Report of Independent Accountants

Transcription

1 EY Bermuda Ltd. 3 Bermudiana Road Hamilton HM08, Bermuda P.O. Box HM 463 Hamilton, HM BX, Bermuda Tel: Fax: Report of Independent Accountants To the Management of QuoVadis Limited We have examined the assertion by the management of QuoVadis Limited (QuoVadis) that in providing its Certification Authority (CA) services at Bermuda; the Netherlands; Switzerland; the United Kingdom; Belgium and Germany, QuoVadis, during the period from 1 January 2016 through 31 December 2016, has: disclosed its Business, Key Life Cycle Management, Certificate Life Cycle Management, and CA Environmental Control practices in its Certificate Practice Statement, and Certificate Policy: for the QuoVadis Root CA, QuoVadis Root CA 1 G3, QuoVadis Root CA 3, and QuoVadis Root CA 3 G3, in the QuoVadis Certificate Policy/Certification Practice Statement, version 4.19; for the QuoVadis Root CA 2, QuoVadis Root CA 2 G3, in the QuoVadis Root CA2 CP/CPS, version maintained effective controls to provide reasonable assurance that: QuoVadis Certificate Practice Statement was is consistent with its Certificate Policy; and QuoVadis provided its services in accordance with its Certificate Policy and Certificate Practice Statement maintained effective controls to provide reasonable assurance that: the integrity of keys and certificates it manages was established and protected throughout their life cycles; the integrity of subscriber keys and certificates it manages was established and protected throughout their life cycles; Subscriber information was properly authenticated (for the registration activities performed by QuoVadis); and subordinate CA certificate requests were accurate, authenticated, and approved maintained effective controls to provide reasonable assurance that: logical and physical access to CA systems and data was restricted to authorized individuals; the continuity of key and certificate management operations was maintained; and CA systems development, maintenance and operations were properly authorized and performed to maintain CA systems integrity for the QuoVadis Root CA, QuoVadis Root CA 1 G3, QuoVadis Root CA 2, QuoVadis Root CA 2 G3, QuoVadis Root CA 3, QuoVadis Root CA 3 G3, and the issuing CAs listed in Appendix A to Assertion of Management in accordance with the Trust Service Principles and Criteria for Certification Authorities Version

2 QuoVadis' management is responsible for its assertion. Our responsibility is to express an opinion on management's assertion based on our examination. Our examination was conducted in accordance with attestation standards established by the American Institute of Certified Public Accountants, and accordingly, included (1) obtaining an understanding of QuoVadis' key and certificate life cycle management business practices and its controls over key and certificate integrity, over the authenticity and confidentiality of subscriber and relying party information, over the continuity of key and certificate life cycle management operations, and over development, maintenance and operation of systems integrity; (2) selectively testing transactions executed in accordance with disclosed key and certificate life cycle management business practices; (3) testing and evaluating the operating effectiveness of the controls; and (4) performing such other procedures as we considered necessary in the circumstances. We believe that our examination provides a reasonable basis for our opinion. The relative effectiveness and significance of specific controls at QuoVadis and their effect on assessments of control risk for subscribers and relying parties are dependent on their interaction with the controls, and other factors present at individual subscriber and relying party locations. We have performed no procedures to evaluate the effectiveness of controls at individual subscriber and relying party locations. Because of the nature and inherent limitations in controls, QuoVadis ability to meet the aforementioned criteria may be affected. For example, controls may not prevent, or detect and correct, error, fraud, unauthorized access to systems and information, or failure to comply with internal and external policies or requirements. Also, the projection of any conclusions based on our findings to future periods is subject to the risk that changes may alter the validity of such conclusions. In our opinion, for the period 1 January 2016 through 31 December 2016, QuoVadis management's assertion, as set forth in the first paragraph, is fairly stated, in all material respects, based on the Trust Services Principles and Criteria for Certification Authorities Version 2.0. The WebTrust seal of assurance for certification authorities on QuoVadis Web site constitutes a symbolic representation of the contents of this report and it is not intended, nor should it be construed, to update this report or provide any additional assurance. This report does not include any representation as to the quality of QuoVadis' services beyond those covered by the Trust Services Criteria for Certification Authorities, nor the suitability of any QuoVadis services for any customer's intended purpose. EY Bermuda Ltd. Hamilton, Bermuda 31 March A member firm of Ernst & Young Global Limited

3 Assertion by Management of QuoVadis Limited Regarding Its Disclosure of Its Business Practices and Its Controls Over its Certification Authority Operations During the Period 1 January 2016 through 31 December March 2017 QuoVadis Limited operates as a Certification Authority (CA) known as QuoVadis. QuoVadis, as a Root CA, provides the following certification authority services: Subscriber Key Management Services Subscriber Registration Certificate Renewal Certificate Rekey Certificate Issuance Certificate Distribution Certificate Revocation Certificate Suspension Certificate Status Information Processing Management of QuoVadis is responsible for establishing and maintaining effective controls over its CA operations, including CA business practices disclosure in QuoVadis' Certificate Practice Statement, service integrity (including key and certificate life cycle management controls), and CA environmental controls. These controls contain monitoring mechanisms, and actions are taken to correct deficiencies identified. There are inherent limitations in any controls, including the possibility of human error and the circumvention or overriding of controls. Accordingly, even effective controls can provide only reasonable assurance with respect to QuoVadis' CA operations. Furthermore, because of changes in conditions, the effectiveness of controls may vary over time. Management of QuoVadis has assessed the disclosure of its certificate practices and its controls over its CA operations. Based on that assessment, in QuoVadis management's opinion, in providing its CA services at Bermuda, the Netherlands, Switzerland, the United Kingdom, Belgium and Germany, during the period from 1 January 2016 through 31 December 2016: disclosed its Business, Key Life Cycle Management, Certificate Life Cycle Management, and CA Environmental Control practices in its Certificate Practice Statement and Certificate Policy: - for the QuoVadis Root CA, QuoVadis Root CA 1 G3, QuoVadis Root CA 3, and QuoVadis Root CA 3 G3, in the QuoVadis Certificate Policy/Certification Practice Statement, version 4.19; - for the QuoVadis Root CA 2, QuoVadis Root CA 2 G3, in the QuoVadis Root CA2 CP/CPS, version maintained effective controls to provide reasonable assurance that: - QuoVadis Certificate Practice Statement was consistent with its Certificate Policy; and - QuoVadis provided its services in accordance with its Certificate Policy and Certificate Practice Statement.

4 Page 2 Assertion of Management maintained effective controls to provide reasonable assurance that: - the integrity of keys and certificates it manages was established and protected throughout their life cycles; - the integrity of subscriber keys and certificates it manages was established and protected throughout their life cycles; - Subscriber information was properly authenticated (for the registration activities performed by QuoVadis); and - subordinate CA certificate requests were accurate, authenticated, and approved maintained effective controls to provide reasonable assurance that: - logical and physical access to CA systems and data was restricted to authorized individuals; - the continuity of key and certificate management operations was maintained; and - CA systems development, maintenance and operations were properly authorized and performed to maintain CA systems integrity for the QuoVadis Root CA, QuoVadis Root CA 1 G3, QuoVadis Root CA 2, QuoVadis Root CA 2 G3, QuoVadis Root CA 3, QuoVadis Root CA 3 G3, and the issuing CAs listed in Appendix A in accordance with the Trust Service Principles and Criteria for Certification Authorities Version 2.0, including the following: CA Business Practices Disclosure CA Business Practices Management Certification Practice Statement Management Certificate Policy Management Service Integrity CA Key Life Cycle Management Controls CA Key Generation CA Key Storage, Backup, and Recovery CA Public Key Distribution CA Key Usage CA Key Archival CA Key Destruction CA Key Compromise CA Cryptographic Hardware Life Cycle Management Subscriber Key Life Cycle Management Controls CA-Provided Subscriber Key Generation Services CA-Provided Subscriber Key Storage and Recovery Services Certificate Life Cycle Management Controls Subscriber Registration Certificate Rekey Certificate Issuance Certificate Distribution

5 Page 3 Assertion of Management Certificate Revocation Certificate Suspension Certificate Validation Subordinate CA Certificate Life Cycle Management Controls Subordinate CA Certificate Life Cycle Management CA Environmental Controls Security Management Asset Classification and Management Personnel Security Physical and Environmental Security Operations Management System Access Management Systems Development and Maintenance Business Continuity Management Monitoring and Compliance Audit Logging Very truly yours, Stephen Davidson Director QuoVadis Limited

6 Appendix A to Assertion of Management Distinguished name CN = QuoVadis Root Certification Authority OU = Root Certification Authority CN = QuoVadis Root CA 1 G3 CN = QuoVadis Root CA 2 CN = QuoVadis Root CA 2 G3 CN = QuoVadis Root CA 3 CN = QuoVadis Root CA 3 G3 CN = DarkMatter High Assurance CA O = DarkMatter LLC C = AE CN = DarkMatter Secure CA O = DarkMatter LLC C = AE CN = DarkMatter Assured CA O = DarkMatter LLC C = AE CN = Bayerische SSL-CA A45EDE3BBBF09C8AE15C72EFC07268D693A21C996FD51E67CA079460FD6D8873 8A866FD1B276B57E578E921C65828A2BED58E9F2F B7F1F4BFC9CC74 85A0DD7DD720ADB7FF05F83D542B209DC7FF4528F7D677B18389FEA5E5C49E86 8FE4FB0AF93A4D0D67DB0BEBB23E37C71BF325DCBCDD240EA04DAF58B47E F1FC7F205DF8ADDDEB7FE007DD57E3AF375A9C4D8D73546BF4F1FED1E18D35 88EF81DE202EB018452E43F864725CEA5FBD1FC2D9D C5D8B8690F46 E0A670F4F1057E9179E9DB45E333CE37E3EE31C3499F1C584A587BD9A5F53640 A019811E4369CA4C62AAA80A E60F6C5CED383AF9D79DF8F8F193F1DFE 60F066DC78A4E2E929A1C8ED102EDB707DF03181F82FDF50D53A52DAC355C65B 8E6930D78A139F A5946EF9FE3A77399B2FD0CEBB0B2ED08EE18A1D758

