1 webtrust for certification authorities (cas) overview october 2011 webtrust for certification...
TRANSCRIPT
![Page 1: 1 WebTrust for Certification Authorities (CAs) Overview October 2011 WebTrust for Certification Authorities (CAs) Overview October 2011 Presentation based](https://reader036.vdocument.in/reader036/viewer/2022082709/56649cc45503460f9498e079/html5/thumbnails/1.jpg)
1
WebTrust for Certification Authorities (CAs) Overview
October 2011
WebTrust for Certification Authorities (CAs) Overview
October 2011
Presentation based on documentation from KPMG
![Page 2: 1 WebTrust for Certification Authorities (CAs) Overview October 2011 WebTrust for Certification Authorities (CAs) Overview October 2011 Presentation based](https://reader036.vdocument.in/reader036/viewer/2022082709/56649cc45503460f9498e079/html5/thumbnails/2.jpg)
2
OutlineOutline
WebTrust for CAs – Introduction
WebTrust for CAs – Benefits
WebTrust for CAs Principles and Criteria
Summary of WebTrust for CAs Criteria Topics
Typical Audit Process
Typical Participants in the Audit Process
Recent Developments
WebTrust for CAs – Introduction
WebTrust for CAs – Benefits
WebTrust for CAs Principles and Criteria
Summary of WebTrust for CAs Criteria Topics
Typical Audit Process
Typical Participants in the Audit Process
Recent Developments
![Page 3: 1 WebTrust for Certification Authorities (CAs) Overview October 2011 WebTrust for Certification Authorities (CAs) Overview October 2011 Presentation based](https://reader036.vdocument.in/reader036/viewer/2022082709/56649cc45503460f9498e079/html5/thumbnails/3.jpg)
3
WebTrust for CAs - IntroductionWebTrust for CAs - Introduction
AICPA/CICA WebTrust Program for Certification Authorities provides a framework for licensed WebTrust practitioners to assess the adequacy and effectiveness of the controls employed by Certification Authorities (CAs).
Typically an annual examination covering 12 months of activity. The initial examination often covers a shorter period such as 3 months.
WebTrust for CAs seal of assurance is a symbolic representation of an unqualified report issued to the CA.
Versions of WebTrust for CAs v 1.0, released in 2000 and v 2.0, released in 2011.
WebTrust for Certification Authorities – NAESB Validation is a supplemental audit to assess compliance with specific requirements issued by NAESB WEQ.
AICPA/CICA WebTrust Program for Certification Authorities provides a framework for licensed WebTrust practitioners to assess the adequacy and effectiveness of the controls employed by Certification Authorities (CAs).
Typically an annual examination covering 12 months of activity. The initial examination often covers a shorter period such as 3 months.
WebTrust for CAs seal of assurance is a symbolic representation of an unqualified report issued to the CA.
Versions of WebTrust for CAs v 1.0, released in 2000 and v 2.0, released in 2011.
WebTrust for Certification Authorities – NAESB Validation is a supplemental audit to assess compliance with specific requirements issued by NAESB WEQ.
![Page 4: 1 WebTrust for Certification Authorities (CAs) Overview October 2011 WebTrust for Certification Authorities (CAs) Overview October 2011 Presentation based](https://reader036.vdocument.in/reader036/viewer/2022082709/56649cc45503460f9498e079/html5/thumbnails/4.jpg)
4
WebTrust for CAs - BenefitsWebTrust for CAs - Benefits
Framework allows for communication to auditors, customers, business partners, and potential customers.
Provides assurance for Certificate Authorities that the CA’s business practices and controls are in line with AICPA/CICA WebTrust Principles and Criteria for CA’s.
Can address the needs of relying parties including enterprise and individual customers, regulatory bodies, communities of trust (e.g., Federal Bridge PKI), technology vendors (e.g., Microsoft, Mozilla, Google), and others.
Principles and Criteria for CAs are aligned with the X9.79 PKI Practices and Policy Framework standard.
Principles and Criteria for CAs (in version 2.0) are also aligned with the ISO 21188 PKI Policy and Practices framework .
The framework is based on a baseline set of CA requirements combined with any defined requirements for the community (which can be incorporated into the CA’s CPS or another community requirements document).
Framework allows for communication to auditors, customers, business partners, and potential customers.
Provides assurance for Certificate Authorities that the CA’s business practices and controls are in line with AICPA/CICA WebTrust Principles and Criteria for CA’s.
Can address the needs of relying parties including enterprise and individual customers, regulatory bodies, communities of trust (e.g., Federal Bridge PKI), technology vendors (e.g., Microsoft, Mozilla, Google), and others.
Principles and Criteria for CAs are aligned with the X9.79 PKI Practices and Policy Framework standard.
