[cabfpub] Fwd: [CABFORUM] Questions on the network & certificate system security requirements
ben.wilson at digicert.com
Fri Aug 21 17:24:36 UTC 2015
It might be good for a working group to write up the security expectations of CDNs based on a threat-risk assessment.
From: Adam Langley [mailto:agl at google.com]
Sent: Friday, August 21, 2015 11:13 AM
To: Ben Wilson <ben.wilson at digicert.com>
Cc: Ryan Sleevi <sleevi at google.com>; CABFPub <public at cabforum.org>; Peter Bowen <pzbowen at gmail.com>
Subject: Re: [cabfpub] Fwd: [CABFORUM] Questions on the network & certificate system security requirements
On Fri, Aug 21, 2015 at 6:24 AM, Ben Wilson <ben.wilson at digicert.com> wrote:
> That being said, CDNs still need to meet security standards because
> they provide status information to end users. One might expect
> auditors to ask CAs to provide a copy of the CDNs’ SOC 2 / SSAE 16
> reports, and that CAs should be requesting copies of those from CDNs
> on an annual basis.
On that basis, aren't all servers that perform OCSP stapling "provid[ing] status information to end users" and thus subject to the same requirements?