On 09/23/2016 10:11 PM, Peter Bowen wrote:
> On Fri, Sep 23, 2016 at 10:46 AM, Eddy Nigg <eddy_n...@startcom.org> wrote:
> > Speaking only for StartCom here, as far as I know and as per auditing
> > standards, all intermediate CAs are audited (no external intermediates
> > existed).
> >
> > As to network security, I believe this is part of the Baseline Requirements
> > audit. But if necessary I can ask our auditors and also WebTrust directly if
> > there is really something missing. I assume that all is included, covered
> > and implied, but should a mistake have happened in the statements made by
> > the auditors I'm sure we can get a corrected statement or explanation.
>
> I'm super happy that this was all checked.  I know other auditors have
> re-issued opinion letters when they missed things unintentionally.
> Maybe you could ask EY to reissue to include the list of SubCAs and
> the full coverage.

Traditionally the intermediate CA certificates were never listed explicitly, at least in our audit reports. Intermediate CA certificates can change more frequently and I assume that's the reason for it.

I don't like to bother them unnecessarily, but should Mozilla come to the conclusion that something was indeed missing, I'll go and get it from them.

> One other question on your report:  It says the services were provided
> at Eilat, Israel during the period Jan 1, 2015 to Dec 31, 2015.
> Richard said in an email a few hours ago that the StartCom validation
> team was also in the UK.  Did that team not spin up until January 2016
> or later?

The UK team was trained and started to work much later in 2016. Besides that, some of the Israeli personnel are, to this very date, still in the UK overseeing the operation there.

But as far as the audit is concerned, this is not part of the 2015 report, that's correct.

--
Regards
Signer:         Eddy Nigg, Founder
        StartCom Ltd. <http://www.startcom.org>
XMPP:   start...@startcom.org <xmpp:start...@startcom.org>