SlideShare a Scribd company logo

Starfield wtbr indp acct opinião e mgmt afirmação final junho 2020

S
Sirlei de Fatima Barreiro Jabali

VENHA ESTOU ESPERANDO VC

Devices & Hardware
1 of 14
Download to read offline
BDO USA, LLP, a Delaware limited liability partnership, is the U.S. member of BDO International Limited, a UK company limited by guarantee, and forms part of the international BDO network of independent member firms. BDO is the brand name for the BDO network and for each of the BDO Member Firms. 101 S Hanley Rd, #800 St. Louis, MO 63105 Tel: 314-889-1100 Fax: 314-889-1101 www.bdo.com REPORT OF THE INDEPENDENT ACCOUNTANT To the management of Starfield Technologies, LLC (“Starfield”): We have examined Starfield, subsidiary of GoDaddy Inc. (“GoDaddy”), management’s assertion that for its Starfield and GoDaddy Certification Authority (“CA”) operations at Arizona and Virginia, in the United States of America, throughout the period July 1, 2019 to June 30, 2020 for the CAs enumerated in Attachment B in scope for SSL Baseline Requirements and Network Security Requirements, Starfield has: • disclosed its SSL certificate lifecycle management business practices in the applicable versions of its Starfield Certificate Policy and Certification Practice Statement (“CP/CPS”) enumerated in Attachment A, including its commitment to provide SSL certificates in conformity with the CA/Browser Forum Requirements on its repository, and provided such services in accordance with its disclosed practices • maintained effective controls to provide reasonable assurance that: o the integrity of keys and SSL certificates it manages is established and protected throughout their lifecycles; and o SSL subscriber information is properly authenticated • maintained effective controls to provide reasonable assurance that: o logical and physical access to CA systems and data is restricted to authorized individuals; o the continuity of key and certificate management operations is maintained; and o CA systems development, maintenance, and operations are properly authorized and performed to maintain CA systems integrity • maintained effective controls to provide reasonable assurance that it meets the Network and Certificate System Security Requirements as set forth by the CA/Browser Forum based on the WebTrust Principles and Criteria for Certification Authorities – SSL Baseline with Network Security v2.4.1. Starfield’s management is responsible for its assertion. Our responsibility is to express an opinion on management’s assertion based on our examination. The relative effectiveness and significance of specific controls at Starfield and their effect on assessments of control risk for subscribers and relying parties are dependent on their interaction with the controls and other factors present at individual subscriber and relying party locations. Our examination did not extend to controls at individual subscriber and relying party locations and we have not evaluated the effectiveness of such controls.
2 Our examination was conducted in accordance with attestation standards established by the American Institute of Certified Public Accountants. Those standards require that we plan and perform the examination to obtain reasonable assurance about whether management’s assertion is fairly stated, in all material respects. An examination involves performing procedures to obtain evidence about management’s assertion. The nature, timing, and extent of the procedures selected depend on our judgment, including an assessment of the risks of material misstatement of management’s assertion, whether due to fraud or error. We believe that the evidence we obtained is sufficient and appropriate to provide a reasonable basis for our opinion. Because of the nature and inherent limitations of controls, Starfield’s ability to meet the aforementioned criteria may be affected. For example, controls may not prevent, or detect and correct, error, fraud, unauthorized access to systems and information, or failure to comply with internal and external policies or requirements. Also, the projection of any conclusions based on our findings to future periods is subject to the risk that changes may alter the validity of such conclusions. In our opinion management’s assertion, as referred to above, is fairly stated, in all material respects. Without modifying our opinion, we noted the following other matters during our procedures: Matter Topic Matter 1 Certificate Validation Starfield disclosed in Mozilla Bug #1605804 that their registration authority (RA) system issued 16 DV/OV SSL and 19 EV SSL certificates using domain validation evidence older than allowed by the Baseline Requirements. Starfield revoked all 35 certificates in accordance with the timelines set by the Baseline Requirements. Starfield disclosed in Mozilla Bug #1646226 that its 3% self- audit discovered a bug in their RA system that caused documents used for organization validation to be re-used for longer than the timelines allowed by the Baseline Requirements. This impacted 396 OV SSL certificates. Starfield disclosed in Mozilla Bug #1647030 that when it updated the RA system's BR validation process from 3.2.2.4.6 to 3.2.2.4.18, an improper change was implemented, which resulted in sub-domains being improperly considered validated. Starfield investigated and discovered 454 SSL certificates were impacted and revoked in accordance with the timelines set by the Baseline Requirements. 2 CRL Publication Starfield disclosed in Mozilla Bug #1645832 that during system upgrades, a CRL publishing node was taken down and not properly brought up again. During the system upgrade, monitoring alarms were suppressed and the issue was not discovered until after the existing CRLs expired.
3 Matter Topic Matter 3 Certificate Revocation Starfield disclosed in Mozilla Bug #1639798 and Mozilla Bug #1640310 that it received 14 notices of Subscriber certificate key compromises that took longer than 24 hours after receipt to revoke in violation of the Baseline Requirement. This report does not include any representation as to the quality of Starfield’s services other than its CA operations at Arizona and Virginia, in the United States of America, nor the suitability of any of Starfield’s services for any customer's intended purpose. The World Health Organization classified the COVID-19 outbreak as a pandemic in March 2020. Based on the rapid increase in exposure globally, the gravity or length of the impact of the COVID-19 outbreak cannot be estimated at this time. Starfield’s use of the WebTrust for Certification Authorities – SSL Baseline with Network Security Seal constitutes a symbolic representation of the contents of this report and it is not intended, nor should it be construed, to update this report or provide any additional assurance. August 6, 2020
4 ATTACHMENT A – CERTIFICATION PRACTICE STATEMENT AND CERTIFICATE POLICY VERSIONS IN-SCOPE Policy Name Policy Version Policy Date Starfield Technologies, LLC Certificate Policy and Certification Practice Statement Version 4.4 June 19, 2020 Starfield Technologies, LLC Certificate Policy and Certification Practice Statement Version 4.3 May 26, 2020 Starfield Technologies, LLC Certificate Policy and Certification Practice Statement Version 4.2 March 27, 2020 Starfield Technologies, LLC Certificate Policy and Certification Practice Statement Version 4.1 May 21, 2019
5 ATTACHMENT B – IN-SCOPE CAs FOR SSL BASELINE REQUIREMENTS AND NETWORK SECURITY REQUIREMENTS Root CAs Subject SHA2 Thumbprint Valid From Valid To OU = Go Daddy Class 2 Certification Authority O = The Go Daddy Group, Inc. C = US C3846BF24B9E93CA64274C0EC67C1ECC5E024FFCACD2D74019350E81FE546AE4 6/29/2004 6/29/2034 CN = Go Daddy Root Certificate Authority - G2 O = GoDaddy.com, Inc. L = Scottsdale S = Arizona C = US 45140B3247EB9CC8C5B4F0D7B53091F73292089E6E5A63E2749DD3ACA9198EDA 9/1/2009 12/31/2037 OU = Starfield Class 2 Certification Authority O = Starfield Technologies, Inc. C = US 1465FA205397B876FAA6F0A9958E5590E40FCC7FAA4FB7C2C8677521FB5FB658 6/29/2004 6/29/2034 CN = Starfield Root Certificate Authority - G2 O = Starfield Technologies, Inc. L = Scottsdale S = Arizona C = US 2CE1CB0BF9D2F9E102993FBE215152C3B2DD0CABDE1C68E5319B839154DBB7F5 9/1/2009 12/31/2037 CN = Starfield Services Root Certificate OU = http://certificates.starfieldtech.com/repository/ O = Starfield Technologies, Inc. L = Scottsdale S = Arizona C = US B5BD2CB79CBD1907298D6BDF4842E516D8C78FA6FC96D25F71AF814E16CC245E 6/2/2008 12/31/2029
6 Cross-Signed Roots Subject SHA2 Thumbprint Valid From Valid To CN = Go Daddy Root Certificate Authority - G2 O = GoDaddy.com, Inc. L = Scottsdale S = Arizona C = US 3A2FBE92891E57FE05D57087F48E730F17E5A5F53EF403D618E5B74D7A7E6ECB 1/1/2014 5/30/2031 CN = Go Daddy Root Certificate Authority - G2 OU = https://certs.godaddy.com/repository/ O = GoDaddy.com, Inc. L = Scottsdale S = Arizona C = US 9BF58967545996194512DB6177151AFE99706AEA3DA36FEEE7AD9F8B3C0507CB 5/3/2011 5/3/2031 CN = Starfield Root Certificate Authority - G2 O = Starfield Technologies, Inc. L = Scottsdale S = Arizona C = US 9F43D52E808C20AFF69E02FAAC205AAC684E6975213D6620FAC64BDE5FCAB4BC 1/1/2014 5/30/2031 CN = Starfield Root Certificate Authority - G2 OU = https://certs.starfieldtech.com/repository/ O = Starfield Technologies, Inc. L = Scottsdale S = Arizona C = US 454040E4969070401CC35BDF7F2A4EBCE5797BB7694AE731D93A8115FD59929C 5/3/2011 5/3/2031 CN = Starfield Services Root Certificate Authority - G2 O = Starfield Technologies, Inc. L = Scottsdale S = Arizona C = US EB159C922A3FC2191475CA20A53816D87A38A1A79A7264789193D2F1F750E85E 1/1/2014 5/30/2031 CN = Starfield Services Root Certificate Authority - G2 OU = https://certs.starfieldtech.com/repository/ O = Starfield Technologies, Inc. L = Scottsdale S = Arizona C = US A24B9440F9FCBEBB48C274C03DE7D24C5ED1CA59D2D362F29ED3B457762C75BB 5/3/2011 5/3/2031
7 Cross-Signed Roots Subject SHA2 Thumbprint Valid From Valid To CN = Starfield Services Root Certificate Authority - G2 O = Starfield Technologies, Inc. L = Scottsdale S = Arizona C = US 2D12B619A660CEFB013271831D891213FC434E982A21568256CF4E2E86324BEA 8/30/2009 6/28/2034 CN = Starfield Services Root Certificate Authority - G2 O = Starfield Technologies, Inc. L = Scottsdale S = Arizona C = US 28689B30E4C306AAB53B027B29E36AD6DD1DCF4B953994482CA84BDC1ECAC996 9/2/2009 6/28/2034
8 Intermediate CAs Subject SHA2 Thumbprint Valid From Valid To serialNumber = 07969287 CN = Go Daddy Secure Certification Authority OU = http://certificates.godaddy.com/repository O = GoDaddy.com, Inc. L = Scottsdale S = Arizona C = US 09ED6E991FC3273D8FEA317D339C02041861973549CFA6E1558F411F11211AA3 11/16/2006 11/16/2026 CN = Go Daddy Secure Certificate Authority - G2 OU = http://certs.godaddy.com/repository/ O = GoDaddy.com, Inc. L = Scottsdale S = Arizona C = US 973A41276FFD01E027A2AAD49E34C37846D3E976FF6A620B6712E33832041AA6 5/3/2011 5/3/2031 serialNumber = 10688435 CN = Starfield Secure Certification Authority OU = http://certificates.starfieldtech.com/repository O = Starfield Technologies, Inc. L = Scottsdale S = Arizona C = US 05A6DB389391DF92E0BE93FDFA4DB1E3CF53903918B8D9D85A9C396CB55DF030 11/16/2006 11/16/2026 CN = Starfield Secure Certificate Authority - G2 OU = http://certs.starfieldtech.com/repository/ O = Starfield Technologies, Inc. L = Scottsdale S = Arizona C = US 93A07898D89B2CCA166BA6F1F8A14138CE43828E491B831926BC8247D391CC72 5/3/2011 5/3/2031
1 Starfield Technologies, LLC 14455 N Hayden Road Scottsdale, Arizona 85260 Starfield Technologies, LLC (“Starfield”), subsidiary of GoDaddy Inc. (“GoDaddy”), operates the Starfield and GoDaddy Certification Authority (“CA”) services for the CAs enumerated in Attachment B in scope for SSL Baseline Requirements and Network Security Requirements and provides SSL CA services. Starfield management has assessed its disclosures of its certificate practices and controls over its SSL CA services. Based on that assessment, in providing its SSL CA services at Arizona and Virginia, in the United States of America, throughout the period July 1, 2019 to June 30, 2020, Starfield has: x disclosed its SSL certificate lifecycle management business practices in the applicable versions of its Starfield Technologies, LLC Certificate Policy and Certification Practice Statement (“CP/CPS”) enumerated in Attachment A, including its commitment to provide SSL certificates in conformity with the CA/Browser Forum Requirements on its repository, and provided such services in accordance with its disclosed practices x maintained effective controls to provide reasonable assurance that: o the integrity of keys and SSL certificates it manages is established and protected throughout their lifecycles; and o SSL subscriber information is properly authenticated x maintained effective controls to provide reasonable assurance that: o logical and physical access to CA systems and data is restricted to authorized individuals; o the continuity of key and certificate management operations is maintained; and o CA systems development, maintenance, and operations are properly authorized and performed to maintain CA systems integrity x maintained effective controls to provide reasonable assurance that it meets the Network and Certificate System Security Requirements as set forth by the CA/Browser Forum based on the WebTrust Principles and Criteria for Certification Authorities – SSL Baseline with Network Security v2.4.1. ______________________________________________ Todd Redfoot Chief Privacy & Risk Officer Starfield Technologies, LLC August 6, 2020
2 ATTACHMENT A – CERTIFICATION PRACTICE STATEMENT AND CERTIFICATE POLICY VERSIONS IN-SCOPE Policy Name Policy Version Policy Date Starfield Technologies, LLC Certificate Policy and Certification Practice Statement Version 4.4 June 19, 2020 Starfield Technologies, LLC Certificate Policy and Certification Practice Statement Version 4.3 May 26, 2020 Starfield Technologies, LLC Certificate Policy and Certification Practice Statement Version 4.2 March 27, 2020 Starfield Technologies, LLC Certificate Policy and Certification Practice Statement Version 4.1 May 21, 2019

Recommended

RapidSSL Certificate Security for Your Website | RapidSSLOnline
RapidSSL Certificate Security for Your Website | RapidSSLOnlineRapidSSL Certificate Security for Your Website | RapidSSLOnline
RapidSSL Certificate Security for Your Website | RapidSSLOnline
RapidSSLOnline.com
 
Trackment
TrackmentTrackment
Trackment
meaannn
 
The Challenges of Online Trust
The Challenges of Online TrustThe Challenges of Online Trust
The Challenges of Online Trust
Alex Todd
 
Navigating the SOC 2 Certification Maze: What You Need to Know
Navigating the SOC 2 Certification Maze: What You Need to KnowNavigating the SOC 2 Certification Maze: What You Need to Know
Navigating the SOC 2 Certification Maze: What You Need to Know
ShyamMishra72
 
DFARS & CMMC Overview
DFARS & CMMC Overview DFARS & CMMC Overview
DFARS & CMMC Overview
Ignyte Assurance Platform
 
Implementing and Auditing GDPR Series (9 of 10)
Implementing and Auditing GDPR Series (9 of 10) Implementing and Auditing GDPR Series (9 of 10)
Implementing and Auditing GDPR Series (9 of 10)
Jim Kaplan CIA CFE
 
IRJET- Keep It – A System to Store Certificates and Develop a Profile
IRJET- Keep It – A System to Store Certificates and Develop a ProfileIRJET- Keep It – A System to Store Certificates and Develop a Profile
IRJET- Keep It – A System to Store Certificates and Develop a Profile
IRJET Journal
 
Veteran Owned Small Business Program Overview
Veteran Owned Small Business Program OverviewVeteran Owned Small Business Program Overview
Veteran Owned Small Business Program Overview
Maria Asuelimen, MBA
 

Recommended

RapidSSL Certificate Security for Your Website | RapidSSLOnline
RapidSSL Certificate Security for Your Website | RapidSSLOnlineRapidSSL Certificate Security for Your Website | RapidSSLOnline
RapidSSL Certificate Security for Your Website | RapidSSLOnline
RapidSSLOnline.com
 
Trackment
TrackmentTrackment
Trackment
meaannn
 
The Challenges of Online Trust
The Challenges of Online TrustThe Challenges of Online Trust
The Challenges of Online Trust
Alex Todd
 
Navigating the SOC 2 Certification Maze: What You Need to Know
Navigating the SOC 2 Certification Maze: What You Need to KnowNavigating the SOC 2 Certification Maze: What You Need to Know
Navigating the SOC 2 Certification Maze: What You Need to Know
ShyamMishra72
 
DFARS & CMMC Overview
DFARS & CMMC Overview DFARS & CMMC Overview
DFARS & CMMC Overview
Ignyte Assurance Platform
 
Implementing and Auditing GDPR Series (9 of 10)
Implementing and Auditing GDPR Series (9 of 10) Implementing and Auditing GDPR Series (9 of 10)
Implementing and Auditing GDPR Series (9 of 10)
Jim Kaplan CIA CFE
 
IRJET- Keep It – A System to Store Certificates and Develop a Profile
IRJET- Keep It – A System to Store Certificates and Develop a ProfileIRJET- Keep It – A System to Store Certificates and Develop a Profile
IRJET- Keep It – A System to Store Certificates and Develop a Profile
IRJET Journal
 
Veteran Owned Small Business Program Overview
Veteran Owned Small Business Program OverviewVeteran Owned Small Business Program Overview
Veteran Owned Small Business Program Overview
Maria Asuelimen, MBA
 
Kantara webinar 800 63-3 approval 2020-07-15
Kantara webinar 800 63-3 approval 2020-07-15Kantara webinar 800 63-3 approval 2020-07-15
Kantara webinar 800 63-3 approval 2020-07-15
kantarainitiative
 
EPISODE 1 | Security Wars: A New Goal: CMMC Compliance & Department of Defens...
EPISODE 1 | Security Wars: A New Goal: CMMC Compliance & Department of Defens...EPISODE 1 | Security Wars: A New Goal: CMMC Compliance & Department of Defens...
EPISODE 1 | Security Wars: A New Goal: CMMC Compliance & Department of Defens...
Rea & Associates
 
PCI Certificate of Compliance 2014
PCI Certificate of Compliance 2014PCI Certificate of Compliance 2014
PCI Certificate of Compliance 2014
Richard Beaton
 
Cyber Security Certifications.pdf
Cyber Security Certifications.pdfCyber Security Certifications.pdf
Cyber Security Certifications.pdf
roguelogics
 
About SOC 2 Compliance
About SOC 2 Compliance About SOC 2 Compliance
About SOC 2 Compliance
roguelogics
 
About SOC 2 Compliance
About SOC 2 Compliance About SOC 2 Compliance
About SOC 2 Compliance
roguelogics
 
How South Dakota's BIT defends against cyber threats
How South Dakota's BIT defends against cyber threatsHow South Dakota's BIT defends against cyber threats
How South Dakota's BIT defends against cyber threats
Elasticsearch
 
The Global Fight for Internet Trust
The Global Fight for Internet TrustThe Global Fight for Internet Trust
The Global Fight for Internet Trust
PECB
 
Information security diligence issue 4.5
Information security diligence issue 4.5 Information security diligence issue 4.5
Information security diligence issue 4.5
Reward Gateway
 
Score Report CCNA
Score Report CCNAScore Report CCNA
Score Report CCNA
Md. Safayetul Islam Shipu
 
The CMMC Has Arrived. Are You Ready?
The CMMC Has Arrived. Are You Ready?The CMMC Has Arrived. Are You Ready?
The CMMC Has Arrived. Are You Ready?
Unanet
 
Demystifying SOC 2 Certification: What You Need to Know
Demystifying SOC 2 Certification: What You Need to KnowDemystifying SOC 2 Certification: What You Need to Know
Demystifying SOC 2 Certification: What You Need to Know
ShyamMishra72
 
PACE-IT, Security+ 6.3: Introduction to Public Key Infrastructure (part 2)
PACE-IT, Security+ 6.3: Introduction to Public Key Infrastructure (part 2)PACE-IT, Security+ 6.3: Introduction to Public Key Infrastructure (part 2)
PACE-IT, Security+ 6.3: Introduction to Public Key Infrastructure (part 2)
Pace IT at Edmonds Community College
 
Draganfly Deck January 2022
Draganfly Deck January 2022Draganfly Deck January 2022
Draganfly Deck January 2022
RedChip Companies, Inc.
 
Comptia security-sy0-401
Comptia security-sy0-401Comptia security-sy0-401
Comptia security-sy0-401
pgupta101
 
Kantara webinar 800 63-3 approval 2020-07-15
Kantara webinar 800 63-3 approval 2020-07-15Kantara webinar 800 63-3 approval 2020-07-15
Kantara webinar 800 63-3 approval 2020-07-15
kantarainitiative
 
3rd Party Risk Assessments
3rd Party Risk Assessments3rd Party Risk Assessments
3rd Party Risk Assessments
Moey
 
100-101 823 clen
100-101 823 clen100-101 823 clen
100-101 823 clen
RONALD GRIMES
 
Symantec Investor Presentation November 2016
Symantec Investor Presentation November 2016Symantec Investor Presentation November 2016
Symantec Investor Presentation November 2016
InvestorSymantec
 
SOC Certification.pdf
SOC Certification.pdfSOC Certification.pdf
SOC Certification.pdf
SIS Certifications Pvt Ltd
 
Imagens esperançosas de2015 151213142241
Imagens esperançosas de2015 151213142241Imagens esperançosas de2015 151213142241
Imagens esperançosas de2015 151213142241
Sirlei de Fatima Barreiro Jabali
 
Apidays19 200125062048
Apidays19 200125062048Apidays19 200125062048
Apidays19 200125062048
Sirlei de Fatima Barreiro Jabali
 

More Related Content

Similar to Starfield wtbr indp acct opinião e mgmt afirmação final junho 2020

EPISODE 1 | Security Wars: A New Goal: CMMC Compliance & Department of Defens...
EPISODE 1 | Security Wars: A New Goal: CMMC Compliance & Department of Defens...EPISODE 1 | Security Wars: A New Goal: CMMC Compliance & Department of Defens...
EPISODE 1 | Security Wars: A New Goal: CMMC Compliance & Department of Defens...
Rea & Associates
 
PCI Certificate of Compliance 2014
PCI Certificate of Compliance 2014PCI Certificate of Compliance 2014
PCI Certificate of Compliance 2014
Richard Beaton
 
The CMMC Has Arrived. Are You Ready?
The CMMC Has Arrived. Are You Ready?The CMMC Has Arrived. Are You Ready?
The CMMC Has Arrived. Are You Ready?
Unanet
 
Draganfly Deck January 2022
Draganfly Deck January 2022Draganfly Deck January 2022
Draganfly Deck January 2022
RedChip Companies, Inc.
 
3rd Party Risk Assessments
3rd Party Risk Assessments3rd Party Risk Assessments
3rd Party Risk Assessments
Moey
 

Similar to Starfield wtbr indp acct opinião e mgmt afirmação final junho 2020 (20)

Kantara webinar 800 63-3 approval 2020-07-15
Kantara webinar 800 63-3 approval 2020-07-15Kantara webinar 800 63-3 approval 2020-07-15
Kantara webinar 800 63-3 approval 2020-07-15
 
EPISODE 1 | Security Wars: A New Goal: CMMC Compliance & Department of Defens...
EPISODE 1 | Security Wars: A New Goal: CMMC Compliance & Department of Defens...EPISODE 1 | Security Wars: A New Goal: CMMC Compliance & Department of Defens...
EPISODE 1 | Security Wars: A New Goal: CMMC Compliance & Department of Defens...
 
PCI Certificate of Compliance 2014
PCI Certificate of Compliance 2014PCI Certificate of Compliance 2014
PCI Certificate of Compliance 2014
 
Cyber Security Certifications.pdf
Cyber Security Certifications.pdfCyber Security Certifications.pdf
Cyber Security Certifications.pdf
 
About SOC 2 Compliance
About SOC 2 Compliance About SOC 2 Compliance
About SOC 2 Compliance
 
About SOC 2 Compliance
About SOC 2 Compliance About SOC 2 Compliance
About SOC 2 Compliance
 
How South Dakota's BIT defends against cyber threats
How South Dakota's BIT defends against cyber threatsHow South Dakota's BIT defends against cyber threats
How South Dakota's BIT defends against cyber threats
 
The Global Fight for Internet Trust
The Global Fight for Internet TrustThe Global Fight for Internet Trust
The Global Fight for Internet Trust
 
Information security diligence issue 4.5
Information security diligence issue 4.5 Information security diligence issue 4.5
Information security diligence issue 4.5
 
Score Report CCNA
Score Report CCNAScore Report CCNA
Score Report CCNA
 
The CMMC Has Arrived. Are You Ready?
The CMMC Has Arrived. Are You Ready?The CMMC Has Arrived. Are You Ready?
The CMMC Has Arrived. Are You Ready?
 
