April 2017 CA Communication

ACTION 5: AUDIT STATEMENT CONTENTS

All audit statements or audit transmittal letters submitted to Mozilla MUST be public-facing (not confidential), provided in English, and must include:

+ Name of the company being audited
+ Name and address of the organization performing the audit
+ Audit period start and end dates -- An audit period is the period of time of CA operations that were examined by the auditor. Audit Periods must not exceed one year in length, and must be contiguous.
+ Audit statement date, which must be within 90 days of the audit period end date
+ Audit criteria (including version number) that were used
+ CA policy documents (with version numbers) referenced during the audit
+ Distinguished name (Certificate Subject Field) and SHA1 or SHA256 fingerprint of each certificate issuer covered by the audit scope
+ Clear indication of which in-scope certificate issuers are self-signed.
+ The word "clean" must be included in audit statements for which no problems were noted.
+ For ETSI - the attestation should additionally state if the audit was a full audit, and must indicate which parts of the criteria applied (e.g. DVCP, OVCP, PTC-BR, NCP, NCP+, LCP, EVCP, EVCP+, QCP-w, Part1 (General Requirements), Part 2 (Requirements for trust services Providers issuing EU qualified certificates)).

It is the CA's responsibility to communicate these requirements to their auditors.

ACTION 5 COMMENTS

CA Owner Response Response
AC Camerfirma, S.A. Check here to confirm understanding of the above listed requirements for audit statements, and that the CA is responsible for ensuring that their auditors include this information correctly in their audit statements or audit transmittal letters.
Actalis Check here to confirm understanding of the above listed requirements for audit statements, and that the CA is responsible for ensuring that their auditors include this information correctly in their audit statements or audit transmittal letters. An audit, regardless of its being based on WebTrust or ETSI criteria, cannot always be a "full audit" as required above. The BRs, in fact, require a point-in-time readiness assessment for new CAs that have not started to issue certificates yet, followed by a full audit within 90 days from start of operations.
Amazon Trust Services Check here to confirm understanding of the above listed requirements for audit statements, and that the CA is responsible for ensuring that their auditors include this information correctly in their audit statements or audit transmittal letters. The current WebTrust illustrative reports do not include the word "clean". We hope Mozilla will work with the WebTrust Task Force to find mutually agreeable language.
Asseco Data Systems S.A. (previously Unizeto Certum) Check here to confirm understanding of the above listed requirements for audit statements, and that the CA is responsible for ensuring that their auditors include this information correctly in their audit statements or audit transmittal letters.
Atos Check here to confirm understanding of the above listed requirements for audit statements, and that the CA is responsible for ensuring that their auditors include this information correctly in their audit statements or audit transmittal letters.
Autoridad de Certificacion Firmaprofesional Check here to confirm understanding of the above listed requirements for audit statements, and that the CA is responsible for ensuring that their auditors include this information correctly in their audit statements or audit transmittal letters.
Buypass Check here to confirm understanding of the above listed requirements for audit statements, and that the CA is responsible for ensuring that their auditors include this information correctly in their audit statements or audit transmittal letters. We have discussed this with our auditors and they don't use terms like 'clean' or 'qualified' in their audit statement. They don't issue an audit statement in case of problems and the scope section of the audit statement provides all information.
Certicámara Check here to confirm understanding of the above listed requirements for audit statements, and that the CA is responsible for ensuring that their auditors include this information correctly in their audit statements or audit transmittal letters.
Certinomis / Docapost Check here to confirm understanding of the above listed requirements for audit statements, and that the CA is responsible for ensuring that their auditors include this information correctly in their audit statements or audit transmittal letters.
China Financial Certification Authority (CFCA) Check here to confirm understanding of the above listed requirements for audit statements, and that the CA is responsible for ensuring that their auditors include this information correctly in their audit statements or audit transmittal letters.
Chunghwa Telecom Check here to confirm understanding of the above listed requirements for audit statements, and that the CA is responsible for ensuring that their auditors include this information correctly in their audit statements or audit transmittal letters. We have informed our auditor.
