On 09/23/2016 05:53 AM, Peter Bowen wrote:
> Review of StartCom audit reports
> for the period 1 January 2015 to 31 December 2015
>
> Good:
> - Uses AICPA standards
> - Uses current criteria versions
>
> Bad:
> - Only covers two roots, not subordinate CAs (true for all three reports: CA, BR, and EV)
> - Does not provide assurance that subordinate CA certificate requests are accurate, authenticated, and approved
> - Does not provide assurance that it meets the Network and Certificate System Security Requirements as set forth by the CA/Browser Forum
Speaking only for StartCom here, as far as I know and as per auditing
standards, all intermediate CAs are audited (no external intermediates
existed).
As to network security, I believe this is part of the Baseline
Requirements audit. But if necessary I can ask our auditors and also
WebTrust directly if there is really something missing. I assume that
all is included, covered and implied, but should a mistake have happened
in the statements made by the auditors, I'm sure we can get a corrected
statement or explanation.
--
Regards
Signer: Eddy Nigg, Founder
StartCom Ltd. <http://www.startcom.org>
XMPP: start...@startcom.org <xmpp:start...@startcom.org>