Principles and Criteria

Audit Applicability Matrix

WebTrust for Certification Authorities - Audit Applicability Matrix
The WebTrust for Certification Authorities – Audit Applicability Matrix provides information about the relevant audit requirements based on current CA/Browser Forum and other requirements. In addition, it provides a summary of the current versions of the various applicable WebTrust for Certification Authorities audit schemes.

WebTrust Principles and Criteria for Certification Authorities

Framework for third party assurance providers to assess the adequacy and effectiveness of the Controls employed by Certification Authorities (CAs)

Principles and Criteria for Certification Authorities 2.0

Framework for third party assurance providers for Extended Validation Certificates

WebTrust Principles and Criteria for Certification Authorities – Extended Validation SSL – Version 1.4.5
Notes from Last Update: Effective upon release on April 3, 2014, Version 1.4.5 of the WebTrust Principles and Criteria for Extended Validation SSL incorporates changes to criteria to reflect updates made by the CA/B Forum. In 2011, the Forum released its Baseline Requirements for the Issuance and Management of Publicly-Trusted Certificates (“Baseline Requirements”). Subsequently, the CA/B Forum approved several updates, with the latest edition being Version 1.1.6. The Forum’s EV SSL Guidelines and these EV SSL Criteria at times make reference to the Baseline Requirements, and many guidelines that were previously detailed in the Forum’s EV SSL Guidelines are now incorporated by reference to the Baseline Requirements. To facilitate the EV SSL Audit, however, these requirements continued to be detailed in the WebTrust EV SSL Criteria.

Framework for third party assurance providers relating to SSL Certificates

WebTrust Principles and Criteria for Certification Authorities – SSL Baseline with Network Security – Version 2.1
Effective for audit periods starting on or after December 1, 2016.
Version 2.1 incorporates the CA/Browser requirements for the Issuance and Management of Publicly-Trusted Certificates and the Network and Certificate System Security requirements. (See Appendices A, B, C and D in the Principles and Criteria document for more information.)
Version 2.1 incorporates two CA/Browser Forum requirements documents:

  • Baseline Requirements for the Issuance and Management of Publicly-Trusted Certificates (“SSL Baseline Requirements”); and
  • Network and Certificate System Security Requirements (“Network Security Requirements”).

The SSL Baseline Requirements are addressed in Principles 1, 2, and 3 of these audit criteria. The Network Security Requirements are addressed in Principle 4 of these audit criteria.
For audit periods starting prior to December 1, 2016, please continue to use WebTrust Principles and Criteria for Certification Authorities – SSL Baseline with Network Security – Version 2.

Framework for third party assurance providers relating to code signing

Principles and Criteria for Certification Authorities – Extended Validation Code Signing
Notes from last update: Effective for audits starting on or after July 1, 2014, the WebTrust Principles and Criteria for Certification Authorities – Extended Validation Code Signing (“EV Code Signing Criteria”) document establishes criteria to be used by auditors as a basis for an EV Code Signing audit. These Principles and Criteria are based on the CA/B Forum’s “Guidelines for the Issuance and Management of Extended Validation Code Signing Certificates”.