ISO-27001 or SOC2 external certification?

I would like to know if LetsEncrypt is planning to become certified by an external party.

Or failing that, does the LetsEncrypt API undergo any security review or periodic penetration test?

Let’s Encrypt (and therefore its API as well as its issuance systems) undergoes a pretty extensive audit (WebTrust) as part of being a publicly trusted CA. The audits are available here: https://letsencrypt.org/repository/.

As I’m not affiliated with LE I can’t say anything about ISO-27001 and SOC2.


WebTrust audits are apparently SOC-3 audits.

The scope of a WebTrust audit would absolutely encompass the ACME service provided by Let’s Encrypt, much as it would the web frontend and bespoke APIs of your typical commercial CA.


All this information is available in the document repository.

Go to town :smiley:

As a side note, most of these conversations ended up going in circles.

To save you time: Let’s Encrypt complies with the security and audit requirements set by the industry, just like any other paid Public Certificate Authority.

https://letsencrypt.org/repository/

https://letsencrypt.org/documents/isrg-cps-v2.0/


At risk of taking this briefly off-topic, I believe you mixed up your sayings there, @ahaw021. “Eat your heart out” is a rather negative and combative colloquialism, implying joy at the grief of whoever it was directed towards. I think you may have meant something more along the lines of “go to town” or perhaps “eat to your heart’s content”.


Or “knock yourself out”, perhaps?

And back on topic, I remember finding this recently while looking for something else:

“Auditing costs include the required annual WebTrust audits as well as third party expert security review and testing. The third party security audits include code review, infrastructure review, penetration testing, and ACME protocol analysis. We are not required to do third party auditing beyond the WebTrust audits, but it would be irresponsible of us not to.”


Thanks @jared.m @jmorahan.

In New Zealand it doesn’t have those negative implications; however, these are some of the challenges of working in a worldwide community.

I have updated it to “go to town” to avoid any confusion :smiley:

