Principles and Criteria

Audit Applicability Matrix

WebTrust for Certification Authorities - Audit Applicability Matrix
The WebTrust for Certification Authorities – Audit Applicability Matrix provides information about the relevant audit requirements based on current CA/Browser Forum and other requirements. In addition, it provides a summary of the current versions of the various applicable WebTrust for Certification Authorities audit schemes. (Updated February 1, 2017)

WebTrust Principles and Criteria for Certification Authorities

Framework for third party assurance providers to assess the adequacy and effectiveness of the Controls employed by Certification Authorities (CAs)

Principles and Criteria for Certification Authorities 2.0

Framework for third party assurance providers for Extended Validation Certificates

• WebTrust Principles and Criteria for Certification Authorities – Extended Validation SSL – Version 1.6
Version 1.6 is effective for audit periods commencing on or after January 1, 2017.  For audit periods commencing prior to January 1, 2017, please use version 1.4.5.

• WebTrust Principles and Criteria for Certification Authorities – Extended Validation SSL – Version 1.4.5

Framework for third party assurance providers relating to SSL Certificates

• WebTrust Principles and Criteria for Certification Authorities – SSL Baseline with Network Security – Version 2.2
Version 2.2 is effective for audit periods commencing on or after December 1, 2016. For audit periods commencing prior to January 1, 2017, please use
Version 2.2 (and Version 2.0) incorporates the CA/Browser requirements for the Issuance and Management of Publicly-Trusted Certificates and the Network and Certificate System Security Requirements. (See Appendices A, B, C and D in the Principles and Criteria document for more information.)
Version 2.2 (and Version 2.0) incorporates two CA/Browser Forum requirements documents:

  • Baseline Requirements for the Issuance and Management of Publicly-Trusted Certificates (“SSL Baseline Requirements”); and
  • Network and Certificate System Security Requirements (“Network Security Requirements”).
The SSL Baseline Requirements are addressed in Principles 1, 2, and 3 of these audit criteria. The Network Security Requirements are addressed in Principle 4 of these audit criteria.

Framework for third party assurance providers relating to code signing