Demystifying SOC 2 Certification: What You Need to Know
Demystifying SOC 2 Certification: What You Need to KnowDemystifying SOC 2 Certification: What You Need to Know
Demystifying SOC 2 Certification: What You Need to Know
 
PACE-IT, Security+ 6.3: Introduction to Public Key Infrastructure (part 2)
PACE-IT, Security+ 6.3: Introduction to Public Key Infrastructure (part 2)PACE-IT, Security+ 6.3: Introduction to Public Key Infrastructure (part 2)
PACE-IT, Security+ 6.3: Introduction to Public Key Infrastructure (part 2)
 
Draganfly Deck January 2022
Draganfly Deck January 2022Draganfly Deck January 2022
Draganfly Deck January 2022
 
Comptia security-sy0-401
Comptia security-sy0-401Comptia security-sy0-401
Comptia security-sy0-401
 
Kantara webinar 800 63-3 approval 2020-07-15
Kantara webinar 800 63-3 approval 2020-07-15Kantara webinar 800 63-3 approval 2020-07-15
Kantara webinar 800 63-3 approval 2020-07-15
 
3rd Party Risk Assessments
3rd Party Risk Assessments3rd Party Risk Assessments
3rd Party Risk Assessments
 
100-101 823 clen
100-101 823 clen100-101 823 clen
100-101 823 clen
 
Symantec Investor Presentation November 2016
Symantec Investor Presentation November 2016Symantec Investor Presentation November 2016
Symantec Investor Presentation November 2016
 
SOC Certification.pdf
SOC Certification.pdfSOC Certification.pdf
SOC Certification.pdf
 

More from Sirlei de Fatima Barreiro Jabali

Microsoft word -_cond._gerais_acidentes_pessoais_contrat_individual_-_final_-...
Microsoft word -_cond._gerais_acidentes_pessoais_contrat_individual_-_final_-...Microsoft word -_cond._gerais_acidentes_pessoais_contrat_individual_-_final_-...
Microsoft word -_cond._gerais_acidentes_pessoais_contrat_individual_-_final_-...
Sirlei de Fatima Barreiro Jabali
 

More from Sirlei de Fatima Barreiro Jabali (20)

Imagens esperançosas de2015 151213142241
Imagens esperançosas de2015 151213142241Imagens esperançosas de2015 151213142241
Imagens esperançosas de2015 151213142241
 
Apidays19 200125062048
Apidays19 200125062048Apidays19 200125062048
Apidays19 200125062048
 
Isvcstillathing final-190204194013
Isvcstillathing final-190204194013Isvcstillathing final-190204194013
Isvcstillathing final-190204194013
 
Theartificialintelligentrush vdef-18102017-171024091237
Theartificialintelligentrush vdef-18102017-171024091237Theartificialintelligentrush vdef-18102017-171024091237
Theartificialintelligentrush vdef-18102017-171024091237
 
Apidays19 200125062048 (1)
Apidays19 200125062048 (1)Apidays19 200125062048 (1)
Apidays19 200125062048 (1)
 
Ai ml-demystified-mwux2017-final-171016011705
Ai ml-demystified-mwux2017-final-171016011705Ai ml-demystified-mwux2017-final-171016011705
Ai ml-demystified-mwux2017-final-171016011705
 
Ol6usznar6ep1hrbnkbq signature-69b8a2529115854f5ef1d60cf111c6e0918e8e42b50824...
Ol6usznar6ep1hrbnkbq signature-69b8a2529115854f5ef1d60cf111c6e0918e8e42b50824...Ol6usznar6ep1hrbnkbq signature-69b8a2529115854f5ef1d60cf111c6e0918e8e42b50824...
Ol6usznar6ep1hrbnkbq signature-69b8a2529115854f5ef1d60cf111c6e0918e8e42b50824...
 
Certificado deconclusao a comunicacao no trabalho em equipe
Certificado deconclusao a comunicacao no trabalho em equipeCertificado deconclusao a comunicacao no trabalho em equipe
Certificado deconclusao a comunicacao no trabalho em equipe
 
Thawte beginners guide_ssl_uk_(1)
Thawte beginners guide_ssl_uk_(1)Thawte beginners guide_ssl_uk_(1)
Thawte beginners guide_ssl_uk_(1)
 
Folderdataprev2016 web
Folderdataprev2016 webFolderdataprev2016 web
Folderdataprev2016 web
 
Primeiros passos com_dropbox
Primeiros passos com_dropboxPrimeiros passos com_dropbox
Primeiros passos com_dropbox
 
Merged document (0612182529) (1)
Merged document (0612182529) (1)Merged document (0612182529) (1)
Merged document (0612182529) (1)
 
Microsoft word -_cond._gerais_acidentes_pessoais_contrat_individual_-_final_-...
Microsoft word -_cond._gerais_acidentes_pessoais_contrat_individual_-_final_-...Microsoft word -_cond._gerais_acidentes_pessoais_contrat_individual_-_final_-...
Microsoft word -_cond._gerais_acidentes_pessoais_contrat_individual_-_final_-...
 
Treasury rule
Treasury ruleTreasury rule
Treasury rule
 
Google privacy policy_pt-br
Google privacy policy_pt-brGoogle privacy policy_pt-br
Google privacy policy_pt-br
 
Primary secondary additional_terms_tou_en_us_20190626
Primary secondary additional_terms_tou_en_us_20190626Primary secondary additional_terms_tou_en_us_20190626
Primary secondary additional_terms_tou_en_us_20190626
 
2019 02-27 nova-previdencia-revisada
2019 02-27 nova-previdencia-revisada2019 02-27 nova-previdencia-revisada
2019 02-27 nova-previdencia-revisada
 
Enviando por email_correspondentes-bancarios(1)
Enviando por email_correspondentes-bancarios(1)Enviando por email_correspondentes-bancarios(1)
Enviando por email_correspondentes-bancarios(1)
 
Resgate do vale_presente_site_cia_toy_11_02_19
Resgate do vale_presente_site_cia_toy_11_02_19Resgate do vale_presente_site_cia_toy_11_02_19
Resgate do vale_presente_site_cia_toy_11_02_19
 
Google privacy policy_pt-br
Google privacy policy_pt-brGoogle privacy policy_pt-br
Google privacy policy_pt-br
 

Recently uploaded

Abortion Pills in Jeddah |+966572737505 | Get Cytotec
Abortion Pills in Jeddah |+966572737505 | Get CytotecAbortion Pills in Jeddah |+966572737505 | Get Cytotec
Abortion Pills in Jeddah |+966572737505 | Get Cytotec
Abortion pills in Riyadh +966572737505 get cytotec
 
Jual Obat Aborsi Samarinda ( No.1 ) 088980685493 Obat Penggugur Kandungan Cy...
Jual Obat Aborsi Samarinda ( No.1 ) 088980685493 Obat Penggugur Kandungan Cy...Jual Obat Aborsi Samarinda ( No.1 ) 088980685493 Obat Penggugur Kandungan Cy...
Jual Obat Aborsi Samarinda ( No.1 ) 088980685493 Obat Penggugur Kandungan Cy...
Obat Aborsi 088980685493 Jual Obat Aborsi
 
怎样办理斯威本科技大学毕业证(SUT毕业证书)成绩单留信认证
怎样办理斯威本科技大学毕业证(SUT毕业证书)成绩单留信认证怎样办理斯威本科技大学毕业证(SUT毕业证书)成绩单留信认证
怎样办理斯威本科技大学毕业证(SUT毕业证书)成绩单留信认证
tufbav
 
Top profile Call Girls In Udgir [ 7014168258 ] Call Me For Genuine Models We ...
Top profile Call Girls In Udgir [ 7014168258 ] Call Me For Genuine Models We ...Top profile Call Girls In Udgir [ 7014168258 ] Call Me For Genuine Models We ...
Top profile Call Girls In Udgir [ 7014168258 ] Call Me For Genuine Models We ...
gajnagarg
 
Mankhurd Call Girls, 09167354423 Mankhurd Escorts Services,Mankhurd Female Es...
Mankhurd Call Girls, 09167354423 Mankhurd Escorts Services,Mankhurd Female Es...Mankhurd Call Girls, 09167354423 Mankhurd Escorts Services,Mankhurd Female Es...
Mankhurd Call Girls, 09167354423 Mankhurd Escorts Services,Mankhurd Female Es...
Priya Reddy
 
🌹Bhubaneswar🌹Odisha❤CALL GIRL 9777949614 ❤CALL GIRLS IN Bhubaneswar ESCORT SE...
🌹Bhubaneswar🌹Odisha❤CALL GIRL 9777949614 ❤CALL GIRLS IN Bhubaneswar ESCORT SE...🌹Bhubaneswar🌹Odisha❤CALL GIRL 9777949614 ❤CALL GIRLS IN Bhubaneswar ESCORT SE...
🌹Bhubaneswar🌹Odisha❤CALL GIRL 9777949614 ❤CALL GIRLS IN Bhubaneswar ESCORT SE...
jabtakhaidam7
 
Abortion Pill for sale in Riyadh ((+918761049707) Get Cytotec in Dammam
Abortion Pill for sale in Riyadh ((+918761049707) Get Cytotec in DammamAbortion Pill for sale in Riyadh ((+918761049707) Get Cytotec in Dammam
Abortion Pill for sale in Riyadh ((+918761049707) Get Cytotec in Dammam
ahmedjiabur940
 
怎样办理维多利亚大学毕业证(UVic毕业证书)成绩单留信认证
怎样办理维多利亚大学毕业证(UVic毕业证书)成绩单留信认证怎样办理维多利亚大学毕业证(UVic毕业证书)成绩单留信认证
怎样办理维多利亚大学毕业证(UVic毕业证书)成绩单留信认证
tufbav
 
一比一维多利亚大学毕业证(victoria毕业证)成绩单学位证如何办理
一比一维多利亚大学毕业证(victoria毕业证)成绩单学位证如何办理一比一维多利亚大学毕业证(victoria毕业证)成绩单学位证如何办理
一比一维多利亚大学毕业证(victoria毕业证)成绩单学位证如何办理
uodye
 
🌹Patia⬅️ Vip Call Girls Bhubaneswar 📱9777949614 Book Well Trand Call Girls In...
🌹Patia⬅️ Vip Call Girls Bhubaneswar 📱9777949614 Book Well Trand Call Girls In...🌹Patia⬅️ Vip Call Girls Bhubaneswar 📱9777949614 Book Well Trand Call Girls In...
🌹Patia⬅️ Vip Call Girls Bhubaneswar 📱9777949614 Book Well Trand Call Girls In...
Call Girls Mumbai
 
一比一定(购)国立南方理工学院毕业证(Southern毕业证)成绩单学位证
一比一定(购)国立南方理工学院毕业证(Southern毕业证)成绩单学位证一比一定(购)国立南方理工学院毕业证(Southern毕业证)成绩单学位证
一比一定(购)国立南方理工学院毕业证(Southern毕业证)成绩单学位证
wpkuukw
 
In Riyadh Saudi Arabia |+966572737505 | Buy Cytotec| Get Abortion pills
In Riyadh Saudi Arabia |+966572737505 | Buy Cytotec| Get Abortion pillsIn Riyadh Saudi Arabia |+966572737505 | Buy Cytotec| Get Abortion pills
In Riyadh Saudi Arabia |+966572737505 | Buy Cytotec| Get Abortion pills
Abortion pills in Riyadh +966572737505 get cytotec
 
如何办理(USYD毕业证书)悉尼大学毕业证成绩单原件一模一样
如何办理(USYD毕业证书)悉尼大学毕业证成绩单原件一模一样如何办理(USYD毕业证书)悉尼大学毕业证成绩单原件一模一样
如何办理(USYD毕业证书)悉尼大学毕业证成绩单原件一模一样
wsppdmt
 
Call Girls in Bhubaneswar (Odisha) call me [🔝 9777949614 🔝] escort service 24X7
Call Girls in Bhubaneswar (Odisha) call me [🔝 9777949614 🔝] escort service 24X7Call Girls in Bhubaneswar (Odisha) call me [🔝 9777949614 🔝] escort service 24X7
Call Girls in Bhubaneswar (Odisha) call me [🔝 9777949614 🔝] escort service 24X7
jabtakhaidam7
 
Buy Abortion pills in Riyadh |+966572737505 | Get Cytotec
Buy Abortion pills in Riyadh |+966572737505 | Get CytotecBuy Abortion pills in Riyadh |+966572737505 | Get Cytotec
Buy Abortion pills in Riyadh |+966572737505 | Get Cytotec
Abortion pills in Riyadh +966572737505 get cytotec
 
Lucknow Call Girls U.P 👉👉 0000000000 Top Class Call Girl Service Available
Lucknow Call Girls U.P 👉👉 0000000000 Top Class Call Girl Service AvailableLucknow Call Girls U.P 👉👉 0000000000 Top Class Call Girl Service Available
Lucknow Call Girls U.P 👉👉 0000000000 Top Class Call Girl Service Available
jabtakhaidam7
 
一比一原版(Otago毕业证书)奥塔哥理工学院毕业证成绩单学位证靠谱定制
一比一原版(Otago毕业证书)奥塔哥理工学院毕业证成绩单学位证靠谱定制一比一原版(Otago毕业证书)奥塔哥理工学院毕业证成绩单学位证靠谱定制
一比一原版(Otago毕业证书)奥塔哥理工学院毕业证成绩单学位证靠谱定制
uodye
 
Top profile Call Girls In Palghar [ 7014168258 ] Call Me For Genuine Models W...
Top profile Call Girls In Palghar [ 7014168258 ] Call Me For Genuine Models W...Top profile Call Girls In Palghar [ 7014168258 ] Call Me For Genuine Models W...
Top profile Call Girls In Palghar [ 7014168258 ] Call Me For Genuine Models W...
gajnagarg
 
Contact +971581248768 to buy 100% original and safe abortion pills in Dubai a...
Contact +971581248768 to buy 100% original and safe abortion pills in Dubai a...Contact +971581248768 to buy 100% original and safe abortion pills in Dubai a...
Contact +971581248768 to buy 100% original and safe abortion pills in Dubai a...
DUBAI (+971)581248768 BUY ABORTION PILLS IN ABU dhabi...Qatar
 

Recently uploaded (20)

Abortion Pills in Jeddah |+966572737505 | Get Cytotec
Abortion Pills in Jeddah |+966572737505 | Get CytotecAbortion Pills in Jeddah |+966572737505 | Get Cytotec
Abortion Pills in Jeddah |+966572737505 | Get Cytotec
 
Jual Obat Aborsi Samarinda ( No.1 ) 088980685493 Obat Penggugur Kandungan Cy...
Jual Obat Aborsi Samarinda ( No.1 ) 088980685493 Obat Penggugur Kandungan Cy...Jual Obat Aborsi Samarinda ( No.1 ) 088980685493 Obat Penggugur Kandungan Cy...
Jual Obat Aborsi Samarinda ( No.1 ) 088980685493 Obat Penggugur Kandungan Cy...
 
怎样办理斯威本科技大学毕业证(SUT毕业证书)成绩单留信认证
怎样办理斯威本科技大学毕业证(SUT毕业证书)成绩单留信认证怎样办理斯威本科技大学毕业证(SUT毕业证书)成绩单留信认证
怎样办理斯威本科技大学毕业证(SUT毕业证书)成绩单留信认证
 
Top profile Call Girls In Udgir [ 7014168258 ] Call Me For Genuine Models We ...
Top profile Call Girls In Udgir [ 7014168258 ] Call Me For Genuine Models We ...Top profile Call Girls In Udgir [ 7014168258 ] Call Me For Genuine Models We ...
Top profile Call Girls In Udgir [ 7014168258 ] Call Me For Genuine Models We ...
 
Mankhurd Call Girls, 09167354423 Mankhurd Escorts Services,Mankhurd Female Es...
Mankhurd Call Girls, 09167354423 Mankhurd Escorts Services,Mankhurd Female Es...Mankhurd Call Girls, 09167354423 Mankhurd Escorts Services,Mankhurd Female Es...
Mankhurd Call Girls, 09167354423 Mankhurd Escorts Services,Mankhurd Female Es...
 
🌹Bhubaneswar🌹Odisha❤CALL GIRL 9777949614 ❤CALL GIRLS IN Bhubaneswar ESCORT SE...
🌹Bhubaneswar🌹Odisha❤CALL GIRL 9777949614 ❤CALL GIRLS IN Bhubaneswar ESCORT SE...🌹Bhubaneswar🌹Odisha❤CALL GIRL 9777949614 ❤CALL GIRLS IN Bhubaneswar ESCORT SE...
🌹Bhubaneswar🌹Odisha❤CALL GIRL 9777949614 ❤CALL GIRLS IN Bhubaneswar ESCORT SE...
 
