[cabfpub] Fwd: [CABFORUM] Questions on the network &certificate system security requirements
rob.stradling at comodo.com
Mon Aug 24 10:30:11 UTC 2015
On 21/08/15 18:13, Adam Langley wrote:
> On Fri, Aug 21, 2015 at 6:24 AM, Ben Wilson <ben.wilson at digicert.com> wrote:
>> That being said, CDNs still need to meet security
>> standards because they provide status information to end users. One might
>> expect auditors to ask CAs to provide a copy of the CDNs’ SOC 2 / SSAE 16
>> reports, and that CAs should be requesting copies of those from CDNs on an
>> annual basis.
> On that basis, aren't all servers that perform OCSP stapling
> "provid[ing] status information to end users" and thus subject to the
> same requirements?
Similarly, aren't all clients that process OCSP responses (obtained
either via OCSP stapling or directly from an OCSP Responder)
"provid[ing] status information to end users"?
Senior Research & Development Scientist
COMODO - Creating Trust Online