On Fri, Sep 23, 2016 at 10:46 AM, Eddy Nigg <eddy_n...@startcom.org> wrote:
> On 09/23/2016 05:53 AM, Peter Bowen wrote:
>>
>> Review of StartCom audit reports
>> for the period 1 January 2015 to 31 December 2015
>>
>> Good:
>> - Uses AICPA standards
>> - Uses current criteria versions
>>
>> Bad:
>> - Only covers two roots, not subordinate CAs (true for all three
>> reports: CA, BR, and EV)
>> - Does not provide assurance that subordinate CA certificate requests
>> are accurate, authenticated, and approved
>> - Does not provide assurance that it meets the Network and Certificate
>> System Security Requirements as set forth by the CA/Browser Forum
>
> Speaking only for StartCom here, as far as I know and as per auditing
> standards, all intermediate CAs are audited (no external intermediates
> existed).
>
> As to network security, I believe this is part of the Baseline Requirements
> audit. But if necessary I can ask our auditors and also WebTrust directly if
> there is really something missing. I assume that all is included, covered
> and implied, but should a mistake have happened in the statements made by
> the auditors I'm sure we can get a corrected statement or explanation.

I'm super happy that this was all checked.  I know other auditors have
re-issued opinion letters when they missed things unintentionally.
Maybe you could ask EY to reissue to include the list of SubCAs and
the full coverage.  I noticed EY Israel got added back to the WebTrust
site, after being unintentionally dropped during the update to remove
non-CA auditors, so that should also enable posting it to the seal
archive.

One other question on your report:  It says the services were provided
at Eilat, Israel during the period Jan 1, 2015 to Dec 31, 2015.
Richard said in an email a few hours ago that the StartCom validation
team was also in the UK.  Did that team not spin up until January 2016
or later?

Thanks,
Peter
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy