Published on Digi-Sign, The Certificate Corporation (http://www2.digi-sign.com)


By Digi-Sign
Created Apr 23 2008 - 13:10

WebTrust

Introducing WebTrust

For compliance reasons, certain CA systems must prepare and document a complete set of WebTrust policies and procedures. Trusted Third Party [TTP] Certificate Authority [CA] (also known as 'Trust Centre') organisations and specific Government projects are two examples where WebTrust policies and procedures may be required in advance of conducting the WebTrust Audit.

There are typically three phases of a WebTrust implementation; these are subdivided and described in the following subsections:

WebTrust Assurance Process


The CA’s management will make assertions along the following lines:

Management has assessed the controls over its CA operations. Based on that assessment, in ABC Certification Authority, Inc. (ABC-CA) Management’s opinion, in providing its certification authority (CA) services at [location], ABC-CA, during the period from [Month, day, year] through [Month, day, year]:

  • Disclosed its key and certificate life cycle management business and information privacy practices and provided such services in accordance with its disclosed practices

  • Maintained effective controls to provide reasonable assurance that:

    • Subscriber information was properly authenticated (for the registration activities performed by ABC-CA); and

    • The integrity of keys and certificates it managed was established and protected throughout their life cycles

  • Maintained effective controls to provide reasonable assurance that:

    • Subscriber and relying party information was restricted to authorized individuals and protected from uses not specified in the CA's business practices disclosure;

    • The continuity of key and certificate life cycle management operations was maintained; and

    • CA systems development, maintenance, and operations were properly authorized and performed to maintain CA systems integrity based on the WebTrust for Certification Authorities criteria.


For an initial representation, the historical period covered should be at least two months, as determined by the practitioner. For established CAs and CA functions, two months may be quite sufficient, while for new CAs and CA functions, the practitioner may believe that a longer initial period would be more appropriate. For subsequent representations, the period covered should begin with the end of the prior period, to provide continuous representation. Reports should be issued at least every 12 months. In some situations, given the business needs or expectations of relying parties, the practitioner may believe a shorter subsequent period would be more appropriate.

To have a basis for such assertions, the CA’s management should have made a risk assessment and implemented appropriate controls for its CA operations. The WebTrust for Certification Authorities criteria and illustrative controls provide a basis for a risk assessment and a minimum set of CA controls.

An independent, objective, and knowledgeable practitioner will perform tests of these representations under professional standards and provide a professional opinion, which adds to the credibility of management’s representations.

Comparison with Service Auditor Reports


Comparison of a WebTrust for Certification Authorities Examination With Service Auditor Reports:

Professional standards currently exist for auditors to report on controls of third-party service providers (a service auditor’s engagement). Guidance for these engagements is set out in the Statement on Auditing Standards [SAS] No. 70 [SAS-70], Service Organizations, as amended.

A WebTrust for Certification Authorities engagement differs from a service auditor’s engagement in a number of ways, including the following:

  • Purpose. WebTrust for Certification Authorities provides a new framework for reporting activities of CAs through auditor communication to interested parties, including business partners and existing or potential customers. SAS-70 was designed for auditor-to-auditor communication to assist the user auditor in reporting on the financial statements of a customer of the service organization.

  • Target of evaluation. WebTrust for Certification Authorities was designed specifically for the examinations of CA business activities. Service auditor reports were designed for service organizations in general.

  • Type of engagement. WebTrust for Certification Authorities requires reporting on compliance with the WebTrust Principles and Criteria for Certification Authorities. Service auditor reports were designed for reporting on the design and existence of controls and the effective operation of those controls when the report covers a period of time.

  • Examination standards. WebTrust for Certification Authorities follows the Statements on Standards for Attestation Engagements (SSAEs). Service auditor reports follow generally accepted auditing standards.

  • Coverage of activities. WebTrust for Certification Authorities requires coverage of specific areas as defined herein, including CA business practices disclosure, service integrity (including key and certificate life cycle management activities), and CA environmental controls. Service auditor reports were designed for reporting upon controls related to financial information.

  • Linkage to authoritative standards. WebTrust for Certification Authorities provides uniform rules derived from the draft ANSI X9.79 standard (which is intended to be submitted to the International Organization for Standardization [ISO] for international standardization). Standards underlying service auditor reports do not specify the control objectives that must be covered by the report.

  • Period of coverage of review. WebTrust for Certification Authorities encourages continuous coverage from the point of initial qualification and requires continuous coverage to retain the seal. Qualification after compliance can be tested over a minimum two-month period, with updates over a specified period (currently one-year maximum). Service auditor reports cover a period of time specified by the service organization, but do not require continuous coverage.

In addition, this approach maintains consistency in the professional standards used for the Suitable Trust Services Criteria and Illustrations.

WebTrust Seal

Obtaining the WebTrust Seal

To obtain the WebTrust seal of assurance, the CA must meet all the WebTrust for Certification Authorities principles as measured by the WebTrust for Certification Authorities criteria associated with each of these principles. In addition, the entity must engage a practitioner to provide the WebTrust service, and obtain an unqualified report from such practitioner.

Keeping the WebTrust Seal

Once the seal is obtained, the CA will be able to continue displaying it on its Web site provided the following are performed:

  • The CA’s WebTrust practitioner updates his or her assurance examination of the assertion on a regular basis. The CA must continue to obtain an unqualified report from such practitioner. The interval between such updates will depend on matters such as the following:

    • The nature and complexity of the CA’s operations

    • The frequency of significant changes to the CA’s operations

    • The relative effectiveness of the entity’s monitoring and change-management controls for ensuring continued conformity with the applicable WebTrust for Certification Authorities criteria as such changes are made

    • The practitioner’s professional judgment

    For example, an update may be required more frequently for a CA that is expanding operations, changing extensively and rapidly, or issuing high-assurance certificates that are used for very sensitive transmissions or high-value transactions, as compared to a CA that issues few certificates and has a relatively stable operation. In no event should the interval between updates exceed 12 months; this interval often may be shorter. For example, in the situation of a start-up CA or CA function, it may be more appropriate that the initial examination period be established at 3 months, with the next review being performed 6 months after the WebTrust seal for CAs is awarded, thereafter moving to a 12-month review cycle. To provide continuous coverage and retain the seal, the period covered for update reports should begin with either the end of the prior period or the start of the period in the initial report.

  • During the period between updates, the CA undertakes to inform the practitioner of any significant changes in its business policies, practices, processes, and controls, particularly if such changes might affect the CA’s ability to continue meeting the WebTrust Principles and Criteria for Certification Authorities, or the manner in which they are met. Such changes may trigger the need for an assurance update or, in some cases, removal of the seal until an update examination by the practitioner can be made. If the practitioner becomes aware of such a change in circumstances, he or she determines whether the seal needs to be removed until an update examination is completed and the updated auditor’s report is issued.


WebTrust Seal Management

The WebTrust seal of assurance for the CA will be managed by a seal manager along the following lines:

  • Upon becoming a WebTrust licensee, the WebTrust practitioner obtains a registration number (ID and password) from the WebTrust licensing authority. With this the practitioner can issue a WebTrust seal to the CA.

  • When the practitioner is prepared to issue a WebTrust seal, he or she accesses the WebTrust secure server system. Upon payment of the registration fee, the practitioner receives passwords and IDs unique to the engagement. The seal manager issues these to the practitioner in pairs. One set allows the practitioner to read and write to the secure server (see below) and the other permits the CA to preview the presentation.

  • The practitioner prepares a draft of the practitioner’s report and provides it along with management’s assertions for posting to the preview site.

  • The seal manager then delivers the seal to the CA with the appropriate links to the preview site. Notification of delivery is provided to the practitioner.

  • When the practitioner and CA have agreed that the seal should become active, the practitioner notifies the seal manager to transfer the information from the preview site to the active WebTrust site and provides the appropriate expiration date.

  • The seal remains valid for the period provided by the practitioner plus a one-month grace period, unless removed for cause. The one-month period is to allow sufficient time to complete the engagement and other open items. For example, if the seal expires on June 30, 20XX, the practitioner has 30 days to complete open items and prepare new documents for posting with the seal manager. The subsequent examination period begins July 1, 20XX.

  • If the practitioner determines that the seal should be removed from the CA’s Web site, the practitioner will immediately notify the CA and request that the seal be removed from the CA’s site. The practitioner will then notify the seal manager to remove all the relevant information and to replace it with a statement that the WebTrust seal for this site is no longer valid.

  • The seal manager will notify the practitioner 30 days prior to expiration that the seal needs to be renewed. The seal manager may revoke seals if the registration fee for the seal is unpaid or for other sufficient cause.


WebTrust Seal Authentication

To verify whether the seal displayed on a CA's Web site is authentic, the customer can:

  • Click on the seal, which links the customer through a secure connection to a WebTrust seal verification page hosted by the seal manager. It identifies the CA and confirms that the CA is entitled to display the WebTrust seal. It also provides links to the appropriate principle(s) (that is, the WebTrust for Certification Authorities principles) and other relevant information.

  • Access the list of entities that have received a WebTrust seal; the list is maintained by the seal manager at www.webtrust.org/abtseals.htm [1]. A CA is registered on this list when the seal is issued.


WebTrust Principle 1

WebTrust for Certification Authorities Principles

To be understandable to the ultimate users—the subscriber and relying party—the following principles have been developed with the relying party in mind, and, as a result, are intended to be practical and non-technical in nature.

Principle 1: CA Business Practices Disclosure

  • The first principle is—The certification authority discloses its key and certificate life cycle management business and information privacy practices and provides its services in accordance with its disclosed practices.

  • The CA must disclose its key and certificate life cycle management business and information privacy practices. Information regarding the CA’s business practices should be made available to all subscribers and all potential relying parties, typically by posting on its Web site. Such disclosure may be contained in a certificate policy [CP], certification practice statement [CPS], or other informative materials that are available to users (subscribers and relying parties).


WebTrust Principle 2

Service Integrity

The second principle is—The certification authority maintains effective controls to provide reasonable assurance that:

  • Subscriber information was properly authenticated (for the registration activities performed by ABC-CA).

  • The integrity of keys and certificates it manages is established and protected throughout their life cycles.

Effective key management controls and practices are essential to the trustworthiness of the public key infrastructure. Cryptographic key management controls and practices cover CA key generation; CA key storage, backup, and recovery; CA public key distribution (especially when done in the form of self-signed “root” certificates); CA key escrow (optional); CA key usage; CA key destruction; CA key archival; the management of CA cryptographic hardware through its life cycle; and CA-provided subscriber key management services (optional). Strong key life cycle management controls are vital to guard against key compromise that can damage the integrity of the public key infrastructure.

The user certificate life cycle is at the core of the services provided by the CA. The CA establishes its standards and practices by which it will deliver services in its published CPS and CPs. The user certificate life cycle includes the following:

  • Registration (that is, the identification and authentication process related to binding the individual subscriber to the certificate)

  • The renewal of certificates (optional)

  • The rekey of certificates

  • The revocation of certificates

  • The suspension of certificates (optional)

  • The timely publication of certificate status information (through certificate revocation lists or some form of online certificate status protocol)

  • The management of integrated circuit cards (ICCs) holding private keys through their life cycle (optional)



Effective controls over the registration process are essential, as poor identification and authentication controls jeopardize the ability of subscribers and relying parties to rely on the certificates issued by the CA. Effective revocation procedures and timely publication of certificate status information are also essential elements, as it is critical for subscribers and relying parties to know when they are unable to rely on certificates that have been issued by the CA.
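The key and certificate life cycle steps described above (CA key generation and distribution of a self-signed root, subscriber issuance after registration, revocation, and timely publication of certificate status through a CRL) as an added, runnable Go example. This is not code from the original page or from Digi-Sign; the toy CA, the function names NewCA, Issue, Revoke, PublishCRL and CheckStatus, the 24-hour validity periods and the subject names are assumptions chosen for illustration, and only the Go standard library (crypto/x509) is used. OCSP, the other status channel the page names, is not shown.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)

var ErrRevoked = errors.New("certificate is revoked") // CheckStatus result for a serial listed on a valid CRL

// CA is a constructed toy certification authority (an illustration, not a production design).
type CA struct {
	Cert       *x509.Certificate // self-signed root that relying parties hold
	key        ed25519.PrivateKey
	nextSerial int64
	revoked    []pkix.RevokedCertificate
}

// NewCA generates the root key and self-signs a certificate carrying the keyCertSign and cRLSign usages.
func NewCA(name string) (*CA, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &CA{Cert: cert, key: priv, nextSerial: 2}, nil
}

// Issue binds the subscriber's own public key to a name that registration has already vetted.
func (ca *CA) Issue(commonName string, subscriberPub ed25519.PublicKey) (*x509.Certificate, error) {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(ca.nextSerial),
		Subject:      pkix.Name{CommonName: commonName},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	ca.nextSerial++
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca.Cert, subscriberPub, ca.key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// Revoke records the serial; relying parties only learn of it once a new CRL is published.
func (ca *CA) Revoke(cert *x509.Certificate, at time.Time) {
	ca.revoked = append(ca.revoked, pkix.RevokedCertificate{SerialNumber: cert.SerialNumber, RevocationTime: at})
}

// PublishCRL signs a CRL of every revoked serial; NextUpdate is the CA's promise of when fresher status will exist.
func (ca *CA) PublishCRL(number int64, thisUpdate, nextUpdate time.Time) ([]byte, error) {
	tmpl := &x509.RevocationList{
		RevokedCertificates: ca.revoked, // older field name so this builds on Go 1.19 and later
		Number:              big.NewInt(number),
		ThisUpdate:          thisUpdate,
		NextUpdate:          nextUpdate,
	}
	return x509.CreateRevocationList(rand.Reader, tmpl, ca.Cert, ca.key)
}

// CheckStatus (relying-party side): nil = not listed on an issuer-signed, current CRL; ErrRevoked = listed; any other error = status unknown, do not rely.
func CheckStatus(crlDER []byte, issuer, cert *x509.Certificate, now time.Time) error {
	crl, err := x509.ParseRevocationList(crlDER)
	if err != nil {
		return err
	}
	if err := crl.CheckSignatureFrom(issuer); err != nil {
		return err
	}
	if now.Before(crl.ThisUpdate) || now.After(crl.NextUpdate) {
		return errors.New("CRL is not current: outside ThisUpdate..NextUpdate")
	}
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(cert.SerialNumber) == 0 {
			return ErrRevoked
		}
	}
	return nil
}
```

The relying-party check fails closed: a CRL that does not parse, is not signed by the issuer it is checked against, or is outside its ThisUpdate..NextUpdate window yields "unknown" rather than "good", which is the operational meaning of the page's point that relying parties must be able to tell when they cannot rely on a certificate. A CA that misses its NextUpdate therefore breaks every relying party that checks properly, which is why the criteria treat timely publication as essential rather than optional.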

WebTrust Principle 3

CA Environmental Controls

The third principle is—The certification authority maintains effective controls to provide reasonable assurance that:

  • Subscriber and relying party information is restricted to authorized individuals and protected from uses not specified in the CA’s business practices disclosure

  • The continuity of key and certificate life cycle management operations is maintained

  • CA systems development, maintenance, and operation are properly authorized and performed to maintain CA systems integrity

The establishment and maintenance of a trustworthy CA environment is essential to the reliability of the CA’s business processes. Without strong CA environmental controls, strong key and certificate life cycle management controls are severely diminished in value. CA environmental controls include CPS and CP management, security management, asset classification and management, personnel security, physical and environmental security of the CA facility, operations management, system access management, systems development and maintenance, business continuity management, monitoring and compliance, and event journaling.

WebTrust for Certification Authorities Criteria


To provide more specific guidance on meeting the WebTrust for Certification Authorities principles, the WebTrust for Certification Authorities criteria have been developed. These provide a basis against which a CA can make a self-assessment of its conformity with the criteria, and a consistent set of measurement criteria for practitioners to use in testing and evaluating CA practices.

The WebTrust for Certification Authorities criteria are presented under the three principles listed above (Principle 1, CA Business Practices Disclosure; Principle 2, Service Integrity, including key and certificate life cycle management controls; and Principle 3, CA Environmental Controls).

Each principle contains a series of criteria that the CA’s management asserts it has achieved. Depending on the scope of services provided by the CA, a number of the criteria may not be applicable. Criteria considered optional, depending on whether the CA provides the related services, are key escrow, certificate renewal, certificate suspension, the use of integrated circuit cards (ICCs), and the provision of subscriber key management services. If any of these services are provided by the CA, the criteria are applicable and must be tested by the practitioner. If any of these services are not provided by the CA, the criteria are not applicable and no modification of the standard report is necessary. In some situations, some registration authority [RA] services may be performed by another party that is not controlled by the CA, and therefore those activities are not included in the examination of the CA. In these circumstances the standard report should be modified to specify the exclusion of the specific RA activities from the scope of the examination.

This may be accomplished by reference to the CA’s business practice disclosures in which the CA specifies which RA activities it does not control. In all instances some RA activities will be performed by the CA and should be tested by the practitioner for compliance with the controls disclosed under Principle 1 and the criteria specified in Principle 2. In performing a WebTrust for Certification Authorities engagement, the practitioner must gain an understanding of the CA’s business model and services provided to determine which control criteria may not be applicable. For each of the disclosure and control criteria, there is a detailed list of illustrative disclosures and control procedures that might be followed by the CA to meet the related criteria. The illustrative disclosures and controls do not necessarily need to be in place for a criterion to be met in a given business circumstance and alternatives may be sufficient.

The CA Business Practices Disclosure criteria were derived primarily from the Internet Engineering Task Force’s (IETF) Internet X.509 Public Key Infrastructure Certificate Policy and Certification Practices Framework Request For Comments Draft (RFC 2527), which has been incorporated into Annex A of the draft ANSI X9.79 standard. For specific key and certificate life cycle management (Principle 2) and CA environmental illustrative controls (Principle 3), in which the CA’s implemented controls may vary depending on the CA’s business practices, such illustrative controls refer to specifically required CA business practices disclosures included in Principle 1 [2].


Source URL: http://www2.digi-sign.com/compliance/webtrust

Links:
[1] http://www.webtrust.org/abtseals.htm
[2] http://www2.digi-sign.com/en/digi-cast/webtrust/first+principal