WebTrust for Certification Authorities (CAs) Overview October 2011

1. WebTrust for Certification Authorities (CAs) Overview October 2011 Presentation based on documentation from KPMG

2. Outline • WebTrust for CAs – Introduction • WebTrust for CAs – Benefits • WebTrust for CAs Principles and Criteria • Summary of WebTrust for CAs Criteria Topics • Typical Audit Process • Typical Participants in the Audit Process • Recent Developments

3. WebTrust for CAs - Introduction • AICPA/CICA WebTrust Program for Certification Authorities provides a framework for licensed WebTrust practitioners to assess the adequacy and effectiveness of the controls employed by Certification Authorities (CAs). • Typically an annual examination covering 12 months of activity. The initial examination often covers a shorter period such as 3 months. • WebTrust for CAs seal of assurance is a symbolic representation of an unqualified report issued to the CA. • Versions of WebTrust for CAs v 1.0, released in 2000 and v 2.0, released in 2011. • WebTrust for Certification Authorities – NAESB Validation is a supplemental audit to assess compliance with specific requirements issued by NAESB WEQ.

4. WebTrust for CAs - Benefits • Framework allows for communication to auditors, customers, business partners, and potential customers. • Provides assurance for Certificate Authorities that the CA’s business practices and controls are in line with AICPA/CICA WebTrust Principles and Criteria for CA’s. • Can address the needs of relying parties including enterprise and individual customers, regulatory bodies, communities of trust (e.g., Federal Bridge PKI), technology vendors (e.g., Microsoft, Mozilla, Google), and others. • Principles and Criteria for CAs are aligned with the X9.79 PKI Practices and Policy Framework standard. • Principles and Criteria for CAs (in version 2.0) are also aligned with the ISO 21188 PKI Policy and Practices framework . • The framework is based on a baseline set of CA requirements combined with any defined requirements for the community (which can be incorporated into the CA’s CPS or another community requirements document).

5. WebTrust for CAs Principles and Criteria The WebTrust for CAs program includes the principles listed below. Underlying each principle, there are a series of supporting criteria to which the CA has to conform. • CA Business Practice Disclosure (CP/CPS) • The Certification Authority discloses its key and certificate life cycle management business and information privacy practices and provides its services in accordance with its disclosed practices. • Service Integrity • Subscriber information was properly authenticated (for the registration activities performed by ABC-CA) and • The integrity of keys and certificates it manages is established and protected throughout their life cycles. • CA Environmental Controls • Subscriber and relying party information is restricted and protected • Continuity of key and certificate management operations is maintained • CA systems development, maintenance and operation are properly authorized and performed to maintain CA systems integrity

6. Summary of WebTrust for CAs Criteria Topics

7. Typical Audit Process The audit process typically includes the following phases: • Planning – Define the overall audit schedule, provide documentation request list, provide meeting request list, review CP/CPS and other policies/procedures before onsite fieldwork • Fieldwork – Conduct meetings with key individuals, observe processes, inspect configurations, gather audit evidence (refer to Appendix 1 for examples of audit focus areas). • Offsite Analysis – Analysis of information gathered during and post fieldwork • Reporting – Preparation of the audit report

8. Typical Audit Process (continued) Other information: • Fieldwork generally requires 1 – 4 weeks of effort depending on the size and complexity of the CA infrastructure. • For a relatively simple CA environment, the duration of the audit process from planning to final report issuance is approximately 2-4 months. • The cost of a WebTrust for CAs examination can range from $50,000 to $250,000 or more depending on the complexity of the environment (i.e., number of CAs, number of CP/CPS documents, etc.). • Where the CA has not previously completed a formal audit, it is recommended that they first complete a “readiness review” so that any issues can be identified and corrected before the first formal audit.

9. Typical Participants in the Audit Process • Involvement typically includes: • Participation in interviews to discuss CA processes • Responding to requests for documented policies/procedures, lists of events occurring during the period, and supporting evidence for a sample of events selected by the auditor Personnel responsible for: • Security management • Personnel • Physical security • IT operations (e.g., network and system security, monitoring, change management) • CA business continuity management • CA key management operations • Registration authority activities • Level of involvement: • Typically the CA assigns an audit coordinator who spends 25 – 50% of their time coordinating meetings and the gathering of audit evidence during the fieldwork phase of the audit. • Other individuals are typically involved for a small portion of focused time.

10. Recent Developments • Trust Service Principles and Criteria for Certification Authorities Version 2.0 • The AICPA/CICA WebTrust for Certification Authorities task force led the development of an update to the WebTrust for CAs standard which is effective July 1, 2011 • Version 2.0 aligned with ISO 21188 Public Key Infrastructure policy and practices framework • Supersedes WebTrust for CAs Principles, v1.0 • Additional reporting templates included for other types of CAs (e.g., Federal Bridge CA)

11. Reference Documents • GlobalSignWebTrust Link. https://cert.webtrust.org/ViewSeal? • WebTrust Principles and Criteria Link http://www.webtrust.org/principles-and-criteria/item27818.pdf • Federal Bridge Certificate Policy linkhttp://www.idmanagement.gov/fpkipa/documents/FBCA_CP_RFC3647.pdf