Abortion Pill for sale in Riyadh ((+918761049707) Get Cytotec in Dammam
Abortion Pill for sale in Riyadh ((+918761049707) Get Cytotec in DammamAbortion Pill for sale in Riyadh ((+918761049707) Get Cytotec in Dammam
Abortion Pill for sale in Riyadh ((+918761049707) Get Cytotec in Dammam
 
怎样办理维多利亚大学毕业证(UVic毕业证书)成绩单留信认证
怎样办理维多利亚大学毕业证(UVic毕业证书)成绩单留信认证怎样办理维多利亚大学毕业证(UVic毕业证书)成绩单留信认证
怎样办理维多利亚大学毕业证(UVic毕业证书)成绩单留信认证
 
一比一维多利亚大学毕业证(victoria毕业证)成绩单学位证如何办理
一比一维多利亚大学毕业证(victoria毕业证)成绩单学位证如何办理一比一维多利亚大学毕业证(victoria毕业证)成绩单学位证如何办理
一比一维多利亚大学毕业证(victoria毕业证)成绩单学位证如何办理
 
🌹Patia⬅️ Vip Call Girls Bhubaneswar 📱9777949614 Book Well Trand Call Girls In...
🌹Patia⬅️ Vip Call Girls Bhubaneswar 📱9777949614 Book Well Trand Call Girls In...🌹Patia⬅️ Vip Call Girls Bhubaneswar 📱9777949614 Book Well Trand Call Girls In...
🌹Patia⬅️ Vip Call Girls Bhubaneswar 📱9777949614 Book Well Trand Call Girls In...
 
一比一定(购)国立南方理工学院毕业证(Southern毕业证)成绩单学位证
一比一定(购)国立南方理工学院毕业证(Southern毕业证)成绩单学位证一比一定(购)国立南方理工学院毕业证(Southern毕业证)成绩单学位证
一比一定(购)国立南方理工学院毕业证(Southern毕业证)成绩单学位证
 
In Riyadh Saudi Arabia |+966572737505 | Buy Cytotec| Get Abortion pills
In Riyadh Saudi Arabia |+966572737505 | Buy Cytotec| Get Abortion pillsIn Riyadh Saudi Arabia |+966572737505 | Buy Cytotec| Get Abortion pills
In Riyadh Saudi Arabia |+966572737505 | Buy Cytotec| Get Abortion pills
 
如何办理(USYD毕业证书)悉尼大学毕业证成绩单原件一模一样
如何办理(USYD毕业证书)悉尼大学毕业证成绩单原件一模一样如何办理(USYD毕业证书)悉尼大学毕业证成绩单原件一模一样
如何办理(USYD毕业证书)悉尼大学毕业证成绩单原件一模一样
 
Call Girls in Bhubaneswar (Odisha) call me [🔝 9777949614 🔝] escort service 24X7
Call Girls in Bhubaneswar (Odisha) call me [🔝 9777949614 🔝] escort service 24X7Call Girls in Bhubaneswar (Odisha) call me [🔝 9777949614 🔝] escort service 24X7
Call Girls in Bhubaneswar (Odisha) call me [🔝 9777949614 🔝] escort service 24X7
 
Buy Abortion pills in Riyadh |+966572737505 | Get Cytotec
Buy Abortion pills in Riyadh |+966572737505 | Get CytotecBuy Abortion pills in Riyadh |+966572737505 | Get Cytotec
Buy Abortion pills in Riyadh |+966572737505 | Get Cytotec
 
Lucknow Call Girls U.P 👉👉 0000000000 Top Class Call Girl Service Available
Lucknow Call Girls U.P 👉👉 0000000000 Top Class Call Girl Service AvailableLucknow Call Girls U.P 👉👉 0000000000 Top Class Call Girl Service Available
Lucknow Call Girls U.P 👉👉 0000000000 Top Class Call Girl Service Available
 
一比一原版(Otago毕业证书)奥塔哥理工学院毕业证成绩单学位证靠谱定制
一比一原版(Otago毕业证书)奥塔哥理工学院毕业证成绩单学位证靠谱定制一比一原版(Otago毕业证书)奥塔哥理工学院毕业证成绩单学位证靠谱定制
一比一原版(Otago毕业证书)奥塔哥理工学院毕业证成绩单学位证靠谱定制
 
Shimoga Escorts Service Girl ^ 9332606886, WhatsApp Anytime Shimoga
Shimoga Escorts Service Girl ^ 9332606886, WhatsApp Anytime ShimogaShimoga Escorts Service Girl ^ 9332606886, WhatsApp Anytime Shimoga
Shimoga Escorts Service Girl ^ 9332606886, WhatsApp Anytime Shimoga
 
Top profile Call Girls In Palghar [ 7014168258 ] Call Me For Genuine Models W...
Top profile Call Girls In Palghar [ 7014168258 ] Call Me For Genuine Models W...Top profile Call Girls In Palghar [ 7014168258 ] Call Me For Genuine Models W...
Top profile Call Girls In Palghar [ 7014168258 ] Call Me For Genuine Models W...
 
Contact +971581248768 to buy 100% original and safe abortion pills in Dubai a...
Contact +971581248768 to buy 100% original and safe abortion pills in Dubai a...Contact +971581248768 to buy 100% original and safe abortion pills in Dubai a...
Contact +971581248768 to buy 100% original and safe abortion pills in Dubai a...
 

