← SwissSign AG cases
Bugzilla #1374381
Policy Compliance
SwissSign: BRs require full annual audits
RESOLVED
FIXED
SwissSign AG
AI Summary
The case addresses SwissSign AG's compliance with Mozilla's Baseline Requirements (BRs) for annual audits. SwissSign submitted an audit statement that raised concerns regarding its adequacy, particularly regarding the terminology used and the scope of the audit. Issues included the use of 'point-in-time' audits, which do not meet the BRs' requirement for full annual audits. After discussions, SwissSign provided updated audit statements, but complications arose regarding the coverage of all included roots. The case was ultimately resolved with the acceptance of the updated audits, although concerns about continuity and compliance with Mozilla's policies were highlighted.
Chronology
- Initial audit statement submitted by SwissSign.
- SwissSign responds to concerns about audit terminology.
- New audit reports submitted for review.
- Bug reopened due to concerns about audit compliance.
Participants
Kathleen Wilson
Reinhard Dietrich
Cornelia Enke
Ryan Sleevi
Wayne Thayer
Gervase Markham
External References
Similar Local Cases
SwissSign: Non-BR-Compliant Certificate Issuance
PKIoverheid: No BR Audit for Intermediate CAs technically capable of issuing TLS certs
GoDaddy: Non-BR-Compliant Certificate Issuance
Camerfirma: Govern d'Andorra audits
Izenpe: Non-BR-Compliant Certificate Issuance
EDICOM: Signing SHA-1 OCSP responses with unconstrained certificate
SHA-1 issuance by GlobalSign root
Distrust ISRG Subordinate Certificate and Remove It Until the CA is Compliant with Mozilla Policies