ComSign Check here to confirm understanding of the above listed requirements for audit statements, and that the CA is responsible for ensuring that their auditors include this information correctly in their audit statements or audit transmittal letters.
Consorci Administració Oberta de Catalunya (Consorci AOC, CATCert) Check here to confirm understanding of the above listed requirements for audit statements, and that the CA is responsible for ensuring that their auditors include this information correctly in their audit statements or audit transmittal letters.
Cybertrust Japan / JCSI Check here to confirm understanding of the above listed requirements for audit statements, and that the CA is responsible for ensuring that their auditors include this information correctly in their audit statements or audit transmittal letters.
D-TRUST Check here to confirm understanding of the above listed requirements for audit statements, and that the CA is responsible for ensuring that their auditors include this information correctly in their audit statements or audit transmittal letters.
Deutscher Sparkassen Verlag GmbH (S-TRUST, DSV-Gruppe) Check here to confirm understanding of the above listed requirements for audit statements, and that the CA is responsible for ensuring that their auditors include this information correctly in their audit statements or audit transmittal letters. I will get back to you with details on how and where DSV publishes Audit Statements.
Dhimyotis / Certigna Check here to confirm understanding of the above listed requirements for audit statements, and that the CA is responsible for ensuring that their auditors include this information correctly in their audit statements or audit transmittal letters.
DigiCert Check here to confirm understanding of the above listed requirements for audit statements, and that the CA is responsible for ensuring that their auditors include this information correctly in their audit statements or audit transmittal letters.
Disig, a.s. Check here to confirm understanding of the above listed requirements for audit statements, and that the CA is responsible for ensuring that their auditors include this information correctly in their audit statements or audit transmittal letters.
DocuSign (OpenTrust/Keynectis) Check here to confirm understanding of the above listed requirements for audit statements, and that the CA is responsible for ensuring that their auditors include this information correctly in their audit statements or audit transmittal letters.
E-Tugra Check here to confirm understanding of the above listed requirements for audit statements, and that the CA is responsible for ensuring that their auditors include this information correctly in their audit statements or audit transmittal letters.
EDICOM Check here to confirm understanding of the above listed requirements for audit statements, and that the CA is responsible for ensuring that their auditors include this information correctly in their audit statements or audit transmittal letters.
Entrust Check here to confirm understanding of the above listed requirements for audit statements, and that the CA is responsible for ensuring that their auditors include this information correctly in their audit statements or audit transmittal letters.
Global Digital Cybersecurity Authority Co., Ltd. (Formerly Guang Dong Certificate Authority (GDCA)) Check here to confirm understanding of the above listed requirements for audit statements, and that the CA is responsible for ensuring that their auditors include this information correctly in their audit statements or audit transmittal letters.
GlobalSign Check here to confirm understanding of the above listed requirements for audit statements, and that the CA is responsible for ensuring that their auditors include this information correctly in their audit statements or audit transmittal letters. The requirements in Action 5 have already been communicated to our External Auditor.
GoDaddy Check here to confirm understanding of the above listed requirements for audit statements, and that the CA is responsible for ensuring that their auditors include this information correctly in their audit statements or audit transmittal letters. We communicated these requirements to our auditor. They expressed concern over the inclusion of the word "clean" and said they would discuss this with Mozilla.
Google Trust Services LLC (GTS) Check here to confirm understanding of the above listed requirements for audit statements, and that the CA is responsible for ensuring that their auditors include this information correctly in their audit statements or audit transmittal letters.
Government of Hong Kong (SAR), Hongkong Post, Certizen Check here to confirm understanding of the above listed requirements for audit statements, and that the CA is responsible for ensuring that their auditors include this information correctly in their audit statements or audit transmittal letters. Nil
Government of Japan, Ministry of Internal Affairs and Communications Check here to confirm understanding of the above listed requirements for audit statements, and that the CA is responsible for ensuring that their auditors include this information correctly in their audit statements or audit transmittal letters. Use this space to express concern, ask questions, or qualify your response to ACTION 5. There is no particular comment.