Principles and Criteria for CAs (in version 2.0) are also aligned with the ISO 21188 PKI Policy and Practices framework .
The framework is based on a baseline set of CA requirements combined with any defined requirements for the community (which can be incorporated into the CA’s CPS or another community requirements document).
![Page 5: 1 WebTrust for Certification Authorities (CAs) Overview October 2011 WebTrust for Certification Authorities (CAs) Overview October 2011 Presentation based](https://reader036.vdocument.in/reader036/viewer/2022082709/56649cc45503460f9498e079/html5/thumbnails/5.jpg)
5
WebTrust for CAs Principles and CriteriaWebTrust for CAs Principles and Criteria
The WebTrust for CAs program includes the principles listed below. Underlying each principle, there are a series of supporting criteria to which the CA has to conform.1. CA Business Practice Disclosure (CP/CPS)
The Certification Authority discloses its key and certificate life cycle management business and information privacy practices and provides its services in accordance with its disclosed practices.
2. Service IntegritySubscriber information was properly authenticated (for the registration activities performed by ABC-CA) andThe integrity of keys and certificates it manages is established and protected throughout their life cycles.
3. CA Environmental ControlsSubscriber and relying party information is restricted and protected Continuity of key and certificate management operations is maintained CA systems development, maintenance and operation are properly authorized and performed to maintain CA systems integrity
The WebTrust for CAs program includes the principles listed below. Underlying each principle, there are a series of supporting criteria to which the CA has to conform.1. CA Business Practice Disclosure (CP/CPS)
The Certification Authority discloses its key and certificate life cycle management business and information privacy practices and provides its services in accordance with its disclosed practices.
2. Service IntegritySubscriber information was properly authenticated (for the registration activities performed by ABC-CA) andThe integrity of keys and certificates it manages is established and protected throughout their life cycles.
3. CA Environmental ControlsSubscriber and relying party information is restricted and protected Continuity of key and certificate management operations is maintained CA systems development, maintenance and operation are properly authorized and performed to maintain CA systems integrity
![Page 6: 1 WebTrust for Certification Authorities (CAs) Overview October 2011 WebTrust for Certification Authorities (CAs) Overview October 2011 Presentation based](https://reader036.vdocument.in/reader036/viewer/2022082709/56649cc45503460f9498e079/html5/thumbnails/6.jpg)
6
Summary of WebTrust for CAs Criteria TopicsSummary of WebTrust for CAs Criteria Topics
CA BUSINESS PRACTICES DISCLOSURE (CP/CPS)
CA ENVIRONMENTAL CONTROLS
CA KEY MANAGEMENT CERTIFICATE LIFE CYCLE MANAGEMENT
• CP/CPS Management• Security Management• Asset Classification and
Management• Personnel Security• Physical and Environmental
Security• Operations Management• System Access
Management• Systems Development and
Maintenance• Business Continuity
Management• Monitoring and Compliance• Event Journaling
• CA Key Generation• CA Key Storage Backup and
Recovery• CA Key Escrow (optional)• CA Key Usage• CA Key Archival• CA Key Destruction• CA Cryptographic Device
Life Cycle Management• CA-Provided Subscriber Key
Management Services (optional)
• Subscriber Registration• Certificate Rekey/ Renewal
Certificate Issuance• Certificate Distribution• Certificate Revocation• Certificate Suspension
(optional)• Certificate Status
Information Processing• Integrated Circuit Card Life
Cycle Management (optional)
![Page 7: 1 WebTrust for Certification Authorities (CAs) Overview October 2011 WebTrust for Certification Authorities (CAs) Overview October 2011 Presentation based](https://reader036.vdocument.in/reader036/viewer/2022082709/56649cc45503460f9498e079/html5/thumbnails/7.jpg)
7
Typical Audit ProcessTypical Audit Process
The audit process typically includes the following phases:
Planning – Define the overall audit schedule, provide documentation request list, provide meeting request list, review CP/CPS and other policies/procedures before onsite fieldwork
Fieldwork – Conduct meetings with key individuals, observe processes, inspect configurations, gather audit evidence (refer to Appendix 1 for examples of audit focus areas).
Offsite Analysis – Analysis of information gathered during and post fieldwork
Reporting – Preparation of the audit report
The audit process typically includes the following phases:
Planning – Define the overall audit schedule, provide documentation request list, provide meeting request list, review CP/CPS and other policies/procedures before onsite fieldwork
Fieldwork – Conduct meetings with key individuals, observe processes, inspect configurations, gather audit evidence (refer to Appendix 1 for examples of audit focus areas).
