1

WebTrust for Certification Authorities (CAs) Overview

October 2011

WebTrust for Certification Authorities (CAs) Overview

October 2011

Presentation based on documentation from KPMG

2

OutlineOutline

WebTrust for CAs – Introduction

WebTrust for CAs – Benefits

WebTrust for CAs Principles and Criteria

Summary of WebTrust for CAs Criteria Topics

Typical Audit Process

Typical Participants in the Audit Process

Recent Developments

WebTrust for CAs – Introduction

WebTrust for CAs – Benefits

WebTrust for CAs Principles and Criteria

Summary of WebTrust for CAs Criteria Topics

Typical Audit Process

Typical Participants in the Audit Process

Recent Developments

3

WebTrust for CAs - IntroductionWebTrust for CAs - Introduction

AICPA/CICA WebTrust Program for Certification Authorities provides a framework for licensed WebTrust practitioners to assess the adequacy and effectiveness of the controls employed by Certification Authorities (CAs).

Typically an annual examination covering 12 months of activity. The initial examination often covers a shorter period such as 3 months.

WebTrust for CAs seal of assurance is a symbolic representation of an unqualified report issued to the CA.

Versions of WebTrust for CAs v 1.0, released in 2000 and v 2.0, released in 2011.

WebTrust for Certification Authorities – NAESB Validation is a supplemental audit to assess compliance with specific requirements issued by NAESB WEQ.

AICPA/CICA WebTrust Program for Certification Authorities provides a framework for licensed WebTrust practitioners to assess the adequacy and effectiveness of the controls employed by Certification Authorities (CAs).

Typically an annual examination covering 12 months of activity. The initial examination often covers a shorter period such as 3 months.

WebTrust for CAs seal of assurance is a symbolic representation of an unqualified report issued to the CA.

Versions of WebTrust for CAs v 1.0, released in 2000 and v 2.0, released in 2011.

WebTrust for Certification Authorities – NAESB Validation is a supplemental audit to assess compliance with specific requirements issued by NAESB WEQ.

4

WebTrust for CAs - BenefitsWebTrust for CAs - Benefits

Framework allows for communication to auditors, customers, business partners, and potential customers.

Provides assurance for Certificate Authorities that the CA’s business practices and controls are in line with AICPA/CICA WebTrust Principles and Criteria for CA’s.

Can address the needs of relying parties including enterprise and individual customers, regulatory bodies, communities of trust (e.g., Federal Bridge PKI), technology vendors (e.g., Microsoft, Mozilla, Google), and others.

Principles and Criteria for CAs are aligned with the X9.79 PKI Practices and Policy Framework standard.

Principles and Criteria for CAs (in version 2.0) are also aligned with the ISO 21188 PKI Policy and Practices framework .

The framework is based on a baseline set of CA requirements combined with any defined requirements for the community (which can be incorporated into the CA’s CPS or another community requirements document).

Framework allows for communication to auditors, customers, business partners, and potential customers.

Provides assurance for Certificate Authorities that the CA’s business practices and controls are in line with AICPA/CICA WebTrust Principles and Criteria for CA’s.

Can address the needs of relying parties including enterprise and individual customers, regulatory bodies, communities of trust (e.g., Federal Bridge PKI), technology vendors (e.g., Microsoft, Mozilla, Google), and others.

Principles and Criteria for CAs are aligned with the X9.79 PKI Practices and Policy Framework standard.

Principles and Criteria for CAs (in version 2.0) are also aligned with the ISO 21188 PKI Policy and Practices framework .

The framework is based on a baseline set of CA requirements combined with any defined requirements for the community (which can be incorporated into the CA’s CPS or another community requirements document).

5

WebTrust for CAs Principles and CriteriaWebTrust for CAs Principles and Criteria

The WebTrust for CAs program includes the principles listed below. Underlying each principle, there are a series of supporting criteria to which the CA has to conform.1. CA Business Practice Disclosure (CP/CPS)

The Certification Authority discloses its key and certificate life cycle management business and information privacy practices and provides its services in accordance with its disclosed practices.

2. Service IntegritySubscriber information was properly authenticated (for the registration activities performed by ABC-CA) andThe integrity of keys and certificates it manages is established and protected throughout their life cycles.

3. CA Environmental ControlsSubscriber and relying party information is restricted and protected Continuity of key and certificate management operations is maintained CA systems development, maintenance and operation are properly authorized and performed to maintain CA systems integrity

The WebTrust for CAs program includes the principles listed below. Underlying each principle, there are a series of supporting criteria to which the CA has to conform.1. CA Business Practice Disclosure (CP/CPS)

The Certification Authority discloses its key and certificate life cycle management business and information privacy practices and provides its services in accordance with its disclosed practices.

2. Service IntegritySubscriber information was properly authenticated (for the registration activities performed by ABC-CA) andThe integrity of keys and certificates it manages is established and protected throughout their life cycles.

