As hinted at in my earlier email about what is expected in audit reports, I've been looking at WebTrust audit reports from many CAs in the Mozilla program and those applying to be in the program.
Since there has been lots of discussion about WoSign and StartCom recently, I took a look at their latest reports. I thought others might be interested in the result.

Thanks,
Peter

Review of WoSign audit reports for the period 1 January 2015 to 31 December 2015

Good:
- Uses AICPA standards
- Uses current criteria versions

Bad:
- Only covers three roots, not subordinate CAs (true for all three reports: CA, BR, and EV)
- Does not provide assurance that subordinate CA certificate requests are accurate, authenticated, and approved

Really Bad:
- Includes 'emphasis of matters' which show failures of controls but still claims to be an unqualified opinion
- The EV opinion does not note that some of the EV certificates using a SHA-1 hash in the signature have expiration dates after 2016-12-31

Review of StartCom audit reports for the period 1 January 2015 to 31 December 2015

Good:
- Uses AICPA standards
- Uses current criteria versions

Bad:
- Only covers two roots, not subordinate CAs (true for all three reports: CA, BR, and EV)
- Does not provide assurance that subordinate CA certificate requests are accurate, authenticated, and approved
- Does not provide assurance that it meets the Network and Certificate System Security Requirements as set forth by the CA/Browser Forum

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy