To the management of Entrust Datacard Limited (formerly known as Entrust Limited, hereinafter "Entrust") and Trend Micro, Inc.


Audit Tax Advisory
Grant Thornton LLP
2001 Market Street, Suite 700
Philadelphia, PA 19103-7080
T 215.561.4200
F 215.561.1066
www.grantthornton.com

Report of Independent Practitioner

To the management of Entrust Datacard Limited (formerly known as Entrust Limited, hereinafter "Entrust") and Trend Micro, Inc. ("Trend Micro"):

We have examined Entrust and Trend Micro management's assertions that for their Certification Authority (CA) operations at Santa Clara, California and Norcross, Georgia, USA, throughout the following periods:

• As to the Root CAs listed on Attachment A for the period April 1, 2016 to June 7, 2016, and
• As to the Issuing CAs listed on Attachment B and CA operations for the period April 1, 2016 to January 29, 2017,

Entrust and Trend Micro have:

• disclosed its extended validation SSL ("EV SSL") certificate lifecycle management business practices in their Certificate Practices Statements as enumerated in Attachment C, including their commitment to provide EV SSL certificates in conformity with the CA/Browser Forum Guidelines on the AffirmTrust website, and provided such services in accordance with their disclosed practices
• maintained effective controls to provide reasonable assurance that:
  o the integrity of keys and EV SSL certificates it manages is established and protected throughout their lifecycles; and
  o EV SSL subscriber information is properly authenticated (for the registration activities performed by Entrust and Trend Micro)

based on the WebTrust Principles and Criteria for Certification Authorities Extended Validation SSL v1.4.5.

Entrust's and Trend Micro's management is responsible for its assertions. Our responsibility is to express an opinion on management's assertions based on our examination.

We conducted our examination in accordance with standards for attestation engagements established by the American Institute of Certified Public Accountants and, accordingly, included:

(1) obtaining an understanding of Entrust's and Trend Micro's EV SSL certificate lifecycle management business practices, including its relevant controls over the issuance, renewal, and revocation of EV SSL certificates;
(2) selectively testing transactions executed in accordance with disclosed EV SSL certificate lifecycle management practices;
(3) testing and evaluating the operating effectiveness of the controls; and
(4) performing such other procedures as we considered necessary in the circumstances.

We believe that our examination provides a reasonable basis for our opinion.

The relative effectiveness and significance of specific controls at Entrust and Trend Micro and their effect on assessments of control risk for subscribers and relying parties are dependent on their interaction with the controls, and other factors present at individual subscriber and relying party locations. We have performed no procedures to evaluate the effectiveness of controls at individual subscriber and relying party locations.

Because of the nature and inherent limitations of controls, Entrust's and Trend Micro's ability to meet the aforementioned criteria may be affected. For example, controls may not prevent, or detect and correct, error, fraud, unauthorized access to systems and information, or failure to comply with internal and external policies or requirements. Also, the projection of any conclusions based on our findings to future periods is subject to the risk that changes may alter the validity of such conclusions.

In our opinion, throughout the period April 1, 2016 to January 29, 2017, Entrust and Trend Micro management's assertions, as referred to above, are fairly stated, in all material respects, based on the WebTrust Principles and Criteria for Certification Authorities Extended Validation SSL v1.4.5.

This report does not include any representation as to the quality of Entrust's and Trend Micro's services beyond those covered by the WebTrust Principles and Criteria for Certification Authorities Extended Validation SSL v1.4.5, nor the suitability of any of Entrust's or Trend Micro's services for any customer's intended purpose.

Grant Thornton LLP
Philadelphia, Pennsylvania
June 30, 2017

ATTACHMENT A
LIST OF IN SCOPE ROOT CAs

Root CAs

AffirmTrust Commercial
Serial no: 77:77:06:27:26:A9:B1:7C
SHA-1 Thumbprint: F9:B5:B6:32:45:5F:9C:BE:EC:57:5F:80:DC:E9:6E:2C:C7:B2:78:B7

AffirmTrust Networking
Serial no: 7C:4F:04:39:1C:D4:99:2D
SHA-1 Thumbprint: 29:36:21:02:8B:20:ED:02:F5:66:C5:32:D1:D6:ED:90:9F:45:00:2F

AffirmTrust Premium
Serial no: 6D:8C:14:46:B1:A6:0A:EE
SHA-1 Thumbprint: D8:A6:33:2C:E0:03:6F:B1:85:F6:63:4F:7D:6A:06:65:26:32:28:27

AffirmTrust Premium ECC
Serial no: 74:97:25:8A:C7:3F:7A:54
SHA-1 Thumbprint: B8:23:6B:00:2F:1D:16:86:53:01:55:6C:11:A4:37:CA:EB:FF:C3:BB

ATTACHMENT B
LIST OF IN SCOPE ISSUING CAs

Issuing CAs [Certificate Type]

Trend Micro CA [OV and EV]
Serial no: 3D:84:7C:1B:4A:BB:32:02
SHA-1 Thumbprint: 2C:DD:A6:CE:33:E1:FE:7C:1B:05:41:1F:17:A6:66:A7:83:D7:F5:6A

Trend Micro S2 CA [OV and EV]
Serial no: 5B:46:99:90:EC:75:9D:34
SHA-1 Thumbprint: E2:7C:71:03:AD:E2:D6:F3:40:7E:05:AD:05:28:EE:89:C3:63:6E:85

AffirmTrust Commercial Extended Validation CA [EV]
Serial no: 63:1B:F9:0C:8A:B0:2C:81
SHA-1 Thumbprint: 81:2F:ED:60:49:9B:92:C5:A8:06:AD:F7:6B:6C:34:C2:3B:2D:08:57

