Audit Tax Advisory
Grant Thornton LLP
2001 Market Street, Suite 700
Philadelphia, PA 19103-7080
T 215.561.4200
F 215.561.1066
www.grantthornton.com

Report of Independent Practitioner

To the management of Entrust Datacard Limited (formerly known as Entrust Limited, hereinafter "Entrust") and Trend Micro, Inc. ("Trend Micro"):

We have examined Entrust and Trend Micro management's assertions that for their Certification Authority (CA) operations at Santa Clara, California and Norcross, Georgia, USA, throughout the following periods:

- As to the Root CAs listed on Attachment A for the period April 1, 2016 to June 7, 2016, and
- As to the Issuing CAs listed on Attachment B and CA operations for the period April 1, 2016 to January 29, 2017,

Entrust and Trend Micro have:

- disclosed their business, key lifecycle management, certificate lifecycle management, and CA environment control practices in Attachment C
- maintained effective controls to provide reasonable assurance that Entrust and Trend Micro provide their services in accordance with their Certification Practice Statement
- maintained effective controls to provide reasonable assurance that:
  o the integrity of keys and certificates they manage is established and protected throughout their lifecycles;
  o the integrity of subscriber keys and certificates they manage is established and protected throughout their lifecycles;
  o subscriber information is properly authenticated (for the registration activities performed by Entrust and Trend Micro); and
  o subordinate CA certificate requests are accurate, authenticated, and approved
- maintained effective controls to provide reasonable assurance that:
  o logical and physical access to CA systems and data is restricted to authorized individuals;
  o the continuity of key and certificate management operations is maintained; and
  o CA systems development, maintenance, and operations are properly authorized and performed to maintain CA systems integrity

based on the WebTrust Principles and Criteria for Certification Authorities v2.0.

Entrust's and Trend Micro's management is responsible for its assertions. Our responsibility is to express an opinion on management's assertions based on our examination.

We conducted our examination in accordance with standards for attestation engagements established by the American Institute of Certified Public Accountants and, accordingly, included:

(1) obtaining an understanding of Entrust's and Trend Micro's key and certificate lifecycle management business practices and their controls over key and certificate integrity, over the authenticity and confidentiality of subscriber and relying party information, over the continuity of key and certificate lifecycle management operations and over development, maintenance and operation of systems integrity;
(2) selectively testing transactions executed in accordance with disclosed key and certificate lifecycle management business practices;
(3) testing and evaluating the operating effectiveness of the controls; and
(4) performing such other procedures as we considered necessary in the circumstances.

We believe that our examination provides a reasonable basis for our opinion.

The relative effectiveness and significance of specific controls at Entrust and Trend Micro and their effect on assessments of control risk for subscribers and relying parties are dependent on their interaction with the controls, and other factors present at individual subscriber and relying party locations. We have performed no procedures to evaluate the effectiveness of controls at individual subscriber and relying party locations.

Because of the nature and inherent limitations of controls, Entrust's and Trend Micro's ability to meet the aforementioned criteria may be affected. For example, controls may not prevent, or detect and correct, error, fraud, unauthorized access to systems and information, or failure to comply with internal and external policies or requirements. Also, the projection of any conclusions based on our findings to future periods is subject to the risk that changes may alter the validity of such conclusions.

In our opinion, throughout the period April 1, 2016 to January 29, 2017, Entrust and Trend Micro management's assertions, as referred to above, are fairly stated, in all material respects, based on the WebTrust Principles and Criteria for Certification Authorities v2.0.

This report does not include any representation as to the quality of Entrust's or Trend Micro's services beyond those covered by the WebTrust Principles and Criteria for Certification Authorities v2.0, nor the suitability of any of Entrust's or Trend Micro's services for any customer's intended purpose.

Grant Thornton LLP
Philadelphia, Pennsylvania
June 30, 2017

ATTACHMENT A
LIST OF IN SCOPE ROOT CAs

Root CAs

AffirmTrust Commercial
  Serial no: 77:77:06:27:26:A9:B1:7C
  SHA-1 Thumbprint: F9:B5:B6:32:45:5F:9C:BE:EC:57:5F:80:DC:E9:6E:2C:C7:B2:78:B7

AffirmTrust Networking
  Serial no: 7C:4F:04:39:1C:D4:99:2D
  SHA-1 Thumbprint: 29:36:21:02:8B:20:ED:02:F5:66:C5:32:D1:D6:ED:90:9F:45:00:2F

AffirmTrust Premium
  Valid until: December 31, 2040
  Serial no: 6D:8C:14:46:B1:A6:0A:EE
  SHA-1 Thumbprint: D8:A6:33:2C:E0:03:6F:B1:85:F6:63:4F:7D:6A:06:65:26:32:28:27

AffirmTrust Premium ECC
  Valid until: December 31, 2040
  Serial no: 74:97:25:8A:C7:3F:7A:54
  SHA-1 Thumbprint: B8:23:6B:00:2F:1D:16:86:53:01:55:6C:11:A4:37:CA:EB:FF:C3:BB

ATTACHMENT B
LIST OF IN SCOPE ISSUING CAs

Issuing CAs [Certificate Type]

Trend Micro CA [OV and EV]
  Serial no: 3D:84:7C:1B:4A:BB:32:02
  SHA-1 Thumbprint: 2C:DD:A6:CE:33:E1:FE:7C:1B:05:41:1F:17:A6:66:A7:83:D7:F5:6A

Trend Micro S2 CA [OV and EV]
  Serial no: 5B:46:99:90:EC:75:9D:34
  SHA-1 Thumbprint: E2:7C:71:03:AD:E2:D6:F3:40:7E:05:AD:05:28:EE:89:C3:63:6E:85

AffirmTrust Commercial Extended Validation CA [EV]
  Serial no: 63:1B:F9:0C:8A:B0:2C:81
  SHA-1 Thumbprint: 81:2F:ED:60:49:9B:92:C5:A8:06:AD:F7:6B:6C:34:C2:3B:2D:08:57

AffirmTrust Networking Extended Validation CA [EV]
  Serial no: 23:90:15:C7:F6:78:80:46
  SHA-1 Thumbprint: 29:81:D1:9F:DB:BE:47:39:91:3C:CE:EF:5A:B0:52:E2:D7:77:14:E9

AffirmTrust Premium Extended Validation CA [EV]
  Valid until: December 31, 2040
  Serial no: 0B:CF:CF:37:59:C2:F5:86
  SHA-1 Thumbprint: 5B:A0:2E:26:95:0A:40:B3:59:3D:C9:E3:DE:A8:C7:C5:A3:AF:42:C6

AffirmTrust Premium ECC Extended Validation CA [EV]
  Valid until: December 31, 2040
  Serial no: 10:7C:AA:12:EC:D6:8C:54
  SHA-1 Thumbprint: 7F:B9:17:9F:3F:78:03:B3:C9:96:45:FE:C8:2F:28:79:26:B9:90:55

Trend Micro Gold CA [OV and EV]
  Valid until: November 2, 2019
  Serial no: 00:84:3C:74:B1:AA:34:86:B1:C4:C7:A0:DF:55:B5:E9
  SHA-1 Thumbprint: D3:0A:E0:1F:70:BB:BF:F3:6B:2C:EA:DE:0A:A0:F8:C7:AA:82:21:1C

Trend Micro Silver CA [OV and EV]
  Valid until: November 2, 2019
  Serial no: 00:83:55:1B:D2:38:4F:68:E0:42:05:B8:37:D4:8D:87
  SHA-1 Thumbprint: 8B:78:C4:59:FB:11:83:BE:10:27:6B:9C:6B:62:30:81:C8:49:36:57

ATTACHMENT C
LIST OF AFFIRMTRUST CERTIFICATION PRACTICE STATEMENTS

CPS Name                                                    Version   Date
Trend Micro SSL Certification Practice Statement            2.2       18 November 2015
Entrust Trend Micro SSL Certification Practice Statement    2.3       29 April 2016
AffirmTrust Certification Practice Statement                3.0       3 December 2016

Entrust Datacard
Corporate Headquarters
1187 Park Place
Shakopee, MN 55379 USA

ENTRUST MANAGEMENT'S ASSERTION

Entrust Datacard Limited (formerly known as Entrust Limited, hereinafter "Entrust") operates the Certification Authority (CA) services as enumerated in Attachment A, and provides the following CA services:

- Subscriber registration
- Certificate renewal
- Certificate rekey
- Certificate issuance
- Certificate distribution
- Certificate revocation
- Certificate validation
- Subordinate CA certification

The management of Entrust is responsible for establishing and maintaining effective controls over its CA operations, including its CA business practices disclosure on its website, CA business practices management, CA environmental controls, CA key lifecycle management controls, subscriber key lifecycle management controls, certificate lifecycle management controls, and subordinate CA certificate lifecycle management controls. These controls contain monitoring mechanisms, and actions are taken to correct deficiencies identified.