3. CA Environmental ControlsSubscriber and relying party information is restricted and protected Continuity of key and certificate management operations is maintained CA systems development, maintenance and operation are properly authorized and performed to maintain CA systems integrity

6

Summary of WebTrust for CAs Criteria TopicsSummary of WebTrust for CAs Criteria Topics

CA BUSINESS PRACTICES DISCLOSURE (CP/CPS)

CA ENVIRONMENTAL CONTROLS

CA KEY MANAGEMENT CERTIFICATE LIFE CYCLE MANAGEMENT

• CP/CPS Management• Security Management• Asset Classification and

Management• Personnel Security• Physical and Environmental

Security• Operations Management• System Access

Management• Systems Development and

Maintenance• Business Continuity

Management• Monitoring and Compliance• Event Journaling

• CA Key Generation• CA Key Storage Backup and

Recovery• CA Key Escrow (optional)• CA Key Usage• CA Key Archival• CA Key Destruction• CA Cryptographic Device

Life Cycle Management• CA-Provided Subscriber Key

Management Services (optional)

• Subscriber Registration• Certificate Rekey/ Renewal

Certificate Issuance• Certificate Distribution• Certificate Revocation• Certificate Suspension

(optional)• Certificate Status

Information Processing• Integrated Circuit Card Life

Cycle Management (optional)

7

Typical Audit ProcessTypical Audit Process

The audit process typically includes the following phases:

Planning – Define the overall audit schedule, provide documentation request list, provide meeting request list, review CP/CPS and other policies/procedures before onsite fieldwork

Fieldwork – Conduct meetings with key individuals, observe processes, inspect configurations, gather audit evidence (refer to Appendix 1 for examples of audit focus areas).

Offsite Analysis – Analysis of information gathered during and post fieldwork

Reporting – Preparation of the audit report

The audit process typically includes the following phases:

Planning – Define the overall audit schedule, provide documentation request list, provide meeting request list, review CP/CPS and other policies/procedures before onsite fieldwork

Fieldwork – Conduct meetings with key individuals, observe processes, inspect configurations, gather audit evidence (refer to Appendix 1 for examples of audit focus areas).

Offsite Analysis – Analysis of information gathered during and post fieldwork

Reporting – Preparation of the audit report

8

Typical Audit Process (continued)Typical Audit Process (continued)

Other information:

Fieldwork generally requires 1 – 4 weeks of effort depending on the size and complexity of the CA infrastructure.

For a relatively simple CA environment, the duration of the audit process from planning to final report issuance is approximately 2-4 months.

The cost of a WebTrust for CAs examination can range from $50,000 to $250,000 or more depending on the complexity of the environment (i.e., number of CAs, number of CP/CPS documents, etc.).

Where the CA has not previously completed a formal audit, it is recommended that they first complete a “readiness review” so that any issues can be identified and corrected before the first formal audit.

Other information:

Fieldwork generally requires 1 – 4 weeks of effort depending on the size and complexity of the CA infrastructure.

For a relatively simple CA environment, the duration of the audit process from planning to final report issuance is approximately 2-4 months.

The cost of a WebTrust for CAs examination can range from $50,000 to $250,000 or more depending on the complexity of the environment (i.e., number of CAs, number of CP/CPS documents, etc.).

Where the CA has not previously completed a formal audit, it is recommended that they first complete a “readiness review” so that any issues can be identified and corrected before the first formal audit.

9

Typical Participants in the Audit ProcessTypical Participants in the Audit Process

Personnel responsible for:• Security management• Personnel• Physical security• IT operations (e.g., network and

system security, monitoring, change management)

• CA business continuity management

• CA key management operations• Registration authority activities

Personnel responsible for:• Security management• Personnel• Physical security• IT operations (e.g., network and

system security, monitoring, change management)

• CA business continuity management

• CA key management operations• Registration authority activities

Involvement typically includes:• Participation in interviews to discuss

CA processes• Responding to requests for

documented policies/procedures, lists of events occurring during the period, and supporting evidence for a sample of events selected by the auditor

Level of involvement:• Typically the CA assigns an audit

coordinator who spends 25 – 50% of their time coordinating meetings and the gathering of audit evidence during the fieldwork phase of the audit.

• Other individuals are typically involved for a small portion of focused time.

10

Recent DevelopmentsRecent Developments

Trust Service Principles and Criteria for Certification Authorities Version 2.0

The AICPA/CICA WebTrust for Certification Authorities task force led the development of an update to the WebTrust for CAs standard which is effective July 1, 2011

Version 2.0 aligned with ISO 21188 Public Key Infrastructure policy and practices framework

Supersedes WebTrust for CAs Principles, v1.0

Additional reporting templates included for other types of CAs (e.g., Federal Bridge CA)

Trust Service Principles and Criteria for Certification Authorities Version 2.0

The AICPA/CICA WebTrust for Certification Authorities task force led the development of an update to the WebTrust for CAs standard which is effective July 1, 2011

Version 2.0 aligned with ISO 21188 Public Key Infrastructure policy and practices framework

Supersedes WebTrust for CAs Principles, v1.0

Additional reporting templates included for other types of CAs (e.g., Federal Bridge CA)

11

Reference DocumentsReference Documents

GlobalSign WebTrust Link. https://cert.webtrust.org/ViewSeal?

WebTrust Principles and Criteria Link http://www.webtrust.org/principles-and-criteria/item27818.pdf

Federal Bridge Certificate Policy linkhttp://www.idmanagement.gov/fpkipa/documents/FBCA_CP_RFC3647.pdf

GlobalSign WebTrust Link. https://cert.webtrust.org/ViewSeal?

WebTrust Principles and Criteria Link http://www.webtrust.org/principles-and-criteria/item27818.pdf

Federal Bridge Certificate Policy linkhttp://www.idmanagement.gov/fpkipa/documents/FBCA_CP_RFC3647.pdf