What is WebTrust for CAs (Certification Authorities)?

Quis custodiet ipsos custodes? Or, as they say in English, who watches the watchers? Every major certificate authority is required to undergo an extensive audit called the AICPA/CICA WebTrust Program for Certification Authorities. This WebTrust audit is performed by public accounting firms and practitioners who are specifically licensed by the American Institute of Certified Public Accountants (AICPA) and the Canadian Institute of Chartered Accountants (CICA). Microsoft has selected WebTrust for Certification Authorities as part of its program for accepting Certification Authorities (CAs) that wish to distribute their root certificates through Microsoft software.

What is the purpose of the WebTrust for CAs program?

The WebTrust for CAs program helps to ensure that proper procedures are followed in activities involving e-commerce transactions, public key infrastructure (PKI), and cryptography. In online trust and e-commerce transactions, confidentiality, authentication, integrity, and non-repudiation are vitally important. These requirements are satisfied using PKI and SSL certificates. A certification authority verifies the identity of an organization or entity and issues a certificate that the organization can use to prove its identity.

CAs are taking an increasingly important role in the security of e-commerce. Although there are many national, international, and proprietary standards and guidelines for the use of cryptography, the management of digital certificates, and the policies and practices of CAs, these standards have not been applied uniformly. The AICPA/CICA WebTrust Program for Certification Authorities ensures that specific policies are implemented and enforced.

What does the WebTrust program cover?

The WebTrust Program for Certification Authorities helps to ensure that a CA is properly following its Certification Practice Statement, properly verifying organizations, and properly protecting its certificate keys. The audit specifically verifies that a particular certificate authority:

Discloses its key and certificate life cycle management business and information privacy practices and provides such services in accordance with its disclosed practices.

Maintains effective controls to provide reasonable assurance that:

  • Subscriber information is properly authenticated (for the registration activities performed by ABC-CA); and
  • The integrity of the keys and certificates it manages is established and protected throughout their life cycles.

Maintains effective controls to provide reasonable assurance that:

  • Subscriber and relying party information is restricted to authorized individuals and protected from uses not specified in the CA's business practices disclosure;
  • The continuity of key and certificate life cycle management operations is maintained; and
  • CA systems development, maintenance, and operations are properly authorized and performed to maintain CA systems integrity based on the AICPA/CICA WebTrust for Certification Authorities criteria.

For more information about the criteria audited, see the WebTrust Program for Certification Authorities Guide.

WebTrust for CAs Seal

After completing the audit, a certificate authority is allowed to use the WebTrust seal to demonstrate that it has passed all items required by the WebTrust audit.

WebTrust for Extended Validation

A separate audit, called WebTrust for Extended Validation, is also given to certification authorities that issue EV SSL certificates. This audit is similar to WebTrust for Certification Authorities, but it ensures that the CA is following the Extended Validation Guidelines agreed upon by the CA/Browser Forum. For more information, view the WebTrust for Extended Validation Guidelines. After completing this audit, the CA is entitled to display the WebTrust for Extended Validation seal.


Posted on February 16, 2009
Conor Roantree
Posts: 4
Comment
2048 BIT SSL Certificates
Reply #6 on : Mon February 21, 2011, 02:47:45
Hi,
I am looking for documentation that the 2048 bit SSL certificate is the new standard specified by Webtrust. Any help appreciated.
Robert
Posts: 2
Comment
Re: Correction
Reply #5 on : Tue October 26, 2010, 20:15:01
Thanks, Kumar. I have updated the link.
Kumar
Posts: 4
Comment
Correction
Reply #4 on : Tue October 26, 2010, 11:53:51
Hi, the above link for "WebTrust Program for Certification Authorities Guide" is not working, could you please locate the correct one, Thanks.
Andy Barratt
Posts: 4
Comment
Webtrust
Reply #3 on : Mon May 11, 2009, 10:13:35
Duane, you are completely incorrect here.

I have performed several Webtrust audits at leading CAs globally and I can assure you that I am not an accountant. I'm an IT & Information Security professional. The Webtrust audit covers the validation processes that are followed to obtain identity as well as a large amount of technical security configuration and management.

It is fundamentally important to the trust chain that an independent body verifies that the CAs do what they say they do, in line with an internationally accepted standard.
Robert
Posts: 2
Comment
Re: WebTrust
Reply #2 on : Tue February 17, 2009, 20:21:23
You're right about most audits, but that is what is different about the WebTrust audit. It is not a typical financial audit. It is specially made to verify the validation and security procedures rather than finances.
Duane
Posts: 4
Comment
WebTrust
Reply #1 on : Tue February 17, 2009, 07:49:01
The main focus of most audits is financial, not technical. Yes, there may be technical components to it, but WebTrust is founded essentially by accountants, and accountants do what they do best, and that is look at the money trail.
