Documenti di Didattica
Documenti di Professioni
Documenti di Cultura
We have examined the accompanying assertion made by the management of Google Trust
Services LLC (“GTS”), titled Management’s Assertion Regarding the Effectiveness of Its Controls
Over the SSL Certificate Authority Services Based on the WebTrust Principles and Criteria for
Certification Authorities – SSL Baseline with Network Security v2.3 for GTS’ Certification Authority
(CA) services at Mountain View, California and Zurich, Switzerland, throughout the period October
1, 2017 to September 30, 2018 for the Root and Subordinate CA’s as enumerated in Appendix
A, GTS has:
including its commitment to provide SSL certificates in conformity with the CA/Browser
Forum Requirements on the GTS website, and provided such services in accordance with
its disclosed practices
o The integrity of keys and SSL certificates it manages is established and protected
throughout their lifecycles; and
Maintained effective controls to provide reasonable assurance that it meets the Network
and Certificate System Security Requirements as set forth by the CA/Browser Forum
based on the WebTrust Principles and Criteria for Certification Authorities – SSL Baseline with
Network Security v2.3 (Criteria).
Our examination was conducted in accordance with attestation standards established by the
American Institute of Certified Public Accountants (AICPA). Those standards require that we plan
and perform the examination to obtain reasonable assurance about whether management’s
assertion is fairly stated, in all material respects. An examination involves performing procedures
to obtain evidence about management’s assertion. The nature, timing, and extent of the
procedures selected depend on our judgment, including an assessment of the risks of material
misstatement of management’s assertion, whether due to fraud or error. We believe that the
evidence we obtained is sufficient and appropriate to provide a reasonable basis for our opinion.
GTS’ Management has disclosed to us the attached comments (Appendix B) that have been
posted publicly in the online forums of the CA/Browser Forum, as well as the online forums of
individual internet browsers that comprise the CA/Browser Forum. We have considered the nature
of these comments in determining the nature, timing and extent of our procedures.
The relative effectiveness and significance of specific controls at GTS and their effect on
assessments of control risk for subscribers and relying parties are dependent on their interaction
with the controls, and other factors present at individual subscriber and relying party locations.
We have performed no procedures to evaluate the effectiveness of controls at individual
subscriber and relying party locations.
Our examination was not conducted for the purpose of evaluating GTS’ cybersecurity risk
management program. Accordingly, we do not express an opinion or any other form of assurance
on its cybersecurity risk management program.
There are inherent limitations in the effectiveness of any system of internal control, including the
possibility of human error and the circumvention of controls. Because of inherent limitations in its
internal control, GTS may achieve reasonable, but not absolute assurance that all security events
are prevented and, for those controls may provide reasonable, but not absolute assurance that
its commitments and system requirements are achieved. Controls may not prevent or detect and
correct, error, fraud, unauthorized access to systems and information, or failure to comply with
internal and external policies or requirements.
Examples of inherent limitations of internal controls related to security include (a) vulnerabilities
in information technology components as a result of design by their manufacturer or developer;
(b) breakdown of internal control at a vendor or business partner; and (c) persistent attackers with
the resources to use advanced technical means and sophisticated social engineering techniques
specifically targeting the entity. Furthermore, the projection of any evaluations of effectiveness to
future periods is subject to the risk that controls may become inadequate because of changes in
conditions, that the degree of compliance with such controls may deteriorate, or that changes
made to the system or controls, or the failure to make needed changes to the system or controls,
may alter the validity of such evaluations.
In our opinion, GTS management’s assertion referred to above is fairly stated, in all material
respects, based on the aforementioned Criteria.
This report does not include any representation as to the quality of GTS’ CA services beyond
those covered by the WebTrust Principles and Criteria for Certification Authorities – SSL Baseline
with Network Security v2.3, or the suitability of any of GTS’ services for any customer's intended
purpose.
We, as the management of Google Trust Services LLC (“GTS”), are responsible for operating the
SSL Certification Authority (CA) services at Mountain View, California and Zurich, Switzerland for
the Root and Subordinate CA’s, in scope for SSL Baseline Requirements and Network Security
Requirements listed at Appendix A.
Controls have inherent limitations, including the possibility of human error and the circumvention
or overriding of controls. Accordingly, even effective controls can provide only reasonable
assurance with respect to GTS’ CA operations. Furthermore, because of changes in conditions,
the effectiveness of controls may vary over time.
