Frank Hecker wrote:
> I am currently working with SECOM Trust to determine the status of the
> reports for Security Communication EV RootCA1, which is the new EV root
> that SECOM Trust is requesting to be included (per bug 394419). I will
> post more information as I have it.

OK, I now have more information. SECOM Trust has provided me copies of
their current WebTrust for CAs audit report and WebTrust EV audit report
for Security Communication EV Root CA1. (Incidentally, the delay on this
was because both Kathleen and I were having problems with
over-aggressive spam filters causing problems with our receiving email
messages from SECOM Trust. SECOM Trust actually sent us the reports some
time ago, but we didn't notice.)
Both reports are in English, are dated October 31, 2008, and cover the
period from June 9, 2007, to June 8, 2008. The auditor for both reports
is PricewaterhouseCoopers Aarata <http://www.pwcaarata.or.jp/>. The
reports are perfectly in order, with no issues noted in terms of SECOM
Trust's operation. Based on these reports, it appears that SECOM Trust
fulfills the requirements of our Mozilla policy for CAs that want to
have their roots included and EV-enabled.
Unfortunately I cannot post these reports on the public Bugzilla site.
As I understand it, the situation is that the Japanese Institute of
Certified Public Accountants (JICPA), the organization overseeing the
WebTrust program in Japan, has not yet issued guidance to Japanese
WebTrust auditors regarding how WebTrust EV reports are to be handled.
(This may be related to the fact that the WebTrust.org site does not yet
publish EV reports.) In the absence of such guidance, PWC Aarata has
asked SECOM Trust to limit dissemination of these two reports to
official representatives of vendors participating in the CA/Browser
Forum, and the reports themselves have a condition to that effect.
As far as I am concerned there is nothing whatsoever in these reports
that is sensitive information, that is embarrassing to SECOM Trust or
PWC Aarata, or that is otherwise unsuitable for public view. The reports
are similar to (and to a large extent word-for-word identical to) other
WebTrust for CAs reports or WebTrust EV reports that we've seen for
other CAs. I personally think that JICPA and/or PWC Aarata are being
overly cautious with regard to dissemination of these reports [1], and I
encourage them to change their policies.
Normally we require audit reports to be public, in accordance with our
Mozilla CA certificate policy. However, I've made an exception to this
requirement at least once in the past, and I'm going to make an
exception again in this case. SECOM Trust did not cause this situation,
and I am not going to penalize them for it. I am personally vouching for
the contents of these reports, and I'd be glad to have Kathleen Wilson
and/or Gen Kanai of Mozilla Japan (who also have copies of the reports)
do so as well.
However, since we received the reports from SECOM Trust and not from PWC
Aarata, we do need to verify that they are indeed genuine reports, just
as we have done for other WebTrust reports that were published on the
WebTrust.org site. Kathleen will be working with Gen to do that final
verification.
I'm going to be making a decision on SECOM Trust's request before the
end of the day on Friday, December 12. However, because of the mix-up
over the audit reports and the need to do verification of their
genuineness, it's likely that I'll just make a preliminary decision and
postpone a final decision until sometime next week.
Frank
[1] I also think that the people running the WebTrust program may come
in for some blame here. It is now over a year since the WebTrust EV
criteria were finalized and WebTrust-authorized auditors have been doing
WebTrust EV audits, and apparently there are still no procedures to get
EV reports published at the WebTrust.org web site. (At least, I've never
seen an EV report at webtrust.org.) If I recall correctly, one goal of
the EV guidelines and the associated WebTrust EV criteria was to
increase confidence in CAs and the SSL certificates they issue. In my
opinion that goal is not furthered (to put it mildly) if WebTrust EV
reports are treated as semi-private documents that are not generally
available to the public at large.
--
Frank Hecker
hec...@mozillafoundation.org
_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto