
AC Camerfirma's CP & CPS disclosure


mart...@camerfirma.com

Aug 29, 2018, 6:13:17 AM8/29/18
to mozilla-dev-s...@lists.mozilla.org
1.
Our auditors, in their WebTrust Principles and Criteria for Certification Authorities v2.0 and Extended Validation SSL v1.6 qualified audit reports, have required a series of changes that we must make in our CP & CPS:
W4CA https://bugzilla.mozilla.org/attachment.cgi?id=8995928
WEV https://bugzilla.mozilla.org/attachment.cgi?id=8995931

2.
2018-07-14 -> Qualified Audit Report
2018-09-17 -> CPS & CP's new versions will be disclosed

6.
The management of versions and changes of the CPS & CPs was incorrect under the auditor's criteria, since Camerfirma has always considered that the CPS prevailed over the specific CPs and that updating the CPS would be sufficient.
Changes related to the self-assessment of at least 3% of the certificates issued are also incorporated.

7.
We have worked on correcting these imbalances by incorporating the auditor's criteria into our procedures; the result will be the new versions, to be published on 2018-09-17.

Wayne Thayer

Aug 29, 2018, 8:21:19 PM8/29/18
to Juan Angel Martin (AC Camerfirma), mozilla-dev-security-policy
Hello Juan,

Was this message intended to be a response to the discussion of
Camerfirma's qualified audits in
https://bugzilla.mozilla.org/show_bug.cgi?id=1478933 ? I am awaiting a full
response to comment #7 in which I requested a full remediation plan for the
issues identified by these audits.

- Wayne

ramiro...@gmail.com

Sep 4, 2018, 8:47:38 AM9/4/18
to mozilla-dev-s...@lists.mozilla.org
Hi Wayne, here is a response to the qualified audits. As you remarked, we have included links to the previously reported bugs. We will keep you informed about the remediation plan. Sorry for the delay; as you know, Juan Angel is the person in charge of this work and is on vacation for some days.

1- How your CA first became aware of the problem (e.g. via a problem report submitted to your Problem Reporting Mechanism, a discussion in mozilla.dev.security.policy, a Bugzilla bug, or internal self-audit), and the time and date.

As a result of the annual WebTrust CA / BR / EV audit, AC Camerfirma has been required by our auditors, by means of qualified audit reports, to make a series of changes.
W4CA-1. Some discrepancies between CPS and CP

W4CA-2. Some CPs do not disclose all topics in RFC3647

W4CA-3. Camerfirma had issued certificates with error (already reported
https://bugzilla.mozilla.org/show_bug.cgi?id=1431164).

W4CA-4. Camerfirma had not revoked certificates within the time frame in accordance with the disclosed business practices (already reported https://bugzilla.mozilla.org/show_bug.cgi?id=1390977)

W4CA-5. For a few certificates, OCSP information was inconsistent between the OCSP and CRL services under certain circumstances.

WBR-1. Insufficient controls to ensure that the CA implements the latest version of the Baseline Requirements.

WBR-2. Camerfirma had issued certificates with errors according to the CA/B Forum requirements. (Already reported
https://bugzilla.mozilla.org/show_bug.cgi?id=1431164)

WBR-3. Investigation of Certificate Problem Reports within 24 hours. (Already reported https://bugzilla.mozilla.org/show_bug.cgi?id=1390977).

WBR-4. During our procedures, we noted that for some revocation requests the subscriber Certificates were not revoked within 24 hours. (Already reported https://bugzilla.mozilla.org/show_bug.cgi?id=1390977).

WBR-5. No evidence of self-assessments on at least a quarterly basis against a randomly selected sample of at least three percent of the certificates issued.

WEV-1. Camerfirma had issued certificates with errors according to the CA/B Forum requirements. (Already reported https://bugzilla.mozilla.org/show_bug.cgi?id=1431164)

WEV-2. For a few certificates, OCSP information was inconsistent between the OCSP and CRL services under certain circumstances.

WEV-3. During our procedures, we noted that for some revocation requests the subscriber certificates were not revoked within 24 hours. (Already reported https://bugzilla.mozilla.org/show_bug.cgi?id=1390977).

WEV-4. Investigation of Certificate Problem Reports within 24 hours. (Already reported https://bugzilla.mozilla.org/show_bug.cgi?id=1390977).


2- A timeline of the actions your CA took in response. A timeline is a date-and-time-stamped sequence of all relevant events. This may include events before the incident was reported, such as when a particular requirement became applicable, or a document changed, or a bug was introduced, or an audit was done.

During the audit process our auditors detected some differences between the answers from the OCSP service and the CRL.
We detected some problems in the trigger system that synchronizes the PKI platform and the OCSP platform. We decided to perform a full check of the OCSP platform and fix the inconsistencies discovered.
2018-07-14 -> Release of the Qualified Audit Report
2018-09-20 -> CP/CPS modification & clarification published (W4CA-1, W4CA-2, WBR-1, WBR-5)
2018-09-10 -> Complete OCSP/PKI/CRL database reviewed and fixed (W4CA-5, WEV-2)
2018-09-17 -> Technical controls and synchronization reports deployed (W4CA-5, WEV-2)
October 2018 -> Point-in-time (PIT) audit, depending on auditor availability.


3- Whether your CA has stopped, or has not yet stopped, issuing certificates with the problem. A statement that you have will be considered a pledge to the community; a statement that you have not requires an explanation.


CP/CPS issues: these are not a certificate issuance problem.
OCSP/CRL: we have found no new issues in our OCSP manual controls. All certificates are correctly issued.


4- A summary of the problematic certificates. For each problem: number of certs, and the date the first and last certs with that problem were issued.


CP/CPS issues: do not affect any certificate.
OCSP/CRL issue: certificates are issued correctly. Nevertheless, we are determining which certificates could have been affected by the inconsistencies. We will provide a list in the next few days.

5- The complete certificate data for the problematic certificates. The recommended way to provide this is to ensure each certificate is logged to CT and then list the fingerprints or crt.sh IDs, either in the report or as an attached spreadsheet, with one list per distinct problem.

CP/CPS issues: do not affect any certificate.
OCSP/CRL issue: certificates are issued correctly. Nevertheless, we are determining which certificates could have been affected by the inconsistencies. We will provide a list in the next few days.

6- Explanation about how and why the mistakes were made or bugs introduced, and how they avoided detection until now.

CP/CPS issues:
W4CA-1
This issue comes from a different interpretation by the auditor of CP versus CPS. AC Camerfirma has worked mainly with the CPS. The AC Camerfirma CPs were written in a very basic way, in order to describe the activity in detail in the CPS. Information in the CPS prevailed over the CP. Nevertheless, the auditors state that Camerfirma should fix some discrepancies between them, such as:
Key lengths, contact information and reuse of keys differ between CPS and CP. From Camerfirma's point of view the CPS prevails. AC Camerfirma has fixed this inconsistency.
W4CA-2
Disclose all topics of RFC 3647. The AC Camerfirma CPS is RFC 3647 compliant. AC Camerfirma will include all topics in the CPs as well.
WBR-1
AC Camerfirma now has closer control over changes in the CA/Browser Forum BR policies and has modified the CPS update procedure to ensure that the latest BR version is covered by our CPS.
WBR-5
A complete self-assessment is made over 3% of the EV certificates, and also over all OV certificates (via crt.sh), although in the auditor's opinion the OV self-assessment did not cover the complete investigation. AC Camerfirma has changed the self-assessment procedure to include a full investigation over 3% of the OV certificates as well.
OCSP/CRL issues:
W4CA-5, WEV-2
OCSP and PKI/CRL are independent platforms and are synchronized by database triggers. These triggers were not working properly under some circumstances (heavy traffic) and produced errors; other errors came from the behaviour when suspending and reactivating certificates.
Before this audit report, neither manual nor technical controls over OCSP/CRL synchronization were in place.

7- List of steps your CA is taking to resolve the situation and ensure such issuance will not be repeated in the future, accompanied with a timeline of when your CA expects to accomplish these things.

AC Camerfirma has made changes in the CP/CPS to fix the inconsistencies found by the auditor and will disseminate the documents and the new procedures to avoid new problems in the future.
AC Camerfirma is working on correcting the imbalances detected and on effective processes to ensure that the information offered by the OCSP and the CRL is the same.
2018-07-14 -> Qualified Audit Report
2018-09-17 -> CPS & CP new versions will be disclosed
New procedures and CPS/CP versions will be distributed among all affected people in order to avoid new differences between CP and CPS.
New procedures for self-assessment include a full review of OV certificates.
Better control over changes in the BR version and modifications in the AC Camerfirma CP/CPS.
2018-09-17 -> Finish a full review of the OCSP database and its synchronization with the PKI database.
2018-09-24 -> Fix all inconsistencies found. We have reviewed the complete databases, checked the correct OCSP/PKI/CRL alignment and corrected the problems found.
2018-10-01 -> Technical control to avoid inconsistencies. We are improving the execution of the triggers and developing the controls that confirm their correct operation.
2018-10-01 -> Periodic reports (weekly to monthly basis) to ensure the technical controls are working and no new inconsistencies are produced.
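The W4CA-5 / WEV-2 finding above describes two independent platforms (PKI database with CRL generation on one side, OCSP responder on the other) kept in step only by database triggers, which drifted apart under load and around suspend/reactivate, with no control detecting the drift. The following is an added example and not Camerfirma's code or a description of their actual control: a three-way reconciliation of exported records from the PKI database, the CRL and the OCSP responder, run here on constructed sample data. The record shapes, field names and finding codes are assumptions; the point is which disagreement classes matter, and that a revoked certificate still answered "good" by OCSP is the one relying parties will actually act on.

```python
"""Three-way reconciliation of PKI database, CRL and OCSP status.

Added example (not Camerfirma's code). Assumes each source has already been
exported to the flat records below; all sample data is constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from enum import Enum
from typing import List, Optional


class DbStatus(Enum):
    VALID = "valid"
    SUSPENDED = "suspended"   # on hold (certificateHold); may be reactivated later
    REVOKED = "revoked"       # permanent


@dataclass(frozen=True)
class DbRecord:
    """One issued certificate as the PKI database (source of truth) sees it."""
    serial: int
    status: DbStatus
    status_time: Optional[datetime] = None   # when the current status was set
    reason: Optional[str] = None             # CRLReason name when not VALID


@dataclass(frozen=True)
class CrlEntry:
    serial: int
    revocation_date: datetime
    reason: Optional[str]


@dataclass(frozen=True)
class OcspStatus:
    """What the responder answered when polled for one serial."""
    serial: int
    status: str                              # "good" | "revoked" | "unknown"
    revocation_time: Optional[datetime] = None
    reason: Optional[str] = None


@dataclass(frozen=True)
class Finding:
    serial: int
    code: str
    detail: str


def reconcile(db: List[DbRecord], crl: List[CrlEntry],
              ocsp: List[OcspStatus]) -> List[Finding]:
    """Report every serial whose CRL or OCSP view disagrees with the database."""
    crl_by = {e.serial: e for e in crl}
    ocsp_by = {o.serial: o for o in ocsp}
    findings: List[Finding] = []

    for rec in db:
        c = crl_by.get(rec.serial)
        o = ocsp_by.get(rec.serial)
        if rec.status is DbStatus.VALID:
            # A valid certificate must be absent from the CRL and "good" at OCSP.
            if c is not None:
                findings.append(Finding(rec.serial, "CRL_STALE_REVOKED",
                                        "valid in DB but still listed in CRL"))
            if o is None or o.status == "unknown":
                # The trigger that pushes new issuance to OCSP never fired.
                findings.append(Finding(rec.serial, "OCSP_UNKNOWN",
                                        "issued certificate not known to OCSP"))
            elif o.status == "revoked":
                # Typical after a hold is lifted: DB reactivated, OCSP not updated.
                findings.append(Finding(rec.serial, "OCSP_STALE_REVOKED",
                                        "valid in DB but OCSP still says revoked"))
        else:
            # SUSPENDED or REVOKED: both services must say revoked, with the
            # same reason and time, or relying parties see different truths.
            if c is None:
                findings.append(Finding(rec.serial, "CRL_MISSING",
                                        f"{rec.status.value} in DB but absent from CRL"))
            elif (c.reason, c.revocation_date) != (rec.reason, rec.status_time):
                findings.append(Finding(rec.serial, "CRL_FIELD_MISMATCH",
                                        "CRL reason/date differ from DB"))
            if o is None or o.status != "revoked":
                # The dangerous direction: OCSP-only clients keep accepting it.
                findings.append(Finding(rec.serial, "OCSP_STALE_GOOD",
                                        f"{rec.status.value} in DB but OCSP not revoked"))
            elif (o.reason, o.revocation_time) != (rec.reason, rec.status_time):
                findings.append(Finding(rec.serial, "OCSP_FIELD_MISMATCH",
                                        "OCSP reason/time differ from DB"))

    # Serials the services know but the database does not: a CRL entry, or a
    # definite OCSP answer, for something the CA never issued or lost track of.
    known = {rec.serial for rec in db}
    for serial in sorted((set(crl_by) | set(ocsp_by)) - known):
        o = ocsp_by.get(serial)
        if serial in crl_by or (o is not None and o.status != "unknown"):
            findings.append(Finding(serial, "ORPHAN",
                                    "present in CRL/OCSP but not in PKI DB"))
    return findings


# Constructed sample exports: 1001/1002 consistent, the rest one drift each.
T0 = datetime(2018, 8, 1, 10, 0, tzinfo=timezone.utc)
SAMPLE_DB = [
    DbRecord(1001, DbStatus.VALID),
    DbRecord(1002, DbStatus.REVOKED, T0, "keyCompromise"),
    DbRecord(1003, DbStatus.REVOKED, T0, "superseded"),        # OCSP missed the revoke
    DbRecord(1004, DbStatus.VALID),                            # hold lifted, OCSP stale
    DbRecord(1005, DbStatus.SUSPENDED, T0, "certificateHold"), # hold never reached CRL
    DbRecord(1006, DbStatus.VALID),                            # issuance never reached OCSP
]
SAMPLE_CRL = [
    CrlEntry(1002, T0, "keyCompromise"),
    CrlEntry(1003, T0, "superseded"),
    CrlEntry(1007, T0, "cessationOfOperation"),                # not in the PKI DB at all
]
SAMPLE_OCSP = [
    OcspStatus(1001, "good"),
    OcspStatus(1002, "revoked", T0, "keyCompromise"),
    OcspStatus(1003, "good"),
    OcspStatus(1004, "revoked", T0, "certificateHold"),
    OcspStatus(1005, "revoked", T0, "certificateHold"),
    OcspStatus(1006, "unknown"),
]


def sample_findings() -> List[Finding]:
    return reconcile(SAMPLE_DB, SAMPLE_CRL, SAMPLE_OCSP)


if __name__ == "__main__":
    for f in sample_findings():
        print(f"{f.serial}\t{f.code}\t{f.detail}")
```

Run periodically against fresh exports (the weekly-to-monthly reports in the timeline above would be the natural place), and treat any OCSP_STALE_GOOD as an incident rather than a statistic: until the responder is corrected, the certificate is effectively unrevoked for most browsers. Comparing reason and time as well as the bare status catches the subtler case where both services say "revoked" but a lifted-and-reapplied hold left different timestamps.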


Wayne Thayer

Sep 4, 2018, 6:13:58 PM9/4/18
to Ramiro Muñoz Muñoz, mozilla-dev-security-policy
Thank you for this response Ramiro. I have copied this to the bug [1] and
have described Mozilla's expectations for point-in-time audits that confirm
that these issues have been resolved.

[1] https://bugzilla.mozilla.org/show_bug.cgi?id=1478933

Wayne Thayer

Sep 26, 2018, 6:38:25 PM9/26/18
to Ramiro Muñoz Muñoz, mozilla-dev-security-policy
Hello Ramiro,

Will you please provide an update on the remediation steps described
above, and timing for the point-in-time audit that will confirm that these
problems have been fixed?

Ramiro Muñoz

Sep 27, 2018, 3:42:46 AM9/27/18
to Wayne Thayer, Ramiro Muñoz Muñoz, mozilla-dev-security-policy
Hi Wayne

All problems have already been resolved on our side and we are waiting for the
PIT audit planned for next week.
We will be able to provide the PIT report before October 31st.

Best regards
Ramiro Muñoz Muñoz
AC Camerfirma SA.
CTO, Exploitation Manager, CISA.
+34 619 746 291 · ram...@camerfirma.com.
https://www.linkedin.com/in/ramirom.
________________________________________
This message, and if applicable, any file attached to it, may contain
CONFIDENTIAL information for the exclusive use of the recipient; its
disclosure, copying or distribution to third parties is prohibited. If you have
received this message in error, please notify the sender and delete it.
In accordance with the provisions of EU Regulation 2016/679 of April 27,
2016 (General Data Protection Regulation), you are informed that the company AC
CAMERFIRMA, S.A. will process the information you provide us with the sole
purpose of complying with the obligations derived from the commercial or
contractual relationship with you, and that your data will not be subject to
any other processing or transfer to third parties except where there is a
legal obligation.
You have the right to obtain confirmation about the processing of your personal
data, and to exercise your rights of access, rectification, deletion,
limitation and portability, by contacting AC CAMERFIRMA, S.A. by written
communication sent to the address C/ Ribera del Loira 12 (28042) Madrid, or
to the legal address juri...@camerfirma.com or through the website
http://webcrm.camerfirma.com/incidencias/incidencias.php



Wayne Thayer

Oct 31, 2018, 6:39:04 PM10/31/18
to mozilla-dev-security-policy, Ramiro Muñoz Muñoz, Ramiro Muñoz
Camerfirma has delivered point-in-time audits as required by Mozilla in
response to the annual audit statements we received in July containing
multiple qualifications. The new audit statements along with the history of
this issue can be found at
https://bugzilla.mozilla.org/show_bug.cgi?id=1478933

In my opinion, Camerfirma has completed their remediation of this issue.
Please comment here or in the bug if you have any concerns.

- Wayne
