Advanced Search
Home

WebTrust

The American Institute of Certified Public Accountants [AICPA] & Chartered Accountants of Canada [CICA] WebTrust Standard for the ownership and operation of a Trusted Third Party Certificate Authority [CA]

WebTrust Principle 3

CA Environmental Controls

The third principle is—The certification authority maintains effective controls to provide reasonable assurance that:

  • Subscriber and relying party information is restricted to authorized individuals and protected from uses not specified in the CA’s business practices disclosure


  • The continuity of key and certificate life cycle management operations is maintained


  • CA systems development, maintenance, and operation are properly authorized and performed to maintain CA systems integrity

WebTrust Principle 2

Service Integrity

The second principle is—The certification authority maintains effective controls to provide reasonable assurance that:

  • Subscriber information was properly authenticated (for the registration activities performed by ABC-CA).


  • The integrity of keys and certificates it manages is established and protected throughout their life cycles.

WebTrust Principal 1

WebTrust for Certification Authorities Principles

To be understandable to the ultimate users—the subscriber and relying party—the following principles have been developed with the relying party in mind, and, as a result, are intended to be practical and non-technical in nature.

Principle 1: CA Business Practices Disclosure

WebTrust Seal Authentication



To verify whether the seal displayed on a CA's Web site is authentic, the customer can:

  • Click on the seal, which links the customer through a secure connection to a WebTrust seal verification page hosted by the seal manager. It identifies the CA and confirms that the CA is entitled to display the WebTrust seal. It also provides links to the appropriate principle(s) (that is, the WebTrust for Certification Authorities principles) and other relevant information

WebTrust Seal Management



The WebTrust seal of assurance for the CA will be managed by a seal manager along the following lines:

  • Upon becoming a WebTrust licensee, the WebTrust practitioner obtains a registration number (ID and password) from the WebTrust licensing authority. With this the practitioner can issue a WebTrust seal to the CA.

WebTrust Seal

Obtaining the WebTrust Seal

To obtain the WebTrust seal of assurance, the CA must meet all the WebTrust for Certification Authorities principles as measured by the WebTrust for Certification Authorities criteria associated with each of these principles. In addition, the entity must engage a practitioner to provide the WebTrust service, and obtain an unqualified report from such practitioner.

Keeping the WebTrust Seal

Once the seal is obtained, the CA will be able to continue displaying it on its Web site provided the following are performed:

Comparison with Service Auditor Reports


Comparison of a WebTrust for Certification Authorities Examination With Service Auditor Reports:

Professional standards currently exist for auditors to report on controls of third-party service providers (a service auditor’s engagement). Guidance for these engagements is set out in the Statement on Auditing Standards [SAS] No. 70 [SAS-70], Service Organizations, as amended.

WebTrust for Certification Authorities engagement differs from a service auditor’s engagement in a number of ways, including the following:

WebTrust Assurance Process


The CA’s management will make assertions along the following lines:

Management has assessed the controls over its CA operations. Based on that assessment, in ABC Certification Authority, Inc. (ABC-CA) Management’s opinion, in providing its certification authority (CA) services at [location], ABC-CA, during the period from [Month, day, year] through [Month, day, year]:

  • Disclosed its key and certificate life cycle management business and information privacy practices and provided such services in accordance with its disclosed practices

WebTrust

Introducing WebTrust

For compliance reasons, certain CA systems must prepare and document a complete set of WebTrust policies and procedures. Trusted Third Party [TTP] Certificate Authority [CA] (also known as 'Trust Centre') organisations and specific Government projects are two examples where WebTrust policies and procedures may be required in advance of conducting the WebTrust Audit.

There are typically three phases of the WebTrust implementation and these are sub divided and described in the following sub sections:

  • Ireland, Dublin
    +353 (1) 685-3680