Starfield wtbr indp acct opinião e mgmt afirmação final junho 2020

  • 1. BDO USA, LLP, a Delaware limited liability partnership, is the U.S. member of BDO International Limited, a UK company limited by guarantee, and forms part of the international BDO network of independent member firms. BDO is the brand name for the BDO network and for each of the BDO Member Firms. 101 S Hanley Rd, #800 St. Louis, MO 63105 Tel: 314-889-1100 Fax: 314-889-1101 www.bdo.com REPORT OF THE INDEPENDENT ACCOUNTANT To the management of Starfield Technologies, LLC (“Starfield”): We have examined Starfield, subsidiary of GoDaddy Inc. (“GoDaddy”), management’s assertion that for its Starfield and GoDaddy Certification Authority (“CA”) operations at Arizona and Virginia, in the United States of America, throughout the period July 1, 2019 to June 30, 2020 for the CAs enumerated in Attachment B in scope for SSL Baseline Requirements and Network Security Requirements, Starfield has: • disclosed its SSL certificate lifecycle management business practices in the applicable versions of its Starfield Certificate Policy and Certification Practice Statement (“CP/CPS”) enumerated in Attachment A, including its commitment to provide SSL certificates in conformity with the CA/Browser Forum Requirements on its repository, and provided such services in accordance with its disclosed practices • maintained effective controls to provide reasonable assurance that: o the integrity of keys and SSL certificates it manages is established and protected throughout their lifecycles; and o SSL subscriber information is properly authenticated • maintained effective controls to provide reasonable assurance that: o logical and physical access to CA systems and data is restricted to authorized individuals; o the continuity of key and certificate management operations is maintained; and o CA systems development, maintenance, and operations are properly authorized and performed to maintain CA systems integrity • maintained effective controls to provide reasonable assurance that it meets the Network and Certificate System Security Requirements as set forth by the CA/Browser Forum based on the WebTrust Principles and Criteria for Certification Authorities – SSL Baseline with Network Security v2.4.1. Starfield’s management is responsible for its assertion. Our responsibility is to express an opinion on management’s assertion based on our examination. The relative effectiveness and significance of specific controls at Starfield and their effect on assessments of control risk for subscribers and relying parties are dependent on their interaction with the controls and other factors present at individual subscriber and relying party locations. Our examination did not extend to controls at individual subscriber and relying party locations and we have not evaluated the effectiveness of such controls.
  • 2. 2 Our examination was conducted in accordance with attestation standards established by the American Institute of Certified Public Accountants. Those standards require that we plan and perform the examination to obtain reasonable assurance about whether management’s assertion is fairly stated, in all material respects. An examination involves performing procedures to obtain evidence about management’s assertion. The nature, timing, and extent of the procedures selected depend on our judgment, including an assessment of the risks of material misstatement of management’s assertion, whether due to fraud or error. We believe that the evidence we obtained is sufficient and appropriate to provide a reasonable basis for our opinion. Because of the nature and inherent limitations of controls, Starfield’s ability to meet the aforementioned criteria may be affected. For example, controls may not prevent, or detect and correct, error, fraud, unauthorized access to systems and information, or failure to comply with internal and external policies or requirements. Also, the projection of any conclusions based on our findings to future periods is subject to the risk that changes may alter the validity of such conclusions. In our opinion management’s assertion, as referred to above, is fairly stated, in all material respects. Without modifying our opinion, we noted the following other matters during our procedures: Matter Topic Matter 1 Certificate Validation Starfield disclosed in Mozilla Bug #1605804 that their registration authority (RA) system issued 16 DV/OV SSL and 19 EV SSL certificates using domain validation evidence older than allowed by the Baseline Requirements. Starfield revoked all 35 certificates in accordance with the timelines set by the Baseline Requirements. Starfield disclosed in Mozilla Bug #1646226 that its 3% self- audit discovered a bug in their RA system that caused documents used for organization validation to be re-used for longer than the timelines allowed by the Baseline Requirements. This impacted 396 OV SSL certificates. Starfield disclosed in Mozilla Bug #1647030 that when it updated the RA system's BR validation process from 3.2.2.4.6 to 3.2.2.4.18, an improper change was implemented, which resulted in sub-domains being improperly considered validated. Starfield investigated and discovered 454 SSL certificates were impacted and revoked in accordance with the timelines set by the Baseline Requirements. 2 CRL Publication Starfield disclosed in Mozilla Bug #1645832 that during system upgrades, a CRL publishing node was taken down and not properly brought up again. During the system upgrade, monitoring alarms were suppressed and the issue was not discovered until after the existing CRLs expired.
  • 3. 3 Matter Topic Matter 3 Certificate Revocation Starfield disclosed in Mozilla Bug #1639798 and Mozilla Bug #1640310 that it received 14 notices of Subscriber certificate key compromises that took longer than 24 hours after receipt to revoke in violation of the Baseline Requirement. This report does not include any representation as to the quality of Starfield’s services other than its CA operations at Arizona and Virginia, in the United States of America, nor the suitability of any of Starfield’s services for any customer's intended purpose. The World Health Organization classified the COVID-19 outbreak as a pandemic in March 2020. Based on the rapid increase in exposure globally, the gravity or length of the impact of the COVID-19 outbreak cannot be estimated at this time. Starfield’s use of the WebTrust for Certification Authorities – SSL Baseline with Network Security Seal constitutes a symbolic representation of the contents of this report and it is not intended, nor should it be construed, to update this report or provide any additional assurance. August 6, 2020
  • 4. 4 ATTACHMENT A – CERTIFICATION PRACTICE STATEMENT AND CERTIFICATE POLICY VERSIONS IN-SCOPE Policy Name Policy Version Policy Date Starfield Technologies, LLC Certificate Policy and Certification Practice Statement Version 4.4 June 19, 2020 Starfield Technologies, LLC Certificate Policy and Certification Practice Statement Version 4.3 May 26, 2020 Starfield Technologies, LLC Certificate Policy and Certification Practice Statement Version 4.2 March 27, 2020 Starfield Technologies, LLC Certificate Policy and Certification Practice Statement Version 4.1 May 21, 2019
  • 5. 5 ATTACHMENT B – IN-SCOPE CAs FOR SSL BASELINE REQUIREMENTS AND NETWORK SECURITY REQUIREMENTS Root CAs Subject SHA2 Thumbprint Valid From Valid To OU = Go Daddy Class 2 Certification Authority O = The Go Daddy Group, Inc. C = US C3846BF24B9E93CA64274C0EC67C1ECC5E024FFCACD2D74019350E81FE546AE4 6/29/2004 6/29/2034 CN = Go Daddy Root Certificate Authority - G2 O = GoDaddy.com, Inc. L = Scottsdale S = Arizona C = US 45140B3247EB9CC8C5B4F0D7B53091F73292089E6E5A63E2749DD3ACA9198EDA 9/1/2009 12/31/2037 OU = Starfield Class 2 Certification Authority O = Starfield Technologies, Inc. C = US 1465FA205397B876FAA6F0A9958E5590E40FCC7FAA4FB7C2C8677521FB5FB658 6/29/2004 6/29/2034 CN = Starfield Root Certificate Authority - G2 O = Starfield Technologies, Inc. L = Scottsdale S = Arizona C = US 2CE1CB0BF9D2F9E102993FBE215152C3B2DD0CABDE1C68E5319B839154DBB7F5 9/1/2009 12/31/2037 CN = Starfield Services Root Certificate OU = http://certificates.starfieldtech.com/repository/ O = Starfield Technologies, Inc. L = Scottsdale S = Arizona C = US B5BD2CB79CBD1907298D6BDF4842E516D8C78FA6FC96D25F71AF814E16CC245E 6/2/2008 12/31/2029
  • 6. 6 Cross-Signed Roots Subject SHA2 Thumbprint Valid From Valid To CN = Go Daddy Root Certificate Authority - G2 O = GoDaddy.com, Inc. L = Scottsdale S = Arizona C = US 3A2FBE92891E57FE05D57087F48E730F17E5A5F53EF403D618E5B74D7A7E6ECB 1/1/2014 5/30/2031 CN = Go Daddy Root Certificate Authority - G2 OU = https://certs.godaddy.com/repository/ O = GoDaddy.com, Inc. L = Scottsdale S = Arizona C = US 9BF58967545996194512DB6177151AFE99706AEA3DA36FEEE7AD9F8B3C0507CB 5/3/2011 5/3/2031 CN = Starfield Root Certificate Authority - G2 O = Starfield Technologies, Inc. L = Scottsdale S = Arizona C = US 9F43D52E808C20AFF69E02FAAC205AAC684E6975213D6620FAC64BDE5FCAB4BC 1/1/2014 5/30/2031 CN = Starfield Root Certificate Authority - G2 OU = https://certs.starfieldtech.com/repository/ O = Starfield Technologies, Inc. L = Scottsdale S = Arizona C = US 454040E4969070401CC35BDF7F2A4EBCE5797BB7694AE731D93A8115FD59929C 5/3/2011 5/3/2031 CN = Starfield Services Root Certificate Authority - G2 O = Starfield Technologies, Inc. L = Scottsdale S = Arizona C = US EB159C922A3FC2191475CA20A53816D87A38A1A79A7264789193D2F1F750E85E 1/1/2014 5/30/2031 CN = Starfield Services Root Certificate Authority - G2 OU = https://certs.starfieldtech.com/repository/ O = Starfield Technologies, Inc. L = Scottsdale S = Arizona C = US A24B9440F9FCBEBB48C274C03DE7D24C5ED1CA59D2D362F29ED3B457762C75BB 5/3/2011 5/3/2031
