[cabfpub] Fwd: [CABFORUM] Questions on the network & certificate system security requirements

Rob Stradling rob.stradling at comodo.com
Mon Aug 24 10:30:11 UTC 2015


On 21/08/15 18:13, Adam Langley wrote:
> On Fri, Aug 21, 2015 at 6:24 AM, Ben Wilson <ben.wilson at digicert.com> wrote:
>> That being said, CDNs still need to meet security
>> standards because they provide status information to end users.  One might
>> expect auditors to ask CAs to provide a copy of the CDNs’ SOC 2 / SSAE 16
>> reports, and that CAs should be requesting copies of those from CDNs on an
>> annual basis.
>
> On that basis, aren't all servers that perform OCSP stapling
> "provid[ing] status information to end users" and thus subject to the
> same requirements?

Similarly, aren't all clients that process OCSP responses (obtained
either via OCSP stapling or directly from an OCSP Responder)
"provid[ing] status information to end users"?

> Cheers
>
> AGL

-- 
Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online


