On 09/23/2016 10:11 PM, Peter Bowen wrote:
> On Fri, Sep 23, 2016 at 10:46 AM, Eddy Nigg <eddy...@startcom.org> wrote:
>> Speaking only for StartCom here, as far as I know and as per auditing
>> standards, all intermediate CAs are audited (no external intermediates
>> existed).
>>
>> As to network security, I believe this is part of the Baseline Requirements
>> audit. But if necessary I can ask our auditors and also WebTrust directly if
>> something is really missing. I assume that all is included, covered
>> and implied, but should a mistake have happened in the statements made by
>> the auditors, I'm sure we can get a corrected statement or explanation.
> I'm super happy that this was all checked. I know other auditors have
> re-issued opinion letters when they missed things unintentionally.
> Maybe you could ask EY to reissue to include the list of SubCAs and
> the full coverage.
Traditionally the intermediate CA certificates were never listed
explicitly, at least in our audit reports. Intermediate CA certificates
can change more frequently, and I assume that's the reason for it.
I don't like to bother them unnecessarily, but should Mozilla come to
the conclusion that something was indeed missing, I'll go and get it
from them.
> One other question on your report: It says the services were provided
> at Eilat, Israel during the period Jan 1, 2015 to Dec 31, 2015.
> Richard said in an email a few hours ago that the StartCom validation
> team was also in the UK. Did that team not spin up until January 2016
> or later?
The UK team was trained and started to work much later in 2016. Besides
that, some of the Israeli personnel are, to this very date, still in the
UK overseeing the operation there.
But as far as the audit is concerned, this is not part of the 2015 report;
that's correct.