  • 7. 7 Cross-Signed Roots Subject SHA2 Thumbprint Valid From Valid To CN = Starfield Services Root Certificate Authority - G2 O = Starfield Technologies, Inc. L = Scottsdale S = Arizona C = US 2D12B619A660CEFB013271831D891213FC434E982A21568256CF4E2E86324BEA 8/30/2009 6/28/2034 CN = Starfield Services Root Certificate Authority - G2 O = Starfield Technologies, Inc. L = Scottsdale S = Arizona C = US 28689B30E4C306AAB53B027B29E36AD6DD1DCF4B953994482CA84BDC1ECAC996 9/2/2009 6/28/2034
  • 8. 8 Intermediate CAs Subject SHA2 Thumbprint Valid From Valid To serialNumber = 07969287 CN = Go Daddy Secure Certification Authority OU = http://certificates.godaddy.com/repository O = GoDaddy.com, Inc. L = Scottsdale S = Arizona C = US 09ED6E991FC3273D8FEA317D339C02041861973549CFA6E1558F411F11211AA3 11/16/2006 11/16/2026 CN = Go Daddy Secure Certificate Authority - G2 OU = http://certs.godaddy.com/repository/ O = GoDaddy.com, Inc. L = Scottsdale S = Arizona C = US 973A41276FFD01E027A2AAD49E34C37846D3E976FF6A620B6712E33832041AA6 5/3/2011 5/3/2031 serialNumber = 10688435 CN = Starfield Secure Certification Authority OU = http://certificates.starfieldtech.com/repository O = Starfield Technologies, Inc. L = Scottsdale S = Arizona C = US 05A6DB389391DF92E0BE93FDFA4DB1E3CF53903918B8D9D85A9C396CB55DF030 11/16/2006 11/16/2026 CN = Starfield Secure Certificate Authority - G2 OU = http://certs.starfieldtech.com/repository/ O = Starfield Technologies, Inc. L = Scottsdale S = Arizona C = US 93A07898D89B2CCA166BA6F1F8A14138CE43828E491B831926BC8247D391CC72 5/3/2011 5/3/2031
  • 9. 1 Starfield Technologies, LLC 14455 N Hayden Road Scottsdale, Arizona 85260 Starfield Technologies, LLC (“Starfield”), subsidiary of GoDaddy Inc. (“GoDaddy”), operates the Starfield and GoDaddy Certification Authority (“CA”) services for the CAs enumerated in Attachment B in scope for SSL Baseline Requirements and Network Security Requirements and provides SSL CA services. Starfield management has assessed its disclosures of its certificate practices and controls over its SSL CA services. Based on that assessment, in providing its SSL CA services at Arizona and Virginia, in the United States of America, throughout the period July 1, 2019 to June 30, 2020, Starfield has: x disclosed its SSL certificate lifecycle management business practices in the applicable versions of its Starfield Technologies, LLC Certificate Policy and Certification Practice Statement (“CP/CPS”) enumerated in Attachment A, including its commitment to provide SSL certificates in conformity with the CA/Browser Forum Requirements on its repository, and provided such services in accordance with its disclosed practices x maintained effective controls to provide reasonable assurance that: o the integrity of keys and SSL certificates it manages is established and protected throughout their lifecycles; and o SSL subscriber information is properly authenticated x maintained effective controls to provide reasonable assurance that: o logical and physical access to CA systems and data is restricted to authorized individuals; o the continuity of key and certificate management operations is maintained; and o CA systems development, maintenance, and operations are properly authorized and performed to maintain CA systems integrity x maintained effective controls to provide reasonable assurance that it meets the Network and Certificate System Security Requirements as set forth by the CA/Browser Forum based on the WebTrust Principles and Criteria for Certification Authorities – SSL Baseline with Network Security v2.4.1. ______________________________________________ Todd Redfoot Chief Privacy & Risk Officer Starfield Technologies, LLC August 6, 2020
  • 10.
  • 11.
  • 12.
  • 13. 2 ATTACHMENT A – CERTIFICATION PRACTICE STATEMENT AND CERTIFICATE POLICY VERSIONS IN-SCOPE Policy Name Policy Version Policy Date Starfield Technologies, LLC Certificate Policy and Certification Practice Statement Version 4.4 June 19, 2020 Starfield Technologies, LLC Certificate Policy and Certification Practice Statement Version 4.3 May 26, 2020 Starfield Technologies, LLC Certificate Policy and Certification Practice Statement Version 4.2 March 27, 2020 Starfield Technologies, LLC Certificate Policy and Certification Practice Statement Version 4.1 May 21, 2019
  • 14.
  • 15.
  • 16.
  • 17. 3 ATTACHMENT B – IN-SCOPE CAs FOR SSL BASELINE REQUIREMENTS AND NETWORK SECURITY REQUIREMENTS Root CAs Subject SHA2 Thumbprint Valid From Valid To OU = Go Daddy Class 2 Certification Authority O = The Go Daddy Group, Inc. C = US C3846BF24B9E93CA64274C0EC67C1ECC5E024FFCACD2D74019350E81FE546AE4 6/29/2004 6/29/2034 CN = Go Daddy Root Certificate Authority - G2 O = GoDaddy.com, Inc. L = Scottsdale S = Arizona C = US 45140B3247EB9CC8C5B4F0D7B53091F73292089E6E5A63E2749DD3ACA9198EDA 9/1/2009 12/31/2037 OU = Starfield Class 2 Certification Authority O = Starfield Technologies, Inc. C = US 1465FA205397B876FAA6F0A9958E5590E40FCC7FAA4FB7C2C8677521FB5FB658 6/29/2004 6/29/2034 CN = Starfield Root Certificate Authority - G2 O = Starfield Technologies, Inc. L = Scottsdale S = Arizona C = US 2CE1CB0BF9D2F9E102993FBE215152C3B2DD0CABDE1C68E5319B839154DBB7F5 9/1/2009 12/31/2037 CN = Starfield Services Root Certificate OU = http://certificates.starfieldtech.com/repository/ O = Starfield Technologies, Inc. L = Scottsdale S = Arizona C = US B5BD2CB79CBD1907298D6BDF4842E516D8C78FA6FC96D25F71AF814E16CC245E 6/2/2008 12/31/2029
  • 18.
  • 19.
  • 20.
  • 21. 4 Cross-Signed Roots Subject SHA2 Thumbprint Valid From Valid To CN = Go Daddy Root Certificate Authority - G2 O = GoDaddy.com, Inc. L = Scottsdale S = Arizona C = US 3A2FBE92891E57FE05D57087F48E730F17E5A5F53EF403D618E5B74D7A7E6ECB 1/1/2014 5/30/2031 CN = Go Daddy Root Certificate Authority - G2 OU = https://certs.godaddy.com/repository/ O = GoDaddy.com, Inc. L = Scottsdale S = Arizona C = US 9BF58967545996194512DB6177151AFE99706AEA3DA36FEEE7AD9F8B3C0507CB 5/3/2011 5/3/2031 CN = Starfield Root Certificate Authority - G2 O = Starfield Technologies, Inc. L = Scottsdale S = Arizona C = US 9F43D52E808C20AFF69E02FAAC205AAC684E6975213D6620FAC64BDE5FCAB4BC 1/1/2014 5/30/2031 CN = Starfield Root Certificate Authority - G2 OU = https://certs.starfieldtech.com/repository/ O = Starfield Technologies, Inc. L = Scottsdale S = Arizona C = US 454040E4969070401CC35BDF7F2A4EBCE5797BB7694AE731D93A8115FD59929C 5/3/2011 5/3/2031 CN = Starfield Services Root Certificate Authority - G2 O = Starfield Technologies, Inc. L = Scottsdale S = Arizona C = US EB159C922A3FC2191475CA20A53816D87A38A1A79A7264789193D2F1F750E85E 1/1/2014 5/30/2031 CN = Starfield Services Root Certificate Authority - G2 OU = https://certs.starfieldtech.com/repository/ O = Starfield Technologies, Inc. L = Scottsdale S = Arizona C = US A24B9440F9FCBEBB48C274C03DE7D24C5ED1CA59D2D362F29ED3B457762C75BB 5/3/2011 5/3/2031
  • 22.
  • 23.
  • 24.
  • 25. 5 Cross-Signed Roots Subject SHA2 Thumbprint Valid From Valid To CN = Starfield Services Root Certificate Authority - G2 O = Starfield Technologies, Inc. L = Scottsdale S = Arizona C = US 2D12B619A660CEFB013271831D891213FC434E982A21568256CF4E2E86324BEA 8/30/2009 6/28/2034 CN = Starfield Services Root Certificate Authority - G2 O = Starfield Technologies, Inc. L = Scottsdale S = Arizona C = US 28689B30E4C306AAB53B027B29E36AD6DD1DCF4B953994482CA84BDC1ECAC996 9/2/2009 6/28/2034
  • 26.
  • 27.
  • 28.
  • 29. 6 Intermediate CAs Subject SHA2 Thumbprint Valid From Valid To serialNumber = 07969287 CN = Go Daddy Secure Certification Authority OU = http://certificates.godaddy.com/repository O = GoDaddy.com, Inc. L = Scottsdale S = Arizona C = US 09ED6E991FC3273D8FEA317D339C02041861973549CFA6E1558F411F11211AA3 11/16/2006 11/16/2026 CN = Go Daddy Secure Certificate Authority - G2 OU = http://certs.godaddy.com/repository/ O = GoDaddy.com, Inc. L = Scottsdale S = Arizona C = US 973A41276FFD01E027A2AAD49E34C37846D3E976FF6A620B6712E33832041AA6 5/3/2011 5/3/2031 serialNumber = 10688435 CN = Starfield Secure Certification Authority OU = http://certificates.starfieldtech.com/repository O = Starfield Technologies, Inc. L = Scottsdale S = Arizona C = US 05A6DB389391DF92E0BE93FDFA4DB1E3CF53903918B8D9D85A9C396CB55DF030 11/16/2006 11/16/2026 CN = Starfield Secure Certificate Authority - G2 OU = http://certs.starfieldtech.com/repository/ O = Starfield Technologies, Inc. L = Scottsdale S = Arizona C = US 93A07898D89B2CCA166BA6F1F8A14138CE43828E491B831926BC8247D391CC72 5/3/2011 5/3/2031