7 Distinguished name CN = Bayerische SSL-CA CN = Bayerische SSL-CA CN = Bayerische SSL-CA CN = Bayerische SSL-CA CN = Bayerische SSL-CA CN = LLB Root CA public v2 O = Liechtensteinische Landesbank AG C = LI CN = Suva Root CA 1 O = Suva S = Luzern CN = BEKB - BCBE Issuing CA O = Berner Kantonalbank AG CN = BEKB - BCBE Issuing CA G2 O = Berner Kantonalbank AG 43DB658DD4E4020F8B5C6BD7107E15E233459A226CD0D77EF8F72B2B1CC29AFE 01FD B3AE149252FC CE FF912892E19835A1E4C F878B3DF213B0817BFF1E5EF4E8CD7C9B57C80FFC9F8A7309EA46AAF540BAE18 D852DE5D098086DFE9A6F3D728D C489DE675753D272374A5D6E9FC 806A2AA77EDBD3C76D8FD066DFB5CC3310F359B0102CE92C0FAEC16AA43FFF0A C6B72526AF45D68AE16671E9F1C D938F8F0447E1106E2F2A70D3AD21 C1E45348D714CB47DBB2C0B9BAF9BA1F27E420047CDA7A8B CAAB97 4BBAC72E34D608071C598BBCD9EA D65B0163B420AB1737A65DACD0071 B399EFE42C01A05BDC A78E FB11C1B6B426C419A0FC73911

8 Distinguished name CN = FMH CA G1 O = FMH Verbindung der Schweizer Ärztinnen und Ärzte CN = FMH CA G2 O = FMH Verbindung der Schweizer Ärztinnen und Ärzte CN = HIN Health Info Net CA O = Health Info Net AG CN = HydrantID Client ICA O = HydrantID (Avalanche Cloud Corporation) C = US CN = HydrantID EV SSL ICA G1 O = HydrantID (Avalanche Cloud Corporation) C = US CN = HydrantID SSL ICA O = HydrantID (Avalanche Cloud Corporation) C = US CN = HydrantID SSL ICA G2 O = HydrantID (Avalanche Cloud Corporation) C = US CN = QuoVadis Belgium Issuing CA G1 O = QuoVadis Trustlink BVBA C = BE CN = QuoVadis Belgium Issuing CA G2 O = QuoVadis Trustlink BVBA = NTRBE C = BE CN = QuoVadis Swiss Advanced CA O = QuoVadis Trustlink Switzerland Ltd. A0AF1418CD14F6B2415EC6316C7D588BB25D430A3D6D026F57DE20F965EABDDC B968FBFC3ECA285AADC38D FF7D3733F1278F8A4F50ECC8C0EF1E80 479F4E101F A34CBADBC09E5F0523B35EE3839EB4B EF8463 2EEE91CC892A16CCB7320CDED2AE4948C052345D6B24E214C24EB93932D10DD9 80FDE428212AF0CA0AC531EEE6ED2DF3D3C2A4557DFCE857070FC947922E9B24 B145DCFAC E868E986A093B0F4D4DD235A7303DA77D6A1D19F5F6D76FC 9C6D FBF2B12540B67CC0E4C9666F132E A717CBAE8F3FD6 27EBACD86DD3BF86143DA A57CF3FA414D40A86E669C3F4F1D8CF24 D90B D B1B9A2F6A9E23B45FE121FEF514A1C9DF70A815AD95C 235C96A2E2DA557B904E90F3A0CAA57EABB4BDB5F401969DA8C282F F