Government of Spain, Autoritat de Certificació de la Comunitat Valenciana (ACCV) Check here to confirm understanding of the above listed requirements for audit statements, and that the CA is responsible for ensuring that their auditors include this information correctly in their audit statements or audit transmittal letters.
Government of Spain, Fábrica Nacional de Moneda y Timbre (FNMT) Check here to confirm understanding of the above listed requirements for audit statements, and that the CA is responsible for ensuring that their auditors include this information correctly in their audit statements or audit transmittal letters. We will communicate these requirements to our auditor in order to guarantee future audit statements meet them.
Government of Taiwan, Government Root Certification Authority (GRCA) Check here to confirm understanding of the above listed requirements for audit statements, and that the CA is responsible for ensuring that their auditors include this information correctly in their audit statements or audit transmittal letters. We have informed our auditor.
Government of The Netherlands, PKIoverheid (Logius) Check here to confirm understanding of the above listed requirements for audit statements, and that the CA is responsible for ensuring that their auditors include this information correctly in their audit statements or audit transmittal letters. We contacted our auditor. They’ve stated that all the required items are already listed in the currently issued audit statements. However, the terms “clean” or “qualified” are not used in the certification system (for ETSI) that is employed for our issuing CAs (Trusted Service Providers). There is no such thing as a “qualified” audit for ETSI (the use of “qualified” means a completely different thing in ETSI terminology and could be very confusing if used as required here). Audit statements for ETSI are only issued if the auditor has found no major non-conformities, otherwise no audit statement is issued.
Government of Turkey, Kamu Sertifikasyon Merkezi (Kamu SM) Check here to confirm understanding of the above listed requirements for audit statements, and that the CA is responsible for ensuring that their auditors include this information correctly in their audit statements or audit transmittal letters. Our current audit report does not have the following items: + CA policy documents (with version numbers) referenced during the audit + Distinguished name (Certificate Subject Field) and SHA1 or SHA256 fingerprint of each certificate issuer covered by the audit scope But, next year we will require these items to be included.
HARICA Check here to confirm understanding of the above listed requirements for audit statements, and that the CA is responsible for ensuring that their auditors include this information correctly in their audit statements or audit transmittal letters.
IdenTrust Services, LLC Check here to confirm understanding of the above listed requirements for audit statements, and that the CA is responsible for ensuring that their auditors include this information correctly in their audit statements or audit transmittal letters.
Internet Security Research Group (ISRG) Check here to confirm understanding of the above listed requirements for audit statements, and that the CA is responsible for ensuring that their auditors include this information correctly in their audit statements or audit transmittal letters.
Izenpe S.A. Check here to confirm understanding of the above listed requirements for audit statements, and that the CA is responsible for ensuring that their auditors include this information correctly in their audit statements or audit transmittal letters.
Krajowa Izba Rozliczeniowa S.A. (KIR) Check here to confirm understanding of the above listed requirements for audit statements, and that the CA is responsible for ensuring that their auditors include this information correctly in their audit statements or audit transmittal letters.
LuxTrust Check here to confirm understanding of the above listed requirements for audit statements, and that the CA is responsible for ensuring that their auditors include this information correctly in their audit statements or audit transmittal letters.
Microsec Ltd. Check here to confirm understanding of the above listed requirements for audit statements, and that the CA is responsible for ensuring that their auditors include this information correctly in their audit statements or audit transmittal letters.
NetLock Ltd. Check here to confirm understanding of the above listed requirements for audit statements, and that the CA is responsible for ensuring that their auditors include this information correctly in their audit statements or audit transmittal letters.
OISTE Check here to confirm understanding of the above listed requirements for audit statements, and that the CA is responsible for ensuring that their auditors include this information correctly in their audit statements or audit transmittal letters. This has been communicated to the auditors
PROCERT Check here to confirm understanding of the above listed requirements for audit statements, and that the CA is responsible for ensuring that their auditors include this information correctly in their audit statements or audit transmittal letters.