Management of GTS has assessed the disclosures of its certificate practices and controls over
its SSL CA services. Based on that assessment, in providing its SSL Certification Authority (CA)
services at Mountain View, California and Zurich, Switzerland throughout the period from October
1, 2017 through September 30, 2018, GTS has:
including its commitment to provide SSL certificates in conformity with the CA/Browser
Forum Requirements on the GTS website, and provided such services in accordance with
its disclosed practices
o The integrity of keys and SSL certificates it manages was established and
protected throughout their lifecycles; and
o Logical and physical access to CA systems and data was restricted to authorized
individuals;
o The continuity of key and certificate management operations was maintained; and
4
1600 Amphitheatre Parkway Tel: 650.253.0000
Mountain View, California 94043 www.google.com
Maintained effective controls to provide reasonable assurance that it meets the Network
and Certificate System Security Requirements as set forth by the CA/Browser Forum
for the Root and Subordinate CA’s in scope for SSL Baseline Requirements and Network Security
Requirements at Appendix A, based on the WebTrust Principles and Criteria for Certification
Authorities – SSL Baseline with Network Security v2.3.
5
Appendix A
6
Root/Subordinate Subject Key Certificate Serial SHA256 Fingerprint
Name Identifier Number
Google Trust 9B:E2:07:57:67:1C: 04:00:00:00:00:01:0F:
CA:42:DD:41:74:5F:D0
Services - 1E:C0:6A:06:DE:59: 86:26:E6:0D :B8:1E:B9:02:36:2C:F9
GlobalSign Root B4:9A:2D:DF:DC:19 :D8:BF:71:9D:A1:BD:1
CA-R2 :86:2E B:1E:FC:94:6F:5B:4C:
99:F4:2C:1B:9E
Google 77:C2:B8:50:9A:67: 30:12:9B:FD:80:D1:93 98:DA:04:2C:EB:04:BA
Internet 76:76:B1:2D:C2:86: :D6:B3:E2:34:E4 :52:E9:E4:D7:C6:1E:43
Authority D0:83:A0:7E:A6:7E: :BD:76:F9:4E:88:DC:F
G3 BA:4B F:8E:F1:EF:73:52:0D:E
B:6F:98:1B:82
Google 77:C2:B8:50:9A:67: 01:E3:A9:30:1C:FC:72 BE:0C:CD:54:D4:CE:C
Internet 76:76:B1:2D:C2:86: :06:38:3F:9A:53:1D D:A1:BD:5E:5D:9E:CC:
Authority D0:83:A0:7E:A6:7E: 85:A0:4C:2C:1F:93:A5:
G3 BA:4B 22:0D:77:FD:E8:8F:E9:
AD:08:1F:64:1B
GTS CA 98:D1:F8:6E:10:EB: 01:E3:B4:9A:A1:8D:8 95:C0:74:E3:59:02:A1:
1O1 CF:9B:EC:60:9F:18: A:A9:81:25:69:50:B8 4A:BD:9D:19:AF:B6:E7
90:1B:A0:EB:7D:09: :F8:0E:66:9F:F8:E2:36:
FD:2B 32:70:53:9D:96:36:13:
F0:4A:AA:21
GTS CA B1:DD:32:5D:E8:B7: 01:E3:B4:9D:77:CD:F D5:70:84:C1:27:98:73:
1D2 37:72:D2:CE:5C:CE: 4:0C:06:19:16:B6:E3 27:1E:B2:CE:7B:84:15:
26:FE:47:79:E2:01:0 A4:1C:E9:12:6B:54:4D:
8:E9 85:18:BA:D8:7F:F1:CE
:5A:60:4D:A3
Google Trust 54:B0:7B:AD:45:B8: 2A:38:A4:1C:96:0A:04 BE:C9:49:11:C2:95:56:
Services - E2:40:7F:FB:0A:6E: :DE:42:B2:28:A5:0B:E 76:DB:6C:0A:55:09:86:
GlobalSign ECC FB:BE:33:C9:3C:A3: 8:34:98:02 D7:6E:3B:A0:05:66:7C:
Root CA - R4 84:D5 44:2C:97:62:B4:FB:B7:
73:DE:22:8C
Google 64:B8:34:04:8E:DE: 01:E3:AE:80:26:DB:5 61:72:77:3E:0B:60:BB:
Internet E3:2A:54:39:A4:3E: B:41:E2:56:C2:A3:51 E7:48:D0:5E:75:B9:49:
Authority C7:9B:D8:00:0F:0C: 51:7E:30:66:8D:3F:6F:
G3 ECC 22:E4 4B:9C:03:45:22:6F:67:
F2:F7:5A:9C
7
Appendix B