WebTrust Program for Certification Authorities
This document provides a framework for licensed WebTrust practitioners to assess the adequacy and effectiveness of the controls employed by Certification Authorities (CAs). The importance of those controls will continue to grow as e-commerce relies more heavily on third-party authentication for assurance about business activities. Because securing e-commerce transactions is technical in nature, this document also provides a brief overview of public key infrastructure (PKI) based on cryptography, of trusted third-party concepts, and of their increasing use in e-commerce.
Confidentiality, authentication, integrity, and nonrepudiation are the four most important ingredients required for trust in e-commerce transactions. The emerging response to these requirements is PKI technology, which uses digital certificates and asymmetric cryptography to address them.
PKI provides a means for relying parties (meaning, recipients of certificates who act in reliance on those certificates and/or digital signatures verified using those certificates) to know that another individual's or entity's public key actually belongs to that individual/entity. CA organizations and/or CA functions acting as trusted third parties have been established to address this need: the CA issues a digital certificate, signed with the CA's own private key, that binds an identity to a public key, and a relying party that trusts the CA can verify that binding before trusting the key. PKI uses public/private-key pairs, two mathematically related keys. One of these keys is typically made public, for example by posting it in a publicly accessible read-only repository, while the other remains private. Public-key cryptography works in such a way that a message encrypted with the public key can be decrypted only with the corresponding private key, and a signature made with the private key can be verified by anyone holding the public key. This technology can be used in different ways to provide confidentiality, authentication, integrity, and nonrepudiation.
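The binding described above, as an added example that is not part of the WebTrust program or of this page: a small Go program in which a CA issues a certificate binding a name to a subscriber's public key, the subscriber signs a message with the private key, and a relying party attributes the message to that name only after chaining the certificate to a root CA it trusts and verifying the signature under the certified key. The names, the message and the untrusted "Rogue CA" are constructed for the example; the chain building and signature checks are done by Go's standard crypto/x509 package.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// enroll generates a key pair for name and has signer certify its public half.
// With signer == nil the new key signs its own certificate: a root CA, the trust
// anchor a relying party installs. Constructed example; a real CA sets many more
// fields (policies, CRL/OCSP pointers, name constraints).
func enroll(signer *x509.Certificate, signerKey *ecdsa.PrivateKey, name string) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	if signer == nil { // self-signed root: may sign other certificates
		tmpl.IsCA, tmpl.KeyUsage, tmpl.ExtKeyUsage = true, x509.KeyUsageCertSign, nil
		signer, signerKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// verifyAsRelyingParty does what a recipient must do before believing a signed
// message: chain the certificate to a root it trusts, then check the signature
// under the certified public key. It returns the name the CA vouched for.
func verifyAsRelyingParty(root, cert *x509.Certificate, msg, sig []byte) (string, error) {
	roots := x509.NewCertPool()
	roots.AddCert(root)
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := cert.Verify(opts); err != nil {
		return "", fmt.Errorf("certificate does not chain to a trusted CA: %w", err)
	}
	// CheckSignature hashes msg with SHA-256 and verifies the ECDSA signature
	// with the public key carried in the certificate.
	if err := cert.CheckSignature(x509.ECDSAWithSHA256, msg, sig); err != nil {
		return "", fmt.Errorf("signature does not verify under the certified key: %w", err)
	}
	return cert.Subject.CommonName, nil
}

// Scenario runs the exchange end to end with constructed names and message. It
// returns the subject the relying party accepted on the honest path, and whether
// a certificate for the same name from a CA the relying party never trusted was
// rejected even though its signature is mathematically valid.
func Scenario() (accepted string, impostorRejected bool, err error) {
	msg := []byte("pay 100 to merchant")
	digest := sha256.Sum256(msg)
	root, rootKey, err := enroll(nil, nil, "Example Trusted CA")
	if err != nil {
		return "", false, err
	}
	aliceCert, aliceKey, err := enroll(root, rootKey, "alice@example.com")
	if err != nil {
		return "", false, err
	}
	aliceSig, err := ecdsa.SignASN1(rand.Reader, aliceKey, digest[:])
	if err != nil {
		return "", false, err
	}
	if accepted, err = verifyAsRelyingParty(root, aliceCert, msg, aliceSig); err != nil {
		return "", false, err
	}
	// Impostor path: "Rogue CA" certifies Mallory's key under Alice's name. The
	// relying party trusts only root, so the chain check fails and the message
	// is not attributed to Alice, however valid the signature is under Mallory's key.
	rogue, rogueKey, err := enroll(nil, nil, "Rogue CA")
	if err != nil {
		return "", false, err
	}
	malloryCert, malloryKey, err := enroll(rogue, rogueKey, "alice@example.com")
	if err != nil {
		return "", false, err
	}
	mallorySig, err := ecdsa.SignASN1(rand.Reader, malloryKey, digest[:])
	if err != nil {
		return "", false, err
	}
	_, rejectErr := verifyAsRelyingParty(root, malloryCert, msg, mallorySig)
	return accepted, rejectErr != nil, nil
}

func main() { fmt.Println(Scenario()) }
```

The point of the second path is that a relying party never verifies a signature in isolation: the certificate is only evidence of the name-to-key binding if it chains to a CA the relying party has chosen to trust, which is exactly what the CA controls assessed under this program are meant to make worth trusting.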
Cryptography is critical to establishing secure e-commerce. However, it has to be coupled with other secure protocols in order to provide a comprehensive security solution. Several cryptographic protocols require an independent trusted third party (the CA) to authenticate the parties to a transaction by vouching for their public keys. CAs have assumed an increasingly important role in secure e-commerce. Although there is a large body of existing national, international, and proprietary standards and guidelines for the use of cryptography, the management of digital certificates, and the policies and practices of CAs, these standards have not been applied uniformly.
To increase consumer confidence in the Internet as a vehicle for conducting e-commerce and in the application of PKI technology, the public accounting profession has developed and is promoting a set of principles and criteria for CAs, referred to as the AICPA/CICA WebTrust Program for Certification Authorities. Public accounting firms and practitioners who are specifically licensed by the AICPA/CICA can provide assurance services to evaluate and test whether the services provided by a particular Certification Authority meet these principles and criteria. The posting of the AICPA/CICA WebTrust Seal of assurance is a symbolic representation of a practitioner's unqualified report. The seal is displayed on the CA's Web site together with links to the practitioner's report and other relevant information.
This is an initial version of the AICPA/CICA WebTrust Program for Certification Authorities. It is intended to address user (meaning, subscriber and relying party) needs and concerns and is designed to benefit users and providers of CA e-commerce assurance services by providing a common body of knowledge that is communicated to such parties. We anticipate that future revisions will be needed to update these criteria and related materials as the available technology and common business practices evolve.
The AICPA/CICA WebTrust Program for Certification Authorities is consistent with standards being developed by the American National Standards Institute (ANSI) and the Internet Engineering Task Force (IETF).[1]
Principles and Criteria for Certification Authorities
- Principles and Criteria for Certification Authorities 1.0 (August 2000)
- Principles and Criteria for Certification Authorities 2.0 (Supersedes WebTrust for Certification Authorities Version 1.0)
Principles and Criteria for Certification Authorities – Extended Validation Audit Criteria
- Principles and Criteria for Certification Authorities – Extended Validation Audit Criteria 1.3
- Principles and Criteria for Certification Authorities – Extended Validation Audit Criteria 1.4
- Principles and Criteria for Certification Authorities – Extended Validation Audit Criteria 1.4 (amended)
SSL Baseline Requirements Audit Criteria
- SSL Baseline Requirements Audit Criteria V1.0
- SSL Baseline Requirements Audit Criteria V1.1
- SSL Baseline Requirements Audit Criteria V1.1 (amended)
[1] The ANSI X9F5 Digital Signature and Certificate Policy working group is developing the X9.79 PKI Practices and Policy Framework (X9.79) standard for the financial services community. This standard includes detailed Certification Authority Control Objectives against which Certification Authorities may be evaluated. An International Organization for Standardization (ISO) working group has been formed to standardize X9.79 based on international requirements in a new international standard. In addition, the American Bar Association's Information Security Committee (ABA-ISC) is developing the PKI Assessment Guidelines (PAG), which address the legal and technical requirements for Certification Authorities. The PAG makes reference to the Certification Authority Control Objectives that are detailed in the draft X9.79 standard and reflected in the WebTrust Program for Certification Authorities. The Certification Authority Control Objectives referred to in each of these documents were developed based on the existing body of ANSI, ISO, IETF, and other existing standards.