
WoSign and StartCom audit reports


Peter Bowen

Sep 22, 2016, 10:53:51 PM
to dev-secur...@lists.mozilla.org
As hinted at in my earlier email about what is expected in audit
reports, I've been looking at WebTrust audit reports from many CAs in
the Mozilla program and those applying to be in the program.

Since there has been lots of discussion about WoSign and StartCom
recently, I took a look at their latest reports. I thought others
might be interested in the result.

Thanks,
Peter

Review of WoSign audit reports
for the period 1 January 2015 to 31 December 2015

Good:
- Uses AICPA standards
- Uses current criteria versions

Bad:
- Only covers three roots, not subordinate CAs (true for all three
reports: CA, BR, and EV)
- Does not provide assurance that subordinate CA certificate requests
are accurate, authenticated, and approved

Really Bad:
- Includes 'emphasis of matters' which show failures of controls but
still claims to be an unqualified opinion
- The EV opinion does not note that some of the EV certificates using
a SHA-1 hash in the signature have expiration dates after 2016-12-31


Review of StartCom audit reports
for the period 1 January 2015 to 31 December 2015

Good:
- Uses AICPA standards
- Uses current criteria versions

Bad:
- Only covers two roots, not subordinate CAs (true for all three
reports: CA, BR, and EV)
- Does not provide assurance that subordinate CA certificate requests
are accurate, authenticated, and approved
- Does not provide assurance that it meets the Network and Certificate
System Security Requirements as set forth by the CA/Browser Forum
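The last WoSign finding above, EV certificates carrying a SHA-1 signature while expiring after 2016-12-31, is the kind of scope check that can be run mechanically over a CA's issued certificates rather than taken on trust from an opinion letter. The Python below is an added example, not part of the original post or of either CA's tooling: it walks the DER structure of an X.509 certificate just far enough to read the outer signatureAlgorithm OID and the notAfter date, then flags the combination described. The certificates it inspects are constructed inline with dummy key and signature bytes (they are not real or verifiable certificates), and the OID table, the cut-off constant `SHA1_SUNSET` and the function names (`inspect_certificate`, `build_test_cert`, `demo_report`) are the example's own.

```python
import datetime

# Signature-algorithm OIDs by name; the SHA-1 ones are what the sunset rule applies to
SIGNATURE_NAMES = {"1.2.840.113549.1.1.5": "sha1WithRSAEncryption", "1.2.840.10045.4.1": "ecdsa-with-SHA1",
                   "1.2.840.113549.1.1.11": "sha256WithRSAEncryption"}
SHA1_SIGNATURE_OIDS = {"1.2.840.113549.1.1.5", "1.2.840.10045.4.1"}
# A SHA-1 signed certificate should not remain valid past the end of 2016 (assumed cut-off for this check)
SHA1_SUNSET = datetime.datetime(2016, 12, 31, 23, 59, 59)

def der_len(n):
    """DER length octets: short form below 128, long form above."""
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b

def tlv(tag, body):
    return bytes([tag]) + der_len(len(body)) + body

def der_oid(dotted):
    """Encode a dotted OID as a DER OBJECT IDENTIFIER (first two arcs merged, base-128 arcs)."""
    parts = [int(p) for p in dotted.split(".")]
    out = [40 * parts[0] + parts[1]]
    for p in parts[2:]:
        enc = [p & 0x7F]
        p >>= 7
        while p:
            enc.insert(0, 0x80 | (p & 0x7F))
            p >>= 7
        out += enc
    return tlv(0x06, bytes(out))

def decode_oid(body):
    parts, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            parts.append(val)
            val = 0
    return ".".join(map(str, parts))

def read_tlv(buf, pos=0):
    """Return (tag, body, position after the element) for the DER element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def read_children(body):
    children, pos = [], 0
    while pos < len(body):
        tag, val, pos = read_tlv(body, pos)
        children.append((tag, val))
    return children

def parse_time(tag, body):
    s = body.decode("ascii")
    if tag == 0x17:  # UTCTime YYMMDDHHMMSSZ; RFC 5280 maps 50-99 to 19xx and 00-49 to 20xx
        yy = int(s[:2])
        s = "%04d%s" % (1900 + yy if yy >= 50 else 2000 + yy, s[2:])
    elif tag != 0x18:  # otherwise GeneralizedTime YYYYMMDDHHMMSSZ
        raise ValueError("unexpected time tag 0x%02x" % tag)
    return datetime.datetime.strptime(s, "%Y%m%d%H%M%SZ")

def inspect_certificate(der):
    """Read signatureAlgorithm and notAfter from a DER Certificate and apply the sunset rule."""
    _, cert_body, _ = read_tlv(der)
    tbs, sig_alg = read_children(cert_body)[:2]  # Certificate ::= SEQUENCE { tbs, sigAlg, sigValue }
    alg_oid = decode_oid(read_children(sig_alg[1])[0][1])
    fields = read_children(tbs[1])
    if fields[0][0] == 0xA0:  # skip the EXPLICIT [0] version field when present
        fields = fields[1:]
    # TBSCertificate order: serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo, ...
    _not_before, not_after = [parse_time(t, v) for t, v in read_children(fields[3][1])]
    return {
        "signature_algorithm": SIGNATURE_NAMES.get(alg_oid, alg_oid),
        "not_after": not_after,
        "violates_sha1_sunset": alg_oid in SHA1_SIGNATURE_OIDS and not_after > SHA1_SUNSET,
    }

def build_test_cert(sig_oid, not_after):
    """Constructed sample certificate with dummy key and signature bytes (not a real, verifiable cert)."""
    utctime = lambda dt: tlv(0x17, dt.strftime("%y%m%d%H%M%SZ").encode())
    name = lambda cn: tlv(0x30, tlv(0x31, tlv(0x30, der_oid("2.5.4.3") + tlv(0x0C, cn.encode()))))
    alg = tlv(0x30, der_oid(sig_oid) + tlv(0x05, b""))
    spki = tlv(0x30, tlv(0x30, der_oid("1.2.840.113549.1.1.1") + tlv(0x05, b"")) + tlv(0x03, bytes(9)))
    tbs = tlv(0x30, tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, b"\x01") + alg + name("Constructed Test CA")
              + tlv(0x30, utctime(datetime.datetime(2015, 1, 1)) + utctime(not_after))
              + name("example.invalid") + spki)
    return tlv(0x30, tbs + alg + tlv(0x03, bytes(17)))

def demo_report():
    """Inspect three constructed certificates; only the SHA-1 one expiring in 2017 should be flagged."""
    samples = {
        "sha1_expires_2017": ("1.2.840.113549.1.1.5", datetime.datetime(2017, 6, 30, 12, 0, 0)),
        "sha1_expires_2016": ("1.2.840.113549.1.1.5", datetime.datetime(2016, 12, 31, 23, 59, 59)),
        "sha256_expires_2017": ("1.2.840.113549.1.1.11", datetime.datetime(2017, 6, 30, 12, 0, 0)),
    }
    return {k: inspect_certificate(build_test_cert(oid, exp)) for k, (oid, exp) in samples.items()}
```

The check reads the outer `signatureAlgorithm`, which is the algorithm the CA actually signed with; RFC 5280 requires it to match the `signature` field inside the TBSCertificate, and a mismatch between the two would itself be worth reporting. Against real data, feed `inspect_certificate` the DER bytes of each certificate (PEM input needs the base64 body decoded first) and collect the entries whose `violates_sha1_sunset` is true.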

Richard Wang

Sep 23, 2016, 1:37:33 AM
to Peter Bowen, dev-secur...@lists.mozilla.org
Thanks for your hard work. I hope you can finish checking all the other CAs' reports ASAP.

For WoSign, the report covered all 4 roots, not 3 roots.

For StartCom, Eddy can say something about it, StartCom is 1000% independent for everything at 2015.


Best Regards,

Richard

Gervase Markham

Sep 23, 2016, 5:42:02 AM
to Richard Wang, Peter Bowen
On 23/09/16 06:35, Richard Wang wrote:
> For StartCom, Eddy can say something about it, StartCom is 1000% independent for everything at 2015.

You've said this or something very similar twice now, both times saying
"at 2015". This is probably a language thing, because native English
speakers would not use "at" here.

So can I ask what you mean? Do you mean "1000% independent today", or do
you mean "it was 1000% independent in 2015 (but things may have changed
since)"?

Gerv


Richard Wang

Sep 23, 2016, 5:58:37 AM
to Gervase Markham, Peter Bowen, mozilla-dev-s...@lists.mozilla.org
Yes, 100% independent in 2015. So please don't tie the two companies together for anything that happened in 2015, thanks.

From Dec. 20th to 22nd 2015, the new StartCom website, www.startssl.com, moved to a USA IDC that was designed by the StartCom Chinese R&D team. From that time StartCom shared many facilities with WoSign in the Qihoo 360 IDC for security. But there were still two separate systems, including BUY/CMS/PKI, and two separate teams, including the customer service team and the validation team.


Best Regards,

Richard


Gervase Markham

Sep 23, 2016, 6:04:39 AM
to Richard Wang, Peter Bowen
On 23/09/16 10:56, Richard Wang wrote:
> Yes, 100% independent in 2015. So please don't tie the two companies
> together for anything that happened in 2015, thanks.

Oh, I see what you mean. :-)

> From Dec. 20th to 22nd 2015, the new StartCom website,
> www.startssl.com, moved to a USA IDC that was designed by the StartCom
> Chinese R&D team. From that time StartCom shared many facilities with
> WoSign in the Qihoo 360 IDC for security. But there were still two
> separate systems, including BUY/CMS/PKI,

You say the systems are "separate". But are they running the same
WoSign-created codebase? Or is StartCom still using the systems it was
using before Dec 20th 2015?

Gerv

Richard Wang

Sep 23, 2016, 6:21:41 AM
to Gervase Markham, Peter Bowen, mozilla-dev-s...@lists.mozilla.org
For StartCom issues, I think Eddy and Inigo can answer your question, as I represent WoSign only.

As far as I know, the new buy website, www.startssl.com, is developed by the StartCom China R&D team; it posts the order to the PKI system that is still in the Israeli office equipment room.
The website is hosted in the USA; the WoSign website, which we have designed ourselves since 2011, is hosted in China. They are two separate systems.

StartCom Hong Kong invested in a separate company in China; they have an R&D team and a customer service team. The validation team is in the UK and Israel, and will be in Spain.

Best Regards,

Richard


Eddy Nigg

Sep 23, 2016, 1:47:16 PM
to mozilla-dev-s...@lists.mozilla.org
On 09/23/2016 05:53 AM, Peter Bowen wrote:
> Review of StartCom audit reports
> for the period 1 January 2015 to 31 December 2015
>
> Good:
> - Uses AICPA standards
> - Uses current criteria versions
>
> Bad:
> - Only covers two roots, not subordinate CAs (true for all three
> reports: CA, BR, and EV)
> - Does not provide assurance that subordinate CA certificate requests
> are accurate, authenticated, and approved
> - Does not provide assurance that it meets the Network and Certificate
> System Security Requirements as set forth by the CA/Browser Forum


Speaking only for StartCom here, as far as I know and as per auditing
standards, all intermediate CAs are audited (no external intermediates
existed).

As to network security, I believe this is part of the Baseline
Requirements audit. But if necessary I can ask our auditors and also
WebTrust directly whether something is really missing. I assume that
all is included, covered and implied, but should a mistake have happened
in the statements made by the auditors, I'm sure we can get a corrected
statement or explanation.

--
Regards
Signer: Eddy Nigg, Founder
StartCom Ltd. <http://www.startcom.org>
XMPP: star...@startcom.org <xmpp:star...@startcom.org>

Peter Bowen

Sep 23, 2016, 3:11:59 PM
to Eddy Nigg, mozilla-dev-s...@lists.mozilla.org
On Fri, Sep 23, 2016 at 10:46 AM, Eddy Nigg <eddy...@startcom.org> wrote:
> On 09/23/2016 05:53 AM, Peter Bowen wrote:
>>
>> Review of StartCom audit reports
>> for the period 1 January 2015 to 31 December 2015
>>
>> Good:
>> - Uses AICPA standards
>> - Uses current criteria versions
>>
>> Bad:
>> - Only covers two roots, not subordinate CAs (true for all three
>> reports: CA, BR, and EV)
>> - Does not provide assurance that subordinate CA certificate requests
>> are accurate, authenticated, and approved
>> - Does not provide assurance that it meets the Network and Certificate
>> System Security Requirements as set forth by the CA/Browser Forum
>
>
>
> Speaking only for StartCom here, as far as I know and as per auditing
> standards, all intermediate CAs are audited (no external intermediates
> existed).
>
> As to network security, I believe this is part of the Baseline Requirements
> audit. But if necessary I can ask our auditors and also WebTrust directly
> whether something is really missing. I assume that all is included, covered
> and implied, but should a mistake have happened in the statements made by
> the auditors, I'm sure we can get a corrected statement or explanation.

I'm super happy that this was all checked. I know other auditors have
re-issued opinion letters when they missed things unintentionally.
Maybe you could ask EY to reissue to include the list of SubCAs and
the full coverage. I noticed EY Israel got added back to the WebTrust
site, after being unintentionally dropped during the update to remove
non-CA auditors, so that should also enable posting it to the seal
archive.

One other question on your report: It says the services were provided
at Eilat, Israel during the period Jan 1, 2015 to Dec 31, 2015.
Richard said in an email a few hours ago that the StartCom validation
team was also in the UK. Did that team not spin up until January 2016
or later?

Thanks,
Peter

Eddy Nigg

Sep 26, 2016, 5:10:29 AM
to mozilla-dev-s...@lists.mozilla.org
On 09/23/2016 10:11 PM, Peter Bowen wrote:
> On Fri, Sep 23, 2016 at 10:46 AM, Eddy Nigg <eddy...@startcom.org> wrote:
>> Speaking only for StartCom here, as far as I know and as per auditing
>> standards, all intermediate CAs are audited (no external intermediates
>> existed).
>>
>> As to network security, I believe this is part of the Baseline Requirements
>> audit. But if necessary I can ask our auditors and also WebTrust directly if
>> there is really missing something. I assume that all is included, covered
>> and implied, but should a mistake have happened in the statements made by
>> the auditors I'm sure we can get a corrected statement or explanation.
> I'm super happy that this was all checked. I know other auditors have
> re-issued opinion letters when they missed things unintentionally.
> Maybe you could ask EY to reissue to include the list of SubCAs and
> the full coverage.

Traditionally the intermediate CA certificates were never listed
explicitly, at least in our audit reports. Intermediate CA certificates
can change more frequently, and I assume that's the reason for it.

I don't like to bother them unnecessarily, but should Mozilla come to
the conclusion that something was indeed missing, I'll go and get it
from them.

> One other question on your report: It says the services were provided
> at Eilat, Israel during the period Jan 1, 2015 to Dec 31, 2015.
> Richard said in an email a few hours ago that the StartCom validation
> team was also in the UK. Did that team not spin up until January 2016
> or later?

The UK team was trained and started to work much later in 2016. Besides
that, some of the Israeli personnel are to this very date still in the
UK overseeing the operation there.

But as far as the audit is concerned, this is not part of the 2015 report;
that's correct.