QuoVadis Check here to confirm understanding of the above listed requirements for audit statements, and that the CA is responsible for ensuring that their auditors include this information correctly in their audit statements or audit transmittal letters. Auditors generally will not use terms like 'clean' or 'qualified' in their audit statement. WebTrust has standardised templates for audit statements and this requirement would need to be addressed by the WebTrust CA Task Force.
SECOM Trust Systems CO., LTD. Check here to confirm understanding of the above listed requirements for audit statements, and that the CA is responsible for ensuring that their auditors include this information correctly in their audit statements or audit transmittal letters.
SK ID Solutions AS Check here to confirm understanding of the above listed requirements for audit statements, and that the CA is responsible for ensuring that their auditors include this information correctly in their audit statements or audit transmittal letters.
Sectigo Check here to confirm understanding of the above listed requirements for audit statements, and that the CA is responsible for ensuring that their auditors include this information correctly in their audit statements or audit transmittal letters.
SecureTrust Check here to confirm understanding of the above listed requirements for audit statements, and that the CA is responsible for ensuring that their auditors include this information correctly in their audit statements or audit transmittal letters.
Start Commercial (StartCom) Ltd. Check here to confirm understanding of the above listed requirements for audit statements, and that the CA is responsible for ensuring that their auditors include this information correctly in their audit statements or audit transmittal letters.
SwissSign AG Check here to confirm understanding of the above listed requirements for audit statements, and that the CA is responsible for ensuring that their auditors include this information correctly in their audit statements or audit transmittal letters.
Swisscom (Switzerland) Ltd Check here to confirm understanding of the above listed requirements for audit statements, and that the CA is responsible for ensuring that their auditors include this information correctly in their audit statements or audit transmittal letters.
Symantec Check here to confirm understanding of the above listed requirements for audit statements, and that the CA is responsible for ensuring that their auditors include this information correctly in their audit statements or audit transmittal letters. We confirm our understanding. However, we may not be able to provide English translations of all documents by June 1, 2017.
T-Systems International GmbH (Deutsche Telekom) Check here to confirm understanding of the above listed requirements for audit statements, and that the CA is responsible for ensuring that their auditors include this information correctly in their audit statements or audit transmittal letters.
Taiwan-CA Inc. (TWCA) Check here to confirm understanding of the above listed requirements for audit statements, and that the CA is responsible for ensuring that their auditors include this information correctly in their audit statements or audit transmittal letters.
Telia Company (formerly TeliaSonera) Check here to confirm understanding of the above listed requirements for audit statements, and that the CA is responsible for ensuring that their auditors include this information correctly in their audit statements or audit transmittal letters.
Trustis Check here to confirm understanding of the above listed requirements for audit statements, and that the CA is responsible for ensuring that their auditors include this information correctly in their audit statements or audit transmittal letters. Our latest Audit Statement was already in preparation when the additional contents requirements were passed to the Auditor, so it was not possible to meet the current contents requirements. Auditors have been requested to provide a replacement Audit Statement with the required information ASAP.
TurkTrust Check here to confirm understanding of the above listed requirements for audit statements, and that the CA is responsible for ensuring that their auditors include this information correctly in their audit statements or audit transmittal letters.
Visa Check here to confirm understanding of the above listed requirements for audit statements, and that the CA is responsible for ensuring that their auditors include this information correctly in their audit statements or audit transmittal letters. The WebTrust CA Task Force, which our auditing firm is a member of, does not currently provide an audit statement and/or transmittal letter in which the word “clean” is included for which no problems were noted. This is an item that will require resolution within the WebTrust CA Task Force in order to adopt and adhere to this requirement.
Web.com Check here to confirm understanding of the above listed requirements for audit statements, and that the CA is responsible for ensuring that their auditors include this information correctly in their audit statements or audit transmittal letters.
WoSign CA Limited Check here to confirm understanding of the above listed requirements for audit statements, and that the CA is responsible for ensuring that their auditors include this information correctly in their audit statements or audit transmittal letters.
certSIGN Check here to confirm understanding of the above listed requirements for audit statements, and that the CA is responsible for ensuring that their auditors include this information correctly in their audit statements or audit transmittal letters.