CA/Auditor Compliance

From MozillaWiki

Auditor Compliance

CA Audits play a crucial role in the Web PKI. The WebTrust and ETSI CA audit standards provide criteria and auditor guidance aimed at delivering consistent audit results. But much is still up to the subject matter expertise, diligence, and trustworthiness of the individuals performing the audit, and of the local office of the audit firm that is performing the audit.


Auditors are not themselves audited in a public way that allows for a relatively easy assessment of their performance. As is often the case with CAs, individual issues in which an auditor failed to identify or report a problem can become significant when a pattern develops over time. In order to better track these patterns of concerning auditor actions, Mozilla has begun to create auditor compliance bugs when issues are discovered.


Mozilla does not currently have an “Auditor Policy” that places certain Mozilla-specific requirements on auditors that we accept. Auditors are encouraged but not required to create Bugzilla accounts and respond to their compliance bugs, and to participate in relevant discussions on the mozilla.dev.security.policy mailing list. Mozilla recognizes the unfortunate fact that some audit firms strictly control their employees’ participation in public forums. Unlike CA compliance bugs, auditor compliance bugs may be closed without ever receiving a public response from the auditor.

Disqualified Auditors

Mozilla reserves the right to refuse audits from otherwise qualified auditors - either entire audit firms or specific offices/regions. Mozilla currently refuses audits from:

Open Auditor Compliance Bugs

An auditor compliance bug relates to a concern about an auditor failing to properly detect and report on CA compliance issues that occurred during one or more periods when the CA was audited.

Anyone may create an auditor compliance bug as follows:

ID      | Summary                                                                    | Status | Assigned to           | Whiteboard           | Last change time
--------|----------------------------------------------------------------------------|--------|-----------------------|----------------------|---------------------
1507376 | TÜViT: Issues with T-Systems Audits                                        | NEW    | Matthias Wiedenhorst  | [auditor-compliance] | 2019-01-10T17:57:03Z
1525082 | Ernst & Young Poland: KIR OCSP "unknown" status for revoked certificate    | NEW    | Wayne Thayer [:wayne] | [auditor-compliance] | 2019-02-04T19:17:43Z

2 Total; 2 Open (100%); 0 Resolved (0%); 0 Verified (0%);


Closed Auditor Compliance Bugs

ID      | Summary                                                                    | Status   | Assigned to           | Whiteboard           | Last change time
--------|----------------------------------------------------------------------------|----------|-----------------------|----------------------|---------------------
1525412 | Ernst & Young Hong Kong: Wosign audit issues                               | RESOLVED | Wayne Thayer [:wayne] | [auditor-compliance] | 2019-02-05T21:30:15Z
1525423 | Ernst & Young Israel: Startcom incident                                    | RESOLVED | Wayne Thayer [:wayne] | [auditor-compliance] | 2019-02-05T21:55:03Z
1525441 | Ernst & Young (Hanyoung) Korea: CrossCert & Korea GPKI audit concerns      | RESOLVED | Wayne Thayer [:wayne] | [auditor-compliance] | 2019-02-05T22:32:42Z
1525443 | KPMG Korea: Korea GPKI audit concerns                                      | RESOLVED | Wayne Thayer [:wayne] | [auditor-compliance] | 2019-03-22T22:55:56Z
1525446 | Ernst & Young New York: Comodo audit issues                                | RESOLVED | Wayne Thayer [:wayne] | [auditor-compliance] | 2019-02-11T14:48:13Z

5 Total; 0 Open (0%); 5 Resolved (100%); 0 Verified (0%);