What is WebTrust for CAs (Certification Authorities)?

Quis custodiet ipsos custodes? Or, as they say in English, who watches the watchers? Every major certificate authority is required to undergo an extensive audit called the AICPA/CICA WebTrust Program for Certification Authorities. This WebTrust audit is performed by public accounting firms and practitioners who are specifically licensed by the American Institute of Certified Public Accountants (AICPA) and the Canadian Institute of Chartered Accountants (CICA). Microsoft has selected WebTrust for Certification Authorities as part of its program for accepting Certification Authorities (CAs) wishing to distribute their root certificate through Microsoft software.

What is the purpose of the WebTrust for CAs program?

The WebTrust for CAs program helps to ensure that proper procedures are followed in activities involving e-commerce transactions, public key infrastructure (PKI), and cryptography. In online trust and e-commerce transactions, confidentiality, authentication, integrity, and non-repudiation are vitally important. These requirements are satisfied using PKI and SSL Certificates. A certification authority verifies the identity of an organization or entity and issues a certificate that the organization can use to prove its identity.

CAs are taking an increasingly important role in the security of e-commerce. Although there are many national, international, and proprietary standards and guidelines for the use of cryptography, the management of digital certificates, and the policies and practices of CAs, these standards have not been applied uniformly. The AICPA/CICA WebTrust Program for Certification Authorities ensures that specific policies are implemented and enforced.

What does the WebTrust program cover?

The WebTrust Program for Certification Authorities helps to ensure that a CA is properly following its Certification Practice Statement, properly verifying organizations, and properly protecting its certificate keys. The audit specifically verifies that a particular certificate authority:

Discloses its key and certificate life cycle management business and information privacy practices and provides such services in accordance with its disclosed practices.

Maintains effective controls to provide reasonable assurance that:

  • Subscriber information is properly authenticated (for the registration activities performed by ABC-CA); and
  • The integrity of keys and certificates it manages is established and protected throughout their life cycles

Maintains effective controls to provide reasonable assurance that:

  • Subscriber and relying party information is restricted to authorized individuals and protected from uses not specified in the CA's business practices disclosure;
  • The continuity of key and certificate life cycle management operations is maintained; and
  • CA systems development, maintenance, and operations are properly authorized and performed to maintain CA systems integrity based on the AICPA/CICA WebTrust for Certification Authorities criteria.

For more information about the criteria audited, see the WebTrust Program for Certification Authorities Guide.

WebTrust for CAs Seal

After completing the audit, a certificate authority is allowed to use the WebTrust seal to demonstrate that it has passed all items required by the WebTrust audit.

WebTrust for Extended Validation

A separate audit, called WebTrust for Extended Validation, is also given to certification authorities that issue EV SSL Certificates. This audit is similar to WebTrust for Certification Authorities, but it ensures that the CA is following the Extended Validation Guidelines agreed upon by the CA/Browser Forum. For more information, view the WebTrust for Extended Validation Guidelines. After completing this audit, the CA is entitled to display the WebTrust for Extended Validation seal.

Originally posted on Mon Feb 16, 2009

Comments (6)

  1. Conor Roantree:
    Feb 21, 2011 at 12:47 AM

    Hi, I am looking for documentation that 2048-bit SSL certificates are the new standard specified by WebTrust. Any help appreciated.

  2. Robert:
    Oct 26, 2010 at 06:15 PM

    Thanks, Kumar. I have updated the link.

  3. Kumar:
    Oct 26, 2010 at 09:53 AM

    Hi, the above link for "WebTrust Program for Certification Authorities Guide" is not working, could you please locate the correct one, Thanks.

  4. Andy Barratt:
    May 11, 2009 at 08:13 AM

    Duane, you are completely incorrect here. I have performed several WebTrust audits at leading CAs globally and I can assure you that I am not an accountant. I'm an IT & Information Security professional. The WebTrust audit covers the validation processes that are followed to obtain identity as well as a large amount of technical security configuration and management. It is fundamentally important to the trust chain that an independent body verifies that the CAs do what they say they do in line with an internationally accepted standard.

  5. Robert:
    Feb 17, 2009 at 06:21 PM

    You're right about most audits, but that is what is different about the WebTrust audit. It is not a typical financial audit. It is specially made to verify the validation and security procedures rather than finances.

  6. Duane:
    Feb 17, 2009 at 05:49 AM

    The main focus of most audits is financial, not technical. Yes, there may be technical components to it, but WebTrust is founded essentially by accountants, and accountants do what they do best, and that is look at the money trail.
