1 WebTrust for Certification Authorities (CAs) Overview October 2011 WebTrust for Certification Authorities (CAs) Overview October 2011 Presentation based on documentation from KPMG

2 Outline WebTrust for CAs – Introduction WebTrust for CAs – Benefits WebTrust for CAs Principles and Criteria Summary of WebTrust for CAs Criteria Topics Typical Audit Process Typical Participants in the Audit Process Recent Developments WebTrust for CAs – Introduction WebTrust for CAs – Benefits WebTrust for CAs Principles and Criteria Summary of WebTrust for CAs Criteria Topics Typical Audit Process Typical Participants in the Audit Process Recent Developments

3 WebTrust for CAs - Introduction AICPA/CICA WebTrust Program for Certification Authorities provides a framework for licensed WebTrust practitioners to assess the adequacy and effectiveness of the controls employed by Certification Authorities (CAs). Typically an annual examination covering 12 months of activity. The initial examination often covers a shorter period such as 3 months. WebTrust for CAs seal of assurance is a symbolic representation of an unqualified report issued to the CA. Versions of WebTrust for CAs v 1.0, released in 2000 and v 2.0, released in WebTrust for Certification Authorities – NAESB Validation is a supplemental audit to assess compliance with specific requirements issued by NAESB WEQ. AICPA/CICA WebTrust Program for Certification Authorities provides a framework for licensed WebTrust practitioners to assess the adequacy and effectiveness of the controls employed by Certification Authorities (CAs). Typically an annual examination covering 12 months of activity. The initial examination often covers a shorter period such as 3 months. WebTrust for CAs seal of assurance is a symbolic representation of an unqualified report issued to the CA. Versions of WebTrust for CAs v 1.0, released in 2000 and v 2.0, released in WebTrust for Certification Authorities – NAESB Validation is a supplemental audit to assess compliance with specific requirements issued by NAESB WEQ.

4 WebTrust for CAs - Benefits Framework allows for communication to auditors, customers, business partners, and potential customers. Provides assurance for Certificate Authorities that the CA’s business practices and controls are in line with AICPA/CICA WebTrust Principles and Criteria for CA’s. Can address the needs of relying parties including enterprise and individual customers, regulatory bodies, communities of trust (e.g., Federal Bridge PKI), technology vendors (e.g., Microsoft, Mozilla, Google), and others. Principles and Criteria for CAs are aligned with the X9.79 PKI Practices and Policy Framework standard. Principles and Criteria for CAs (in version 2.0) are also aligned with the ISO PKI Policy and Practices framework. The framework is based on a baseline set of CA requirements combined with any defined requirements for the community (which can be incorporated into the CA’s CPS or another community requirements document). Framework allows for communication to auditors, customers, business partners, and potential customers. Provides assurance for Certificate Authorities that the CA’s business practices and controls are in line with AICPA/CICA WebTrust Principles and Criteria for CA’s. Can address the needs of relying parties including enterprise and individual customers, regulatory bodies, communities of trust (e.g., Federal Bridge PKI), technology vendors (e.g., Microsoft, Mozilla, Google), and others. Principles and Criteria for CAs are aligned with the X9.79 PKI Practices and Policy Framework standard. Principles and Criteria for CAs (in version 2.0) are also aligned with the ISO PKI Policy and Practices framework. The framework is based on a baseline set of CA requirements combined with any defined requirements for the community (which can be incorporated into the CA’s CPS or another community requirements document).

5 WebTrust for CAs Principles and Criteria The WebTrust for CAs program includes the principles listed below. Underlying each principle, there are a series of supporting criteria to which the CA has to conform. 1.CA Business Practice Disclosure (CP/CPS) The Certification Authority discloses its key and certificate life cycle management business and information privacy practices and provides its services in accordance with its disclosed practices. 2.Service Integrity Subscriber information was properly authenticated (for the registration activities performed by ABC-CA) and The integrity of keys and certificates it manages is established and protected throughout their life cycles. 3.CA Environmental Controls Subscriber and relying party information is restricted and protected Continuity of key and certificate management operations is maintained CA systems development, maintenance and operation are properly authorized and performed to maintain CA systems integrity The WebTrust for CAs program includes the principles listed below. Underlying each principle, there are a series of supporting criteria to which the CA has to conform. 1.CA Business Practice Disclosure (CP/CPS) The Certification Authority discloses its key and certificate life cycle management business and information privacy practices and provides its services in accordance with its disclosed practices. 2.Service Integrity Subscriber information was properly authenticated (for the registration activities performed by ABC-CA) and The integrity of keys and certificates it manages is established and protected throughout their life cycles. 3.CA Environmental Controls Subscriber and relying party information is restricted and protected Continuity of key and certificate management operations is maintained CA systems development, maintenance and operation are properly authorized and performed to maintain CA systems integrity