There are inherent limitations in any controls, including the possibility of human error, and the circumvention or overriding of controls. Accordingly, even effective controls can only provide reasonable assurance with respect to Entrust's Certification Authority operations. Furthermore, because of changes in conditions, the effectiveness of controls may vary over time.

Entrust management has assessed its disclosures of its certificate practices and controls over its CA services. Based on that assessment, in Entrust management's opinion, in providing its Certification Authority (CA) services at Santa Clara, California and Norcross, Georgia USA, throughout the period April 29, 2016 to January 29, 2017, Entrust has:

- disclosed its business, key lifecycle management, certificate lifecycle management, and CA environment control practices in its Certification Practice Statements as enumerated in Attachment B
- maintained effective controls to provide reasonable assurance that Entrust provides its services in accordance with its Certification Practices Statements
- maintained effective controls to provide reasonable assurance that:
  o the integrity of keys and certificates it manages is established and protected throughout their lifecycles;
  o the integrity of subscriber keys and certificates it manages is established and protected throughout their lifecycles;
  o subscriber information is properly authenticated (for the registration activities performed by Entrust); and
  o subordinate CA certificate requests are accurate, authenticated, and approved
- maintained effective controls to provide reasonable assurance that:
  o logical and physical access to CA systems and data is restricted to authorized individuals;
  o the continuity of key and certificate management operations is maintained; and
  o CA systems development, maintenance, and operations are properly authorized and performed to maintain CA systems integrity

based on the WebTrust Principles and Criteria for Certification Authorities v2.0, including the following:

CA Business Practices Disclosure
- Certification Practice Statement (CPS)

CA Business Practices Management
- Certification Practice Statement Management

CA Environmental Controls
- Security Management
- Asset Classification and Management
- Personnel Security
- Physical & Environmental Security
- Operations Management
- System Access Management
- System Development and Maintenance
- Business Continuity Management
- Monitoring and Compliance
- Audit Logging

CA Key Lifecycle Management Controls
- CA Key Generation
- CA Key Storage, Backup, and Recovery
- CA Public Key Distribution
- CA Key Usage
- CA Key Archival and Destruction
- CA Key Compromise
- CA Cryptographic Hardware Lifecycle Management

Certificate Lifecycle Management Controls
- Subscriber Registration
- Certificate Renewal
- Certificate Rekey
- Certificate Issuance
- Certificate Distribution
- Certificate Revocation
- Certificate Validation

Subordinate CA Certificate Lifecycle Management Controls
- Subordinate CA Certificate Lifecycle Management

Very truly yours,

Kirk R. Hall
Director Policy and Compliance SSL
June 30, 2017

ATTACHMENT A
LIST OF IN SCOPE ROOT CAs

Root CAs

AffirmTrust Commercial
  Serial no: 77:77:06:27:26:A9:B1:7C
  SHA-1 Thumbprint: F9:B5:B6:32:45:5F:9C:BE:EC:57:5F:80:DC:E9:6E:2C:C7:B2:78:B7

AffirmTrust Networking
  Serial no: 7C:4F:04:39:1C:D4:99:2D
  SHA-1 Thumbprint: 29:36:21:02:8B:20:ED:02:F5:66:C5:32:D1:D6:ED:90:9F:45:00:2F

AffirmTrust Premium
  Valid until: December 31, 2040
  Serial no: 6D:8C:14:46:B1:A6:0A:EE
  SHA-1 Thumbprint: D8:A6:33:2C:E0:03:6F:B1:85:F6:63:4F:7D:6A:06:65:26:32:28:27

AffirmTrust Premium ECC
  Valid until: December 31, 2040
  Serial no: 74:97:25:8A:C7:3F:7A:54
  SHA-1 Thumbprint: B8:23:6B:00:2F:1D:16:86:53:01:55:6C:11:A4:37:CA:EB:FF:C3:BB

ATTACHMENT B
LIST OF AFFIRMTRUST CERTIFICATION PRACTICE STATEMENTS

CPS Name                                                    Version   Date
Entrust Trend Micro SSL Certification Practice Statement    2.3       29 April 2016
AffirmTrust Certification Practice Statement                3.0       3 December 2016