Re: WoSign and StartCom audit reports

2016-09-23 Thread Peter Bowen
On Fri, Sep 23, 2016 at 10:46 AM, Eddy Nigg  wrote:
> On 09/23/2016 05:53 AM, Peter Bowen wrote:
>>
>> Review of StartCom audit reports
>> for the period 1 January 2015 to 31 December 2015
>>
>> Good:
>> - Uses AICPA standards
>> - Uses current criteria versions
>>
>> Bad:
>> - Only covers two roots, not subordinate CAs (true for all three
>> reports: CA, BR, and EV)
>> - Does not provide assurance that subordinate CA certificate requests
>> are accurate, authenticated, and approved
>> - Does not provide assurance that it meets the Network and Certificate
>> System Security Requirements as set forth by the CA/Browser Forum
>
>
>
> Speaking only for StartCom here, as far as I know and as per auditing
> standards, all intermediate CAs are audited (no external intermediates
> existed).
>
> As to network security, I believe this is part of the Baseline Requirements
> audit. But if necessary I can ask our auditors and also WebTrust directly if
> something is really missing. I assume that all is included, covered
> and implied, but should a mistake have happened in the statements made by
> the auditors I'm sure we can get a corrected statement or explanation.

I'm super happy that this was all checked.  I know other auditors have
re-issued opinion letters when they missed things unintentionally.
Maybe you could ask EY to reissue to include the list of SubCAs and
the full coverage.  I noticed EY Israel got added back to the WebTrust
site, after being unintentionally dropped during the update to remove
non-CA auditors, so that should also enable posting it to the seal
archive.

One other question on your report:  It says the services were provided
at Eilat, Israel during the period Jan 1, 2015 to Dec 31, 2015.
Richard said in an email a few hours ago that the StartCom validation
team was also in the UK.  Did that team not spin up until January 2016
or later?

Thanks,
Peter
___
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy


Re: WoSign and StartCom audit reports

2016-09-23 Thread Eddy Nigg

On 09/23/2016 05:53 AM, Peter Bowen wrote:

> Review of StartCom audit reports
> for the period 1 January 2015 to 31 December 2015
>
> Good:
> - Uses AICPA standards
> - Uses current criteria versions
>
> Bad:
> - Only covers two roots, not subordinate CAs (true for all three
> reports: CA, BR, and EV)
> - Does not provide assurance that subordinate CA certificate requests
> are accurate, authenticated, and approved
> - Does not provide assurance that it meets the Network and Certificate
> System Security Requirements as set forth by the CA/Browser Forum

Speaking only for StartCom here, as far as I know and as per auditing 
standards, all intermediate CAs are audited (no external intermediates 
existed).


As to network security, I believe this is part of the Baseline 
Requirements audit. But if necessary I can ask our auditors and also 
WebTrust directly if something is really missing. I assume that 
all is included, covered and implied, but should a mistake have happened 
in the statements made by the auditors I'm sure we can get a corrected 
statement or explanation.


--
Regards
Signer: Eddy Nigg, Founder
StartCom Ltd. 
XMPP:   start...@startcom.org 



Re: WoSign and StartCom audit reports

2016-09-23 Thread Gervase Markham
On 23/09/16 06:35, Richard Wang wrote:
> For StartCom, Eddy can say something about it, StartCom is 1000% independent 
> for everything at 2015.

You've said this or something very similar twice now, both times saying
"at 2015". This is probably a language thing, because native English
speakers would not use "at" here.

So can I ask what you mean? Do you mean "1000% independent today", or do
you mean "it was 1000% independent in 2015 (but things may have changed
since)"?

Gerv




RE: WoSign and StartCom audit reports

2016-09-22 Thread Richard Wang
Thanks for your hard work. I hope you can finish checking all the other CAs' 
reports ASAP.

For WoSign, the report covered all 4 roots, not 3 roots.

For StartCom, Eddy can say something about it, StartCom is 1000% independent 
for everything at 2015.


Best Regards,

Richard

-Original Message-
From: dev-security-policy 
[mailto:dev-security-policy-bounces+richard=wosign@lists.mozilla.org] On 
Behalf Of Peter Bowen
Sent: Friday, September 23, 2016 10:54 AM
To: mozilla-dev-security-pol...@lists.mozilla.org 
<dev-security-policy@lists.mozilla.org>
Subject: WoSign and StartCom audit reports

As hinted at in my earlier email about what is expected in audit reports, I've 
been looking at WebTrust audit reports from many CAs in the Mozilla program and 
those applying to be in the program.

Since there has been lots of discussion about WoSign and Startcom recently, I 
took a look at their latest reports.  I thought others might be interested in 
the result.

Thanks,
Peter

Review of WoSign audit reports
for the period 1 January 2015 to 31 December 2015

Good:
- Uses AICPA standards
- Uses current criteria versions

Bad:
- Only covers three roots, not subordinate CAs (true for all three
reports: CA, BR, and EV)
- Does not provide assurance that subordinate CA certificate requests are 
accurate, authenticated, and approved

Really Bad:
- Includes 'emphasis of matters' which show failures of controls but still 
claims to be an unqualified opinion
- The EV opinion does not note that some of the EV certificates using a SHA-1 
hash in the signature have expiration dates after 2016-12-31


Review of StartCom audit reports
for the period 1 January 2015 to 31 December 2015

Good:
- Uses AICPA standards
- Uses current criteria versions

Bad:
- Only covers two roots, not subordinate CAs (true for all three
reports: CA, BR, and EV)
- Does not provide assurance that subordinate CA certificate requests are 
accurate, authenticated, and approved
- Does not provide assurance that it meets the Network and Certificate System 
Security Requirements as set forth by the CA/Browser Forum 


WoSign and StartCom audit reports

2016-09-22 Thread Peter Bowen
As hinted at in my earlier email about what is expected in audit
reports, I've been looking at WebTrust audit reports from many CAs in
the Mozilla program and those applying to be in the program.

Since there has been lots of discussion about WoSign and Startcom
recently, I took a look at their latest reports.  I thought others
might be interested in the result.

Thanks,
Peter

Review of WoSign audit reports
for the period 1 January 2015 to 31 December 2015

Good:
- Uses AICPA standards
- Uses current criteria versions

Bad:
- Only covers three roots, not subordinate CAs (true for all three
reports: CA, BR, and EV)
- Does not provide assurance that subordinate CA certificate requests
are accurate, authenticated, and approved

Really Bad:
- Includes 'emphasis of matters' which show failures of controls but
still claims to be an unqualified opinion
- The EV opinion does not note that some of the EV certificates using
a SHA-1 hash in the signature have expiration dates after 2016-12-31


Review of StartCom audit reports
for the period 1 January 2015 to 31 December 2015

Good:
- Uses AICPA standards
- Uses current criteria versions

Bad:
- Only covers two roots, not subordinate CAs (true for all three
reports: CA, BR, and EV)
- Does not provide assurance that subordinate CA certificate requests
are accurate, authenticated, and approved
- Does not provide assurance that it meets the Network and Certificate
System Security Requirements as set forth by the CA/Browser Forum