Silver roots) should be rejected on
that basis, and I would also welcome a response from SwissSign and/or their
auditors. In addition, Kathleen is researching why this was not flagged by
CCADB when the audit cases were processed.
When choosing to switch auditors for 2018, SwissSign asked Mozilla to
permit them to use TUV Austria prior to the firm's formal eIDAS
accreditation. Given that the individuals performing the audits were
well-known as auditors for TUV Germany who moved to the Austrian entity,
Mozilla agreed to this exception as permitted under Root Store Policy
section 3.2. TUV Austria has since informed us that they have received
Finally, the audit submitted for the (not yet included) SwissSign Silver G3
root is point-in-time, and thus not acceptable as documented in
I have discussed
this with SwissSign's auditors, and their belief was that a point-in-time
report is appropriate when no certificates have been issued from a root
during the period. I do not agree with this interpretation and plan to have
further discussions with ETSI folks on this topic (WebTrust has already
confirmed that it is possible report on a root over a period-of-time even
when no issuance has occurred). Meanwhile, I believe that TUV Austria may
reissue the reports for this root as period-of-time since the audits
themselves covered the entire period.
On Wed, Aug 22, 2018 at 1:32 AM Kurt Roeckx via dev-security-policy <
> On 2018-08-21 21:03, Kathleen Wilson wrote:
> Is this not properly marked in the database?
> I found https://bugzilla.mozilla.org/show_bug.cgi?id=1374381
> seems to be related to it, and was closed.
> The linked audits there:
> - For one claiming the period covering 2015: The statement does not
> state which period was covered.
> - For one claiming the period covering 2016: The statement does not
> state which period was covered. A previous report from the auditor for
> that period stated that it was a point in time audit.
> The changed report removed this sentence: "KPMG has performed a point in
> time audit. The reference date is 8 March 2017." and replaced
> "We were not engaged to and did not conduct an examination, the object
> of which would be the expression of an opinion on the Application for
> Extended Validation (EV) Certificate. Accordingly, we do not express
> such an opinion. Had we performed additional procedures, other matters
> might have come to our attention that would have been reported to you"
> "KPMG has assessed the architecture, operation and procedures on a
> sample approach although we have not assessed every configuration
> setting on technical devices."
> - The report from a new auditor covered the period: March, 9th 2017
> until June, 6th 2018, which is longer than 1 year.
> dev-security-policy mailing list