Thanks for your hard work. I wish you could finish checking all the other CAs' 
reports ASAP.

For WoSign, the report covered all 4 roots, not 3 roots.

For StartCom, Eddy can say something about it; StartCom was 1000% independent 
for everything in 2015.


Best Regards,

Richard

-----Original Message-----
From: dev-security-policy 
[mailto:dev-security-policy-bounces+richard=wosign....@lists.mozilla.org] On 
Behalf Of Peter Bowen
Sent: Friday, September 23, 2016 10:54 AM
To: mozilla-dev-security-pol...@lists.mozilla.org 
<dev-security-policy@lists.mozilla.org>
Subject: WoSign and StartCom audit reports

As hinted at in my earlier email about what is expected in audit reports, I've 
been looking at WebTrust audit reports from many CAs in the Mozilla program and 
those applying to be in the program.

Since there has been lots of discussion about WoSign and Startcom recently, I 
took a look at their latest reports.  I thought others might be interested in 
the result.

Thanks,
Peter

Review of WoSign audit reports
for the period 1 January 2015 to 31 December 2015

Good:
- Uses AICPA standards
- Uses current criteria versions

Bad:
- Only covers three roots, not subordinate CAs (true for all three
reports: CA, BR, and EV)
- Does not provide assurance that subordinate CA certificate requests are 
accurate, authenticated, and approved

Really Bad:
- Includes 'emphasis of matters' which show failures of controls but still 
claims to be an unqualified opinion
- The EV opinion does not note that some of the EV certificates using a SHA-1 
hash in the signature have expiration dates after 2016-12-31


Review of StartCom audit reports
for the period 1 January 2015 to 31 December 2015

Good:
- Uses AICPA standards
- Uses current criteria versions

Bad:
- Only covers two roots, not subordinate CAs (true for all three
reports: CA, BR, and EV)
- Does not provide assurance that subordinate CA certificate requests are 
accurate, authenticated, and approved
- Does not provide assurance that it meets the Network and Certificate System 
Security Requirements as set forth by the CA/Browser Forum 
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
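The SHA-1 finding in Peter's review is the one item in this thread that can be checked mechanically against the issued certificates rather than against the audit paperwork. The script below is an added example written for this page, not code from the thread, from WoSign/StartCom or from Mozilla: it walks the outer DER structure of a certificate with the standard library only, reads the signatureAlgorithm OID and the notAfter date, and flags any certificate signed with a SHA-1 based algorithm that expires after 2016-12-31. It does not verify signatures or parse extensions. The sample certificates are constructed in the script itself (the issuer name, serial number and signature bytes are dummies) so that it runs offline; on real input, feed it the DER of each certificate you want to check, for instance `ssl.PEM_cert_to_DER_cert(open(path).read())` from the standard `ssl` module.

```python
"""Added example: flag SHA-1 signed certificates expiring after 2016-12-31.

Stdlib only. The DER walker decodes just enough of an X.509 certificate to
read the signature algorithm OID and the notAfter date; signatures are NOT
verified. The sample certificates at the bottom are constructed by hand with
dummy signature bytes so the script runs without network or files.
"""
import datetime

# Signature algorithms that hash with SHA-1 (names per RFC 3279 / RFC 5758).
SHA1_SIGNATURE_OIDS = {
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.10040.4.3": "dsa-with-sha1",
    "1.2.840.10045.4.1": "ecdsa-with-SHA1",
}
SHA1_SUNSET = datetime.date(2016, 12, 31)   # notAfter must not be later than this


# --- minimal DER reader ---------------------------------------------------
def der_read_tlv(buf, pos=0):
    """Return (tag, contents, next_pos) for the TLV starting at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                  # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def der_children(contents):
    """Yield (tag, contents) for every TLV nested in a constructed value."""
    pos = 0
    while pos < len(contents):
        tag, inner, pos = der_read_tlv(contents, pos)
        yield tag, inner

def der_decode_oid(contents):
    """Decode OBJECT IDENTIFIER contents (tag/length stripped) to dotted form."""
    arcs, acc = [contents[0] // 40, contents[0] % 40], 0
    for b in contents[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))

def der_decode_time(tag, contents):
    """UTCTime (0x17, YYMMDDhhmmssZ) or GeneralizedTime (0x18, YYYYMMDDhhmmssZ)."""
    text = contents.decode("ascii")
    if tag == 0x17:                                    # RFC 5280 4.1.2.5.1 pivot
        year = int(text[:2])
        text = f"{year + (1900 if year >= 50 else 2000):04d}{text[2:]}"
    return datetime.datetime.strptime(text[:14], "%Y%m%d%H%M%S").date()


def scan_certificate(der):
    """Report signature algorithm, notAfter, and whether the SHA-1 sunset is violated."""
    _, cert, _ = der_read_tlv(der)                     # Certificate ::= SEQUENCE
    fields = list(der_children(cert))
    tbs, sig_alg = fields[0][1], fields[1][1]          # tbsCertificate, signatureAlgorithm
    alg_oid = der_decode_oid(next(der_children(sig_alg))[1])
    tbs_fields = list(der_children(tbs))
    if tbs_fields[0][0] == 0xA0:                       # skip EXPLICIT [0] version
        tbs_fields = tbs_fields[1:]
    # remaining order: serialNumber, signature, issuer, validity, subject, ...
    not_before, not_after = list(der_children(tbs_fields[3][1]))
    expires = der_decode_time(*not_after)
    is_sha1 = alg_oid in SHA1_SIGNATURE_OIDS
    return {
        "signature_algorithm": SHA1_SIGNATURE_OIDS.get(alg_oid, alg_oid),
        "not_after": expires,
        "sha1": is_sha1,
        "violates_sunset": is_sha1 and expires > SHA1_SUNSET,
    }


# --- constructed sample input (dummy issuer, key and signature) -----------
def der_tlv(tag, contents):
    n = len(contents)
    if n < 0x80:
        return bytes([tag, n]) + contents
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + contents

def der_encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytes([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out += bytes(reversed(chunk))
    return der_tlv(0x06, out)

def build_sample_cert(sig_oid, not_after_utctime):
    """Structurally valid X.509 v3 certificate; the key and signature are zero bytes."""
    alg = der_tlv(0x30, der_encode_oid(sig_oid) + der_tlv(0x05, b""))
    name = der_tlv(0x30, der_tlv(0x31, der_tlv(0x30, der_encode_oid("2.5.4.3")
                                                   + der_tlv(0x0C, b"Example EV CA"))))
    validity = der_tlv(0x30, der_tlv(0x17, b"150101000000Z") + der_tlv(0x17, not_after_utctime))
    spki = der_tlv(0x30, der_tlv(0x30, der_encode_oid("1.2.840.113549.1.1.1") + der_tlv(0x05, b""))
                   + der_tlv(0x03, b"\x00" * 17))
    tbs = der_tlv(0x30, der_tlv(0xA0, der_tlv(0x02, b"\x02")) + der_tlv(0x02, b"\x01")
                  + alg + name + validity + name + spki)
    return der_tlv(0x30, tbs + alg + der_tlv(0x03, b"\x00" * 17))

if __name__ == "__main__":
    samples = [("1.2.840.113549.1.1.5", b"171231235959Z"),   # SHA-1, expires 2017: flagged
               ("1.2.840.113549.1.1.5", b"161230235959Z"),   # SHA-1, expires 2016: ok
               ("1.2.840.113549.1.1.11", b"181231235959Z")]  # SHA-256: not affected
    for oid, exp in samples:
        print(scan_certificate(build_sample_cert(oid, exp)))
```

The check is deliberately only about the two fields Peter's finding turns on, so it reports the same result whether or not the signature is valid; a certificate that is SHA-1 signed and expires after the sunset is flagged even if it was issued before 2016. Anything with an unknown signature OID is reported by its dotted OID and never flagged, so an unfamiliar algorithm shows up for manual review rather than silently passing.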