Continuing to look through the audits, I happened to notice a few other
things that stood out, some more pressing than others.

More pressing:
I can find no disclosure with Salesforce of at least two CAs that
are listed 'in scope' of the audit report, as part of

This audit report identifies the "SureID Inc. CA2" and "SureID Inc. Device
CA2" as within scope for this audit. It would be useful to understand their
lack of disclosure, relative to the audits and to Section 5.3.2 of the
inclusion policy.

Less pressing (as it relates to e-mail):
One other question with disclosing audits: My understanding of
security-group/certs/policy/ , particularly Section 5.3.2 and Section, is that for CA certificates that are enabled for the email trust
bit, the CA, and all subordinate CAs capable of issuing e-mail
certificates, must have a WebTrust for CAs audit, and must be publicly
disclosed, is that correct?

Looking through CAs such as , which is disclosed ( ), it seems there are a substantial number of
subordinate CAs capable of issuing e-mail certificates that are not
disclosed. I thought this might be due to scaling the CCADB, but I note
that Microsoft's Trusted Root Requirements have required the same audits (
trusted-root-certificate-program-audit-requirements.aspx#A_WebTrust_Audits )
for some time. Do you or Kathleen know the status of these disclosures and
dev-security-policy mailing list