Offsite Analysis – Analysis of information gathered during and post fieldwork
Reporting – Preparation of the audit report
![Page 8: 1 WebTrust for Certification Authorities (CAs) Overview October 2011 WebTrust for Certification Authorities (CAs) Overview October 2011 Presentation based](https://reader036.vdocument.in/reader036/viewer/2022082709/56649cc45503460f9498e079/html5/thumbnails/8.jpg)
8
Typical Audit Process (continued)Typical Audit Process (continued)
Other information:
Fieldwork generally requires 1 – 4 weeks of effort depending on the size and complexity of the CA infrastructure.
For a relatively simple CA environment, the duration of the audit process from planning to final report issuance is approximately 2-4 months.
The cost of a WebTrust for CAs examination can range from $50,000 to $250,000 or more depending on the complexity of the environment (i.e., number of CAs, number of CP/CPS documents, etc.).
Where the CA has not previously completed a formal audit, it is recommended that they first complete a “readiness review” so that any issues can be identified and corrected before the first formal audit.
Other information:
Fieldwork generally requires 1 – 4 weeks of effort depending on the size and complexity of the CA infrastructure.
For a relatively simple CA environment, the duration of the audit process from planning to final report issuance is approximately 2-4 months.
The cost of a WebTrust for CAs examination can range from $50,000 to $250,000 or more depending on the complexity of the environment (i.e., number of CAs, number of CP/CPS documents, etc.).
Where the CA has not previously completed a formal audit, it is recommended that they first complete a “readiness review” so that any issues can be identified and corrected before the first formal audit.
![Page 9: 1 WebTrust for Certification Authorities (CAs) Overview October 2011 WebTrust for Certification Authorities (CAs) Overview October 2011 Presentation based](https://reader036.vdocument.in/reader036/viewer/2022082709/56649cc45503460f9498e079/html5/thumbnails/9.jpg)
9
Typical Participants in the Audit ProcessTypical Participants in the Audit Process
Personnel responsible for:• Security management• Personnel• Physical security• IT operations (e.g., network and
system security, monitoring, change management)
• CA business continuity management
• CA key management operations• Registration authority activities
Personnel responsible for:• Security management• Personnel• Physical security• IT operations (e.g., network and
system security, monitoring, change management)
• CA business continuity management
• CA key management operations• Registration authority activities
Involvement typically includes:• Participation in interviews to discuss
CA processes• Responding to requests for
documented policies/procedures, lists of events occurring during the period, and supporting evidence for a sample of events selected by the auditor
Level of involvement:• Typically the CA assigns an audit
coordinator who spends 25 – 50% of their time coordinating meetings and the gathering of audit evidence during the fieldwork phase of the audit.
• Other individuals are typically involved for a small portion of focused time.
![Page 10: 1 WebTrust for Certification Authorities (CAs) Overview October 2011 WebTrust for Certification Authorities (CAs) Overview October 2011 Presentation based](https://reader036.vdocument.in/reader036/viewer/2022082709/56649cc45503460f9498e079/html5/thumbnails/10.jpg)
10
Recent DevelopmentsRecent Developments
Trust Service Principles and Criteria for Certification Authorities Version 2.0
The AICPA/CICA WebTrust for Certification Authorities task force led the development of an update to the WebTrust for CAs standard which is effective July 1, 2011
Version 2.0 aligned with ISO 21188 Public Key Infrastructure policy and practices framework
Supersedes WebTrust for CAs Principles, v1.0
Additional reporting templates included for other types of CAs (e.g., Federal Bridge CA)
Trust Service Principles and Criteria for Certification Authorities Version 2.0
The AICPA/CICA WebTrust for Certification Authorities task force led the development of an update to the WebTrust for CAs standard which is effective July 1, 2011
Version 2.0 aligned with ISO 21188 Public Key Infrastructure policy and practices framework
Supersedes WebTrust for CAs Principles, v1.0
Additional reporting templates included for other types of CAs (e.g., Federal Bridge CA)
![Page 11: 1 WebTrust for Certification Authorities (CAs) Overview October 2011 WebTrust for Certification Authorities (CAs) Overview October 2011 Presentation based](https://reader036.vdocument.in/reader036/viewer/2022082709/56649cc45503460f9498e079/html5/thumbnails/11.jpg)
11
Reference DocumentsReference Documents
GlobalSign WebTrust Link. https://cert.webtrust.org/ViewSeal?
WebTrust Principles and Criteria Link http://www.webtrust.org/principles-and-criteria/item27818.pdf
Federal Bridge Certificate Policy linkhttp://www.idmanagement.gov/fpkipa/documents/FBCA_CP_RFC3647.pdf
GlobalSign WebTrust Link. https://cert.webtrust.org/ViewSeal?
WebTrust Principles and Criteria Link http://www.webtrust.org/principles-and-criteria/item27818.pdf
Federal Bridge Certificate Policy linkhttp://www.idmanagement.gov/fpkipa/documents/FBCA_CP_RFC3647.pdf