WebTrust SM/TM Principles and Criteria for Certification Authorities CA Trust Jeff

PKI Forum, June 2000, slide 1: Agenda
  Overview of Organizations & Standards
  Overview of CA Trust
  Question & Answer

Slide 2: AICPA / CICA
  AICPA: American Institute of Certified Public Accountants (CPA)
  CICA: Canadian Institute of Chartered Accountants
  Electronic Commerce Assurance Service Task Force
  WebTrust family:
    – WebTrust, ISP Trust, CA Trust, & SysTrust (no seal)
    – NOT a SAS 70; an adaptation of the Statement on Standards for Attestation Engagements (SSAE) No. 1

Slide 3: X9.79 / CA Trust
  X9F5 working group (established 1998)
  X9.79 PKI Practices and Policy Framework
    – Annex B: Certification Authority Control Objectives
    – currently in X9 ballot
  Electronic Commerce Assurance Service Task Force
  WebTrust Principles and Criteria for Certification Authorities (CA Trust)
    – completed public exposure, final in July 200

Slide 4: CA Control Objectives
  [Diagram: source standards feeding into X9.79 and the CA Trust "audit language": FIPS, ANSI standards, ISO standards, ABA-ISC PAG, IETF PKIX-4, BS7799, NACHA CARAT]

Slide 5: CA Trust
  Organization and statistics: 3 principles
  Business Practices Disclosure
    – 45 required disclosures
  Service Integrity
    – 33 criteria and 182 illustrative controls
  CA Environmental Controls
    – 28 criteria and 165 illustrative controls
  30 topics (5 optional), 392 disclosures and controls

Slide 6: CA Trust, PRINCIPLE 1: CA Business Practices Disclosure
  The Certification Authority discloses its key and certificate life cycle management business and information privacy practices and provides its services in accordance with its disclosed practices.
  45 required disclosures

Slide 7: CA Trust, PRINCIPLE 1: CA Business Practices Disclosure
    – General Disclosures
    – Key Life Cycle Management
    – Certificate Life Cycle Management
    – CA Environmental Controls

Slide 8: CA Trust, PRINCIPLE 2: Service Integrity
  The Certification Authority maintains effective controls to provide reasonable assurance that:
    – Subscriber information was properly authenticated (for the registration activities performed by the CA).
    – The integrity of keys and certificates it manages is established and protected throughout their life cycles.
  Key Life Cycle Management Controls
  Certificate Life Cycle Controls
  33 criteria and 182 illustrative controls

Slide 9: CA Trust, PRINCIPLE 2: Service Integrity
  Key Life Cycle Management Controls:
    – CA Key Generation
    – CA Key Storage, Backup and Recovery
    – CA Public Key Distribution
    – CA Key Escrow (optional)
    – CA Key Usage
    – CA Key Destruction
    – CA Key Archival
    – CA Cryptographic Hardware
    – Subscriber Key Management Services (optional)

Slide 10: CA Trust, PRINCIPLE 2: Service Integrity
  Certificate Life Cycle Controls:
    – Subscriber Registration
    – Certificate Renewal (optional)
    – Certificate Rekey
    – Certificate Issuance
    – Certificate Distribution
    – Certificate Revocation
    – Certificate Suspension (optional)
    – CRL Processing (negative & positive validation)
    – Smart Card (optional)

Slide 11: CA Trust, PRINCIPLE 3: CA Environmental Controls
  The Certification Authority maintains effective controls to provide reasonable assurance that:
    – Subscriber and relying party information is restricted to authorized individuals and protected from uses not specified in the CA's business practices disclosure.
    – The continuity of key and certificate life cycle management operations is maintained.
    – CA systems development, maintenance, and operation are properly authorized and performed to maintain CA systems integrity.
  28 criteria and 165 illustrative controls

Slide 12: CA Trust, PRINCIPLE 3: CA Environmental Controls
    – CPS and CP Management
    – Security Management
    – Asset Classification and Management
    – Personnel Security
    – Physical and Environmental Security
    – Operations Management
    – System Access Management
    – Systems Development and Maintenance
    – Business Continuity Management
    – Monitoring and Compliance
    – Event Journaling

Slide 13: CA Trust
  Other sections of CA Trust:
    – PKI Overview
    – WebTrust Overview
    – Example reports (Annexes)
    – Cross reference with X9.79

Slide 14: CA Trust Effort

Slide 15: CA Trust
  Questions?