Will Let's Encrypt participate in third-party risk management processes/screenings in order for companies to approve of its usage? We are interested in exploring utilizing Let's Encrypt SSL certs, but we have a requirement of 3PRM screenings for any third-party tooling. Thanks!
We publish audit reports and related information at: Policy and Legal Repository - Let's Encrypt
Most routine 3PRM requirements are met or exceeded by WebTrust and its incorporated criteria, for which we're audited. It may be enough to review our audit reports and match their criteria with your compliance program's.
We usually aren't able to complete outside questionnaires or assessments. If there's some extra information you'd like to see us publish, please let us know.
Thank you @JamesLE! We will look this over and notify this thread if there is any other information we would like to see published. Appreciate the quick response.
Silly question, but... are/were all other CAs required to meet this assessment?
Are you specifically referring to the actual client software loaded/running on a "secure system"?
[not the CA that provides the certs used by such systems]
Hi @rg305. Yes. This is required of all third parties we look to utilize, whether it's providing the cert, the software loading the cert, etc.
@JamesLE Do you guys have ISO 27001 documentation publicly available for us?
We're not currently audited for ISO 27001, but the two categories of WebTrust audit criteria include (by direct reference) most of the same underlying ISO documents and requirements. Just offhand, I think most of the other items in 27001 relate to PII practices; we collect minimal PII and only from the Subscriber itself.
If there are specific criteria you need that are missing, we could explore getting them included in our next audit, especially if you're working with a set of criteria that other folks are also likely to need.