[cabfpub] Fwd: [CABFORUM] Questions on the network & certificate system security requirements

Ben Wilson ben.wilson at digicert.com
Fri Aug 21 17:24:36 UTC 2015


It might be good for a working group to write up the security expectations of CDNs based on a threat-risk assessment.   

-----Original Message-----
From: Adam Langley [mailto:agl at google.com] 
Sent: Friday, August 21, 2015 11:13 AM
To: Ben Wilson <ben.wilson at digicert.com>
Cc: Ryan Sleevi <sleevi at google.com>; CABFPub <public at cabforum.org>; Peter Bowen <pzbowen at gmail.com>
Subject: Re: [cabfpub] Fwd: [CABFORUM] Questions on the network & certificate system security requirements

On Fri, Aug 21, 2015 at 6:24 AM, Ben Wilson <ben.wilson at digicert.com> wrote:
> That being said, CDNs still need to meet security standards because 
> they provide status information to end users.  One might expect 
> auditors to ask CAs to provide a copy of the CDNs’ SOC 2 / SSAE 16 
> reports, and that CAs should be requesting copies of those from CDNs 
> on an annual basis.

On that basis, aren't all servers that perform OCSP stapling "provid[ing] status information to end users" and thus subject to the same requirements?


Cheers

AGL