Bugzilla #1843265
CCADB Compliance
PKIoverheid: Delayed audit statements for intermediate CAs
RESOLVED
FIXED
Government of The Netherlands, PKIoverheid (Logius)
AI Summary
The PKIoverheid CA experienced delays in obtaining audit statements for several intermediate CAs due to the transition to a new delivery platform by DigiCert and QuoVadis. This situation arose as the new CAs were not included in the upcoming annual audit, which could violate Mozilla's Root Policy. The CA has since communicated with Mozilla and is actively working on remediation actions, including updating incident handling procedures and ensuring compliance with audit requirements. The audit for the new platform is expected to conclude by the end of the year.
Chronology
- DigiCert + QuoVadis contacted Logius to arrange signing new issuing CAs.
- Signing of new DigiCert + QuoVadis TSP CAs.
- Logius notices not all valid CAs are in scope for the planned audit.
- Logius files a Bugzilla report regarding the audit delay.
- Logius receives the audit statement from DigiCert + QuoVadis.
Participants
Jochem van den Berge
Mathew Hodson
David Weissenberg
Ben Wilson
Similar Local Cases
SECOM: Intermediate CA Certificates Missing from Audit Reports
DigiCert: Non-audited, non-technically-constrained intermediate certificates
Chunghwa Telecom: Failure to Submit Annual CCADB Self-Assessment 2023 by GTLSCA.
TWCA: Intermediate CA Certificate Missing from Audit Reports
Sectigo: CCADB failed ALV - Ensured Root CA
DigiCert: Intermediate Cert(s) not disclosed in CCADB
DigiCert: Missing audits for Intermediate certificates
Consorci AOC: Qualified audit statements