Principles and Criteria

Notice: Release 1 New and Updated Versions of WebTrust for
Certification Authorities Principles and Criteria

The WebTrust/PKI Assurance Task Force has released

  • Version 2.3 of WebTrust Principles and Criteria for Certification Authorities – SSL Baseline with Network Security – replacing Version 2.2. It is effective for audit periods commencing 1 February 2018.
  • Version 2.1 of WebTrust for Certification Authorities replacing Version 2.0. It is effective for audit periods commencing November 1, 2017.
  • Version 1.6.2 of WebTrust for Certification Authorities – Extended Validation – SSL replacing Version 1.6.0. It is effective for audit periods commencing November 1, 2017.
  • Version 1.4.1 of WebTrust for Certification Authorities – Extended Validation – Code Signing replacing Version 1.4.0. It is effective for audit periods commencing November 1, 2017.

Significant Changes

Version 2.3 of WebTrust Principles and Criteria for Certification Authorities – SSL Baseline with Network Security

Updated SSL Baseline Audit Criteria to conform to SSL Baseline Requirements v1.5.4 and Network and Certificate System Security Requirements v1.1:

  • Principle 1, Criterion 6 – Require CAs to disclose their CAA Records policy in their CPS
  • Principle 2, Criterion 2.14 – Clarified the requirement for Root and Subordinate CA Subject Information
  • Principle 2, Criterion 4.1 – Updated so that domain validation must be completed prior to issuance (instead of as of the time of issuance), and that the CA maintains a record of the domain validation method (and associated BR version number) used.
  • Principle 2, Criterion 4.6 – Revised age of data from 39 months to 825 days for certificates issued on or after 1 March 2018, and updated to reflect re-use of previously completed validations
  • Principle 2, Criterion 4.10 and 4.11 – New criteria added to address CAA Records processing requirements.
  • Principle 2, Criterion 4.12 and 4.13 – Renumbered from 4.10 and 4.11.
  • Principle 2, Criterion 8.3 – Updated that this criterion is only effective for certificates issued before 11 August 2017
  • Principle 4 – Updates made to conform to CA/B Forum Ballot 210

Version 2.1 of WebTrust for Certification Authorities

  • Updated introduction section, including clarifying definitions for Root CA, Intermediate/Issuing CA, and Subordinate CA, and adding explanation of a Bridge CA structure.
  • Removed references to WebTrust v1 for Business Practices Disclosures. All CP and CPS documents must now be structured in accordance with RFC 3647 (recommended) or RFC 2527.
  • Updated the following criteria:
      ◦ Criteria 1.1 and 1.2 – Removed WebTrust v1 references
      ◦ Criteria 2.1 and 2.2 – Swapped order to be consistent with 1.1 and 1.2
      ◦ Criterion 3.6 – Expanded scope to specifically address hypervisors and network devices
      ◦ Criterion 3.7 – Expanded scope to specifically address system patching and change management activities
      ◦ Criterion 3.8 – Clarified scope to include the requirement for backups of CA information and data to be taken at regular intervals in accordance with the CA’s disclosed business practices.
      ◦ Criterion 4.5 – Split into two criteria (4.5 and 4.6); subsequent criteria renumbered
      ◦ Criterion 4.6 – Clarified scope to include destruction of any copies of CA keys held for any purpose, and added illustrative controls addressing formal key destruction ceremonies.
      ◦ Criterion 4.10 – New criterion added to address CA Key Transportation events
      ◦ Criterion 4.11 – New criterion added to address CA Key Migration events
      ◦ Criterion 6.1 – Streamlined criteria, minor updates to illustrative controls
      ◦ Criterion 7.1 – Updated to address cross-certificate requests.

Version 1.6.2 of WebTrust for Certification Authorities – Extended Validation – SSL

Updated EV SSL Audit Criteria to conform to EV SSL Guidelines v1.6.2 and other clarifications, including the following:

  • Principle 2, Criterion 2.2.3 – Updated maximum EV certificate lifetime to 825 days
  • Principle 2, Criterion 4.13 – Codified the requirements regarding the CA’s responsibility for verifying the accuracy of QIISs used for verification.

Version 1.6.2 of WebTrust for Certification Authorities – Extended Validation – SSL

  • Removed Principle 2, Criterion 5.12 as it was not auditable

Notice: Release 2 - Practitioners Guidance – Illustrative Reports

The WebTrust/PKI Assurance Task Force has prepared Illustrative Guidance for licensed WebTrust practitioners for the preparation of WebTrust audit reports under Canadian, US and International audit standards. This new material can be downloaded from the tab “Practitioner Qualification and Guidance”.

Audit Applicability Matrix

WebTrust for Certification Authorities - Audit Applicability Matrix
The WebTrust for Certification Authorities – Audit Applicability Matrix provides information about the relevant audit requirements based on current CA/Browser Forum and other requirements. In addition, it provides a summary of the current versions of the various applicable WebTrust for Certification Authorities audit schemes. (Updated to October 23, 2017)

WebTrust Principles and Criteria for Certification Authorities

Framework for third-party assurance providers to assess the adequacy and effectiveness of the controls employed by Certification Authorities (CAs)

Principles and Criteria for Certification Authorities 2.0
Principles and Criteria for Certification Authorities 2.1

Framework for third-party assurance providers for Extended Validation Certificates

• WebTrust Principles and Criteria for Certification Authorities – Extended Validation SSL – Version 1.6.2

• WebTrust Principles and Criteria for Certification Authorities – Extended Validation SSL – Version 1.6
Version 1.6 is effective for audit periods commencing on or after January 1, 2017. For audit periods commencing prior to January 1, 2017, please use version 1.4.5.

• WebTrust Principles and Criteria for Certification Authorities – Extended Validation SSL – Version 1.4.5

Framework for third-party assurance providers relating to SSL Certificates

WebTrust Principles and Criteria for Certification Authorities – SSL Baseline with Network Security – Version 2.3
Version 2.3 is effective for audit periods commencing on or after February 1, 2018. For audit periods commencing prior to January 31, 2018, please use Version 2.2. These Principles and Criteria incorporate the CA/Browser Forum requirements for the Issuance and Management of Publicly-Trusted Certificates and the Network and Certificate System Security Requirements (see Appendices A, B, C and D in the Principles and Criteria document for more information).
Version 2.3 (and Versions 2.2 and 2.0) incorporate two CA/Browser Forum requirements documents:

  • Baseline Requirements for the Issuance and Management of Publicly-Trusted Certificates (“SSL Baseline Requirements”); and
  • Network and Certificate System Security Requirements (“Network Security Requirements”).

The SSL Baseline Requirements are addressed in Principles 1, 2, and 3 of these audit criteria. The Network Security Requirements are addressed in Principle 4 of these audit criteria.

Framework for third-party assurance providers relating to code signing