AICPA/CICA WebTrust (SM/TM) Program for Certification Authorities, Version 1.0
This document provides a framework for licensed WebTrust practitioners
to assess the adequacy and effectiveness of the controls employed by Certification
Authorities (CAs). The importance of these controls will continue to increase as
third-party authentication is relied on more and more to provide assurance
with respect to e-commerce business activities. Because the activities involved
in securing e-commerce transactions are technical in nature, this document also
provides a brief overview of public key infrastructure (PKI) based on
cryptography, trusted third-party concepts, and their increasing use in e-commerce.
Confidentiality, authentication, integrity, and nonrepudiation are the four
most important ingredients required for trust in e-commerce transactions.
The emerging response to these requirements is the implementation of PKI
technology. PKI utilizes digital certificates and asymmetric cryptography
to address these requirements.
PKI provides a means for relying parties (meaning, recipients of certificates
who act in reliance on those certificates and/or digital signatures verified
using those certificates) to know that another individual's or entity's
public key actually belongs to that individual/entity. CA organizations
and/or CA functions acting as trusted third parties have been established
to address this need. PKI uses public/private-key pairs: two mathematically
related keys. One of these keys is typically made public, for example by posting
it in a publicly accessible read-only repository, while the other remains private.
Public-key cryptography works in such a way that a message encrypted with the
public key can only be decrypted with the private key, and conversely a message
signed with a private key can be verified with the public key. This technology
can be used in different ways to provide confidentiality, authentication,
integrity, and nonrepudiation.
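The CA trust relationship described above, as an added example in Go that is not part of the WebTrust program or this page: a hypothetical issue helper acts as the CA, RelyingPartyVerify acts as the relying party, and the CA name, subscriber name and messages are constructed sample data.

```go
package main
import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)
// issue (hypothetical helper) binds key's public half to subject in a certificate signed by parentKey; parent == nil means self-signed.
func issue(subject string, key ed25519.PrivateKey, parent *x509.Certificate, parentKey ed25519.PrivateKey, isCA bool) *x509.Certificate {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: subject}, IsCA: isCA, BasicConstraintsValid: true,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour), KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
	}
	if parent == nil {
		parent, parentKey = tmpl, key // the CA's own root certificate: signed with the key it binds
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, key.Public(), parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der) // der was produced just above, so it parses
	return cert
}
// RelyingPartyVerify trusts only caCert: subCert must chain to it before the key it binds to its subject is used to check sig over msg.
func RelyingPartyVerify(caCert, subCert *x509.Certificate, msg, sig []byte) bool {
	roots := x509.NewCertPool()
	roots.AddCert(caCert)
	if _, err := subCert.Verify(x509.VerifyOptions{Roots: roots}); err != nil {
		return false // not issued by a CA the relying party trusts
	}
	return subCert.CheckSignature(x509.PureEd25519, msg, sig) == nil
}
// Scenario (constructed data): verdicts for the genuine signed message, a tampered copy, and the same key under a self-signed certificate.
func Scenario() (genuine, tampered, selfSigned bool) {
	_, caKey, _ := ed25519.GenerateKey(rand.Reader)
	_, subKey, _ := ed25519.GenerateKey(rand.Reader)
	caCert := issue("Trusted CA", caKey, nil, nil, true)
	subCert := issue("alice@example.test", subKey, caCert, caKey, false)
	selfCert := issue("alice@example.test", subKey, nil, nil, true) // no trusted third party vouches for this binding
	msg := []byte("order 42: pay 100 to bob")
	sig := ed25519.Sign(subKey, msg)
	return RelyingPartyVerify(caCert, subCert, msg, sig),
		RelyingPartyVerify(caCert, subCert, []byte("order 42: pay 999 to bob"), sig),
		RelyingPartyVerify(caCert, selfCert, msg, sig)
}
func main() { fmt.Println(Scenario()) } // true false false
```

The self-signed verdict is false even though the signature itself is cryptographically valid: without a trusted CA vouching for the binding, the relying party cannot know that the key belongs to the named subscriber.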
Cryptography is critical to establishing secure e-commerce. However, it has
to be coupled with other secure protocols in order to provide a comprehensive
security solution. Several cryptographic protocols require an independent
trusted third party (the CA) to authenticate the transaction. CAs have
assumed an increasingly important role in secure e-commerce. Although
there is a large body of existing national, international, and proprietary
standards and guidelines for the use of cryptography, the management of
digital certificates, and the policies and practices of CAs, these standards
have not been applied uniformly.
To increase consumer confidence in the Internet as a vehicle for conducting
e-commerce and to increase consumer confidence in the application of PKI
technology, the public accounting profession has developed and is promoting
a set of principles and criteria for CAs, referred to as the AICPA/CICA
WebTrust Program for Certification Authorities. Public accounting
firms and practitioners who are specifically licensed by the AICPA/CICA
can provide assurance services to evaluate and test whether the services
provided by a particular Certification Authority meet these principles
and criteria. The posting of the AICPA/CICA WebTrust Seal
of assurance is a symbolic representation of a practitioner's unqualified
report. This seal would be displayed on the CA's Web site together with
links to the practitioner's report and other relevant information.
This is an initial version of the AICPA/CICA WebTrust Program for Certification
Authorities. It is intended to address user (meaning, subscriber
and relying party) needs and concerns and is designed to benefit users
and providers of CA e-commerce assurance services by providing a common
body of knowledge that is communicated to such parties. We anticipate
that future revisions will be needed to update these criteria and related
materials as the available technology and common business practices evolve.
The AICPA/CICA WebTrust Program for Certification Authorities is
consistent with standards being developed by the American National Standards
Institute (ANSI) and the Internet Engineering Task Force (IETF).[1]
[1] The ANSI X9F5 Digital Signature and Certificate Policy working
group is developing the X9.79 PKI Practices and Policy Framework
(X9.79) standard for the financial services community. This standard includes
detailed Certification Authority Control Objectives against which Certification
Authorities may be evaluated. An International Organization for Standardization
(ISO) working group has been formed to standardize X9.79 based on international
requirements in a new international standard. In addition, the American
Bar Association's Information Security Committee (ABA-ISC) is developing
the PKI Assessment Guidelines (PAG), which address the legal and
technical requirements for Certification Authorities. The PAG makes reference
to the Certification Authority Control Objectives that are detailed in
the draft X9.79 standard and reflected in the WebTrust Program for
Certification Authorities. The Certification Authority Control Objectives
referred to in each of these documents were developed based on the existing
body of ANSI, ISO, IETF, and other existing standards.