CA Audits play a crucial role in the Web PKI. The WebTrust and ETSI CA audit standards provide criteria and auditor guidance aimed at delivering consistent audit results. But much is still up to the subject matter expertise, diligence, and trustworthiness of the individuals performing the audit, and of the local office of the audit firm that is performing the audit.
Auditors are not themselves audited in a public way that allows for a relatively easy assessment of their performance. As is often the case with CAs, individual issues in which an auditor failed to identify or report a problem can become significant when a pattern develops over time. In order to better track these patterns of concerning auditor actions, Mozilla has begun to create auditor compliance bugs when issues are discovered.
Mozilla does not currently have an “Auditor Policy” that places certain Mozilla-specific requirements on auditors that we accept. Auditors are encouraged but not required to create Bugzilla accounts and respond to their compliance bugs, and to participate in relevant discussions on the mozilla.dev.security.policy mailing list. Mozilla recognizes the unfortunate fact that some audit firms strictly control their employees’ participation in public forums. Unlike CA compliance bugs, auditor compliance bugs may be closed without ever receiving a public response from the auditor.
Mozilla reserves the right to refuse audits from otherwise qualified auditors, either entire audit firms or specific offices/regions. Mozilla currently refuses audits from:
- Ernst & Young Hong Kong: this was part of the Wosign remediation plan.
Open Auditor Compliance Bugs
An auditor compliance bug relates to a concern about an auditor failing to properly detect and report on CA compliance issues that occurred during one or more periods when the CA was audited.
Anyone may create an auditor compliance bug as follows:
- Whiteboard = [auditor-compliance]
0 Total; 0 Open (0%); 0 Resolved (0%); 0 Verified (0%);
Closed Auditor Compliance Bugs
| ID | Summary | Status | Assigned to | Whiteboard | Last change time |
| --- | --- | --- | --- | --- | --- |
| 1507376 | TÜViT: Issues with T-Systems Audits | RESOLVED | Matthias Wiedenhorst | [auditor-compliance] | 2020-05-06T19:44:30Z |
| 1525082 | Ernst & Young Poland: KIR OCSP "unknown" status for revoked certificate | RESOLVED | Ben Wilson | [auditor-compliance] | 2020-05-08T17:37:52Z |
| 1525412 | Ernst & Young Hong Kong: Wosign audit issues | RESOLVED | Wayne Thayer | [auditor-compliance] | 2019-02-05T21:30:15Z |
| 1525423 | Ernst & Young Israel: Startcom incident | RESOLVED | Wayne Thayer | [auditor-compliance] | 2019-02-05T21:55:03Z |
| 1525441 | Ernst & Young (Hanyoung) Korea: CrossCert & Korea GPKI audit concerns | RESOLVED | Wayne Thayer | [auditor-compliance] | 2019-02-05T22:32:42Z |
| 1525443 | KPMG Korea: Korea GPKI audit concerns | RESOLVED | Wayne Thayer | [auditor-compliance] | 2019-03-22T22:55:56Z |
| 1525446 | Ernst & Young New York: Comodo audit issues | RESOLVED | Wayne Thayer | [auditor-compliance] | 2020-07-28T12:09:41Z |
| 1582596 | Ernst & Young Virginia: Audit issues | RESOLVED | Ben Wilson | [auditor-compliance] | 2020-05-06T19:42:57Z |
| 1662533 | QSCert: Insufficient Evidence of Auditor Qualifications. | RESOLVED | Peter Miskovic | [auditor-compliance] | 2020-09-30T18:59:56Z |
9 Total; 0 Open (0%); 9 Resolved (100%); 0 Verified (0%);