9 Distinguished name CN = QuoVadis Swiss Advanced CA G2 O = QuoVadis Trustlink Switzerland Ltd. CN = QuoVadis Code Signing CA G1 CN = QuoVadis ElDI-V CA G1 O = QuoVadis Trustlink Switzerland Ltd. CN = QuoVadis Enterprise Trust CA 1 G3 CN = QuoVadis Enterprise Trust CA 2 G3 CN = QuoVadis Enterprise Trust CA 3 G3 CN = QuoVadis EU Issuing Certification Authority, Bermuda C = NL CN = QuoVadis EU Issuing Certification Authority G2 O = QuoVadis Trustlink B.V. C = NL CN = QuoVadis EU Issuing Certification Authority G3 O = QuoVadis Trustlink B.V. C = NL CN = QuoVadis EU Issuing Certification Authority G4 O = QuoVadis Trustlink B.V = NTRNL C = NL 5044F65E1042CD380B0B9997E F0DEEF7873DA72EFDB6F02474AE37EBE DA0AFAF15CD300E34B520FB78A4FA68EB42C4601E939B903E0B1D71DF5965BFF 393E95D3AE5233A04FEFE058BA8F445132D30E4362D5F B34D2C 0531C86F FDC539924D395D1EFA409364E6827D3AB FFB27B0 174E1DE77C8D93C68ECD2BD2EA6E191B584DB850277A834AAC898B7C80A91C70 DA A0C2E9852A86186B CDCA6AE21F09F713CA6ACCDD1F1 EC50E7E17D C8B CED68BBB1BD79EDDC61DBD298CEA5BA0FB862 EC3F940A48EF7CBCEA4142F735A5DF2976DB38183D9033C76B78E25F8F53EB5B ADDFFA6FD0809A54A9F0B31FD25F74BF7F2D7AE11C80FD99DAA0FB603A65CD0E 0DD D83FCE9F9DCA7B5CC44ED318EDD EA893877EA52DE11E

10 Distinguished name CN = QuoVadis EU Qualified Issuing Certification Authority, Bermuda C = NL CN = QuoVadis Europe SSL CA G1 O = QuoVadis Trustlink BVBA C = BE CN = QuoVadis EV SSL ICA G1 CN = QuoVadis EV SSL ICA G3 CN = QuoVadis Grid ICA CN = QuoVadis Grid ICA G2 CN = QuoVadis Issuing CA 1 G3 CN = QuoVadis Issuing CA 3 G3 CN = QuoVadis Issuing CA G3 CN = QuoVadis Issuing CA G4 7627A1A376167F0DE7523B3D65342A584BF4C84C3C9BEE499D0660B416F42130 DC8B2DEE50DD478AB135CAC269CEA A9129ABCD98DF5213B23DBFB3CD 3FE8BE392A08684B99F497E618C7DDF5A02A4289BF9D08E BFBA814F F18442BEDF70B4D C72B659332BED03FFD3BBA7AFAAABE6DE9D E9E70DC1FFF21FC813649F5DAF5FCE3A244DE6B43D691B10DDA262DC0B7 74CE8C1631EF9F38E7A4197DA3F5474DBC34F001F2967C25B BCC8C9D4 67E1EED26F7285E02BB794763FDCEF91E5B63AABD2D67D F61122DD85 C12DD0347C0D4AA25D3986E C5363A6B7EC32A49C5D18B9D56B075E368 15CE DCB35AA7B35FC168EBBB3BC2EC4696A8C795FC5C E0A7 DA3BC81005FDBB853D681A7E942661AEBA EAF52221F28514C09CB

11 Distinguished name CN = QuoVadis Qualified Issuing Certification Authority 1, Bermuda CN = QuoVadis SuisseID Advanced CA O = QuoVadis Trustlink Switzerland Ltd. CN = QuoVadis SuisseID Qualified CA O = QuoVadis Trustlink Switzerland Ltd. CN = QuoVadis Global SSL ICA OU = CN = QuoVadis Global SSL ICA G2 CN = QuoVadis Global SSL ICA G3 CN = Bayerische SSL-CA CN = Bayerische SSL-CA CN = Bayerische SSL-CA F2CBD8DB5FD908D6FBA75F21597A27712AA23A590BB838964B9AC13F37008F9 5DDAB0A802D83893AC0EDF9B30A620411B1A74A8B7D411A6A7AD7DC46EB1C8C8 5B7017B80F97C621AF1163B04BEBAFD2F932A42B85F4B9FEC71B38609F D48006AC4AE56D8467B01EEFB0C7C58F3BC9697B8A1C1CB45F5E3717A02DFC4D A4879EC0F36CF84B6F2ED87AE57EE3B94A0785C CD D152EB18 CAB9C12DBDE3AD5D2BC0201B54B18BE209CD5E146AAA085ABBDF241B096DFF47 E8CA72ECB9885C24EA29DE0EAC D2A1E59B66666D327FB0CC6BDD912F 33CD537E009DB9C758A568435C06706F9F E20B9DDC93E AA6B FF1DD21F1A5D0B452CD969CF4AA553835CABE0293C6C7B009F145AA202C02C8B

12 Distinguished name CN = Bayerische SSL-CA D6563E0433B1EDCEE7CCC5D9C2AAD8EBA12BCB BB4EF8EAF799