What is WebTrust for CAs (Certification Authorities)?
Quis custodiet ipsos custodes? Or, as they say in English, who watches the watchers? Every major certificate authority is required by the browser and operating-system root programs to undergo an extensive audit called the AICPA/CICA WebTrust Program for Certification Authorities. This WebTrust audit is performed by public accounting firms and practitioners who are specifically licensed by the American Institute of Certified Public Accountants (AICPA) and the Canadian Institute of Chartered Accountants (CICA). Microsoft has selected WebTrust for Certification Authorities as part of its program for accepting Certification Authorities (CAs) wishing to distribute their root certificate through Microsoft software.
What is the purpose of the WebTrust for CAs program?
The WebTrust for CAs program helps to ensure that proper procedures are followed in activities involving e-commerce transactions, public key infrastructure (PKI), and cryptography. In online trust and e-commerce transactions, confidentiality, authentication, integrity, and nonrepudiation are vitally important. PKI and SSL certificates are the mechanism used to provide these properties: a certification authority verifies the identity of an organization or entity and issues a certificate binding that identity to a public key, which the organization can then use to prove its identity to relying parties.
CAs are taking an increasingly important role in the security of e-commerce. Although there are many national, international, and proprietary standards and guidelines for the use of cryptography, the management of digital certificates, and the policies and practices of CAs, these standards have not been applied uniformly. The AICPA/CICA WebTrust Program for Certification Authorities provides independent assurance that a CA's stated policies are actually implemented and enforced.
What does the WebTrust program cover?
The WebTrust Program for Certification Authorities helps to ensure that a CA is properly following its Certification Practice Statement (CPS), properly verifying the organizations it issues to, and properly protecting the private keys used to sign certificates. The audit specifically verifies that a particular certificate authority:
- Discloses its key and certificate life cycle management business and information privacy practices and provides such services in accordance with its disclosed practices.
- Maintains effective controls to provide reasonable assurance that:
  - Subscriber information is properly authenticated (for the registration activities performed by the CA); and
  - The integrity of the keys and certificates it manages is established and protected throughout their life cycles.
- Maintains effective controls to provide reasonable assurance that:
  - Subscriber and relying party information is restricted to authorized individuals and protected from uses not specified in the CA's business practices disclosure;
  - The continuity of key and certificate life cycle management operations is maintained; and
  - CA systems development, maintenance, and operations are properly authorized and performed to maintain CA systems integrity based on the AICPA/CICA WebTrust for Certification Authorities criteria.
For more information about the criteria audited, see the WebTrust Program for Certification Authorities Guide.
WebTrust for CAs Seal
After completing the audit with an unqualified opinion, a certificate authority is allowed to display the WebTrust for Certification Authorities seal to demonstrate that it has met all of the criteria required by the WebTrust audit. The seal is issued by the auditing practitioner and must be renewed with each audit period.
WebTrust for Extended Validation
A separate audit, called WebTrust for Extended Validation, is also given to certification authorities that issue EV SSL certificates. This audit is performed in addition to, not instead of, WebTrust for Certification Authorities; it is similar in form but specifically verifies that the CA is following the Extended Validation Guidelines agreed upon by the CA/Browser Forum. For more information, view the WebTrust for Extended Validation Guidelines. After completing this audit, the CA is entitled to display the WebTrust for Extended Validation seal.
Originally posted on Mon Feb 16, 2009