AffirmTrust Networking Extended Validation CA [EV]
Serial no: 23:90:15:C7:F6:78:80:46
SHA-1 Thumbprint: 29:81:D1:9F:DB:BE:47:39:91:3C:CE:EF:5A:B0:52:E2:D7:77:14:E9

AffirmTrust Premium Extended Validation CA [EV]
Serial no: 0B:CF:CF:37:59:C2:F5:86
SHA-1 Thumbprint: 5B:A0:2E:26:95:0A:40:B3:59:3D:C9:E3:DE:A8:C7:C5:A3:AF:42:C6

AffirmTrust Premium ECC Extended Validation CA [EV]
Serial no: 10:7C:AA:12:EC:D6:8C:54
SHA-1 Thumbprint: 7F:B9:17:9F:3F:78:03:B3:C9:96:45:FE:C8:2F:28:79:26:B9:90:55

Trend Micro Gold CA [OV and EV]
Valid until: November 2, 2019
Serial no: 00:84:3C:74:B1:AA:34:86:B1:C4:C7:A0:DF:55:B5:E9
SHA-1 Thumbprint: D3:0A:E0:1F:70:BB:BF:F3:6B:2C:EA:DE:0A:A0:F8:C7:AA:82:21:1C

Trend Micro Silver CA [OV and EV]
Valid until: November 2, 2019
Serial no: 00:83:55:1B:D2:38:4F:68:E0:42:05:B8:37:D4:8D:87
SHA-1 Thumbprint: 8B:78:C4:59:FB:11:83:BE:10:27:6B:9C:6B:62:30:81:C8:49:36:57

ATTACHMENT C
LIST OF AFFIRMTRUST CERTIFICATION PRACTICE STATEMENTS

CPS Name: Trend Micro SSL Certification Practice Statement
Version: 2.2
Date: 18 November 2015

CPS Name: Entrust Trend Micro SSL Certification Practice Statement
Version: 2.3
Date: 29 April 2016

CPS Name: AffirmTrust Certification Practice Statement
Version: 3.0
Date: 3 December 2016

Entrust Datacard Corporate Headquarters
1187 Park Place
Shakopee, MN 55379 USA

ENTRUST MANAGEMENT'S ASSERTION

Entrust Datacard Limited (formerly known as Entrust Limited, hereinafter "Entrust") operates the Certification Authority (CA) services known as AffirmTrust from roots and Subordinate CAs as enumerated in Attachment A, and provides Extended Validation SSL ("EV SSL") CA services.

The management of Entrust is responsible for establishing and maintaining effective controls over its EV SSL CA operations, including its EV SSL CA business practices disclosure on its website, EV SSL key lifecycle management controls, and EV SSL certificate lifecycle management controls. These controls contain monitoring mechanisms, and actions are taken to correct deficiencies identified.

There are inherent limitations in any controls, including the possibility of human error, and the circumvention or overriding of controls. Accordingly, even effective controls can only provide reasonable assurance with respect to Entrust's Certification Authority operations. Furthermore, because of changes in conditions, the effectiveness of controls may vary over time.

Entrust management has assessed its disclosures of its certificate practices and controls over its EV SSL CA services. Based on that assessment, in Entrust management's opinion, in providing its EV SSL Certification Authority (CA) services at Santa Clara, California and Norcross, Georgia US, throughout the period April 29, 2016 to January 29, 2017, Entrust has:

• disclosed its extended validation SSL ("EV SSL") certificate lifecycle management business practices in its Certification Practice Statements as enumerated in Attachment B, including its commitment to provide EV SSL certificates in conformity with the CA/Browser Forum Guidelines on the Entrust website, and provided such services in accordance with its disclosed practices
• maintained effective controls to provide reasonable assurance that:
  o the integrity of keys and EV SSL certificates it manages is established and protected throughout their lifecycles; and
  o EV SSL subscriber information is properly authenticated (for the registration activities performed by Entrust)

based on the WebTrust Principles and Criteria for Certification Authorities Extended Validation SSL v1.4.5.

Very truly yours,
Kirk R. Hall
Director Policy and Compliance SSL
June 30, 2017

ATTACHMENT A
LIST OF IN SCOPE ROOT CAs

Root CAs

AffirmTrust Commercial
Serial no: 77:77:06:27:26:A9:B1:7C
SHA-1 Thumbprint: F9:B5:B6:32:45:5F:9C:BE:EC:57:5F:80:DC:E9:6E:2C:C7:B2:78:B7

AffirmTrust Networking
Serial no: 7C:4F:04:39:1C:D4:99:2D
SHA-1 Thumbprint: 29:36:21:02:8B:20:ED:02:F5:66:C5:32:D1:D6:ED:90:9F:45:00:2F

AffirmTrust Premium
Serial no: 6D:8C:14:46:B1:A6:0A:EE
SHA-1 Thumbprint: D8:A6:33:2C:E0:03:6F:B1:85:F6:63:4F:7D:6A:06:65:26:32:28:27

AffirmTrust Premium ECC
Serial no: 74:97:25:8A:C7:3F:7A:54
SHA-1 Thumbprint: B8:23:6B:00:2F:1D:16:86:53:01:55:6C:11:A4:37:CA:EB:FF:C3:BB

ATTACHMENT B
LIST OF AFFIRMTRUST CERTIFICATION PRACTICE STATEMENTS

CPS Name: Entrust Trend Micro SSL Certification Practice Statement
Version: 2.3
Date: 29 April 2016

CPS Name: AffirmTrust Certification Practice Statement
Version: 3.0
Date: 3 December 2016