6 Summary of WebTrust for CAs Criteria Topics CA BUSINESS PRACTICES DISCLOSURE (CP/CPS) CA ENVIRONMENTAL CONTROLS CA KEY MANAGEMENTCERTIFICATE LIFE CYCLE MANAGEMENT CP/CPS Management Security Management Asset Classification and Management Personnel Security Physical and Environmental Security Operations Management System Access Management Systems Development and Maintenance Business Continuity Management Monitoring and Compliance Event Journaling CA Key Generation CA Key Storage Backup and Recovery CA Key Escrow (optional) CA Key Usage CA Key Archival CA Key Destruction CA Cryptographic Device Life Cycle Management CA-Provided Subscriber Key Management Services (optional) Subscriber Registration Certificate Rekey/ Renewal Certificate Issuance Certificate Distribution Certificate Revocation Certificate Suspension (optional) Certificate Status Information Processing Integrated Circuit Card Life Cycle Management (optional)

7 Typical Audit Process The audit process typically includes the following phases: Planning – Define the overall audit schedule, provide documentation request list, provide meeting request list, review CP/CPS and other policies/procedures before onsite fieldwork Fieldwork – Conduct meetings with key individuals, observe processes, inspect configurations, gather audit evidence (refer to Appendix 1 for examples of audit focus areas). Offsite Analysis – Analysis of information gathered during and post fieldwork Reporting – Preparation of the audit report The audit process typically includes the following phases: Planning – Define the overall audit schedule, provide documentation request list, provide meeting request list, review CP/CPS and other policies/procedures before onsite fieldwork Fieldwork – Conduct meetings with key individuals, observe processes, inspect configurations, gather audit evidence (refer to Appendix 1 for examples of audit focus areas). Offsite Analysis – Analysis of information gathered during and post fieldwork Reporting – Preparation of the audit report

8 Typical Audit Process (continued) Other information: Fieldwork generally requires 1 – 4 weeks of effort depending on the size and complexity of the CA infrastructure. For a relatively simple CA environment, the duration of the audit process from planning to final report issuance is approximately 2-4 months. The cost of a WebTrust for CAs examination can range from $50,000 to $250,000 or more depending on the complexity of the environment (i.e., number of CAs, number of CP/CPS documents, etc.). Where the CA has not previously completed a formal audit, it is recommended that they first complete a “readiness review” so that any issues can be identified and corrected before the first formal audit. Other information: Fieldwork generally requires 1 – 4 weeks of effort depending on the size and complexity of the CA infrastructure. For a relatively simple CA environment, the duration of the audit process from planning to final report issuance is approximately 2-4 months. The cost of a WebTrust for CAs examination can range from $50,000 to $250,000 or more depending on the complexity of the environment (i.e., number of CAs, number of CP/CPS documents, etc.). Where the CA has not previously completed a formal audit, it is recommended that they first complete a “readiness review” so that any issues can be identified and corrected before the first formal audit.

9 Typical Participants in the Audit Process Personnel responsible for: Security management Personnel Physical security IT operations (e.g., network and system security, monitoring, change management) CA business continuity management CA key management operations Registration authority activities Personnel responsible for: Security management Personnel Physical security IT operations (e.g., network and system security, monitoring, change management) CA business continuity management CA key management operations Registration authority activities Involvement typically includes: Participation in interviews to discuss CA processes Responding to requests for documented policies/procedures, lists of events occurring during the period, and supporting evidence for a sample of events selected by the auditor Level of involvement: Typically the CA assigns an audit coordinator who spends 25 – 50% of their time coordinating meetings and the gathering of audit evidence during the fieldwork phase of the audit. Other individuals are typically involved for a small portion of focused time.

10 Recent Developments Trust Service Principles and Criteria for Certification Authorities Version 2.0 The AICPA/CICA WebTrust for Certification Authorities task force led the development of an update to the WebTrust for CAs standard which is effective July 1, 2011 Version 2.0 aligned with ISO Public Key Infrastructure policy and practices framework Supersedes WebTrust for CAs Principles, v1.0 Additional reporting templates included for other types of CAs (e.g., Federal Bridge CA) Trust Service Principles and Criteria for Certification Authorities Version 2.0 The AICPA/CICA WebTrust for Certification Authorities task force led the development of an update to the WebTrust for CAs standard which is effective July 1, 2011 Version 2.0 aligned with ISO Public Key Infrastructure policy and practices framework Supersedes WebTrust for CAs Principles, v1.0 Additional reporting templates included for other types of CAs (e.g., Federal Bridge CA)

11 Reference Documents GlobalSign WebTrust Link. WebTrust Principles and Criteria Link Federal Bridge Certificate Policy link pdf pdf GlobalSign WebTrust Link. WebTrust Principles and Criteria Link Federal Bridge Certificate Policy link pdf pdf