Presentation is loading. Please wait.

Presentation is loading. Please wait.

WebTrust SM/TM Principles and Criteria for Certification Authorities CA Trust Jeff

Published byCatherine Snow Modified over 9 years ago

Similar presentations

Presentation on theme: "WebTrust SM/TM Principles and Criteria for Certification Authorities CA Trust Jeff"— Presentation transcript:

1 WebTrust SM/TM Principles and Criteria for Certification Authorities CA Trust Jeff Stapletonjstapleton@kpmg.com617-988-6312

2 June 2000PKI Forum1 Agenda Overview of Organizations & Standards Overview of CA Trust Question & Answer

3 June 2000PKI Forum2 AICPA / CICA AICPA: American Institute of Certified Public Accounts (CPA) CICA: Canadian Institute of Chartered Accountants -------------------------------------------------------------- Electronic Commerce Assurance Service Task Force WebTrust family: –WebTrust, ISP Trust, CA Trust, & SysTrust (no seal) –NOT a SAS 70, adaptation of the Statement on Standards for Attestation Engagements (SSAE) No. 1

4 June 2000PKI Forum3 X9.79 / CA Trust X9F5 working group (established 1998) X9.79 PKI Practices and Policy Framework –Annex B: Certification Authority Control Objectives –currently in X9 ballot --------------------------------------------------------------- Electronic Commerce Assurance Service Task Force WebTrust Principles and Criteria for Certification Authorities (CA Trust) –completed public exposure, final in July 200

5 June 2000PKI Forum4 CA Control Objectives FIPS 140-1 ANSIstandardsISOstandards ABA-ISCPAGIETFPKIX-4 BS7799 NACHACARAT X9.79CA Trust “audit language”

6 June 2000PKI Forum5 CA Trust Organization and statistics: 3 principles Business Practices Disclosure –45 required disclosures Service Integrity –33 criteria and 182 illustrative controls CA Environmental Controls –28 criteria and 165 illustrative controls 30 topics (5 optional), 392 disclosures and controls

7 June 2000PKI Forum6 CA Trust PRINCIPLE 1: CA Business Practices Disclosure - The Certification Authority discloses its key and certificate life cycle management business and information privacy practices and provides its services in accordance with its disclosed practices. 45 required disclosures

8 June 2000PKI Forum7 CA Trust PRINCIPLE 1: CA Business Practices Disclosure - –General Disclosures –Key Life Cycle Management –Certificate Life Cycle Management –CA Environmental Controls

9 June 2000PKI Forum8 CA Trust PRINCIPLE 2: Service Integrity - The Certification Authority maintains effective controls to provide reasonable assurance that: –Subscriber information was properly authenticated (for the registration activities performed by CA). –The integrity of keys and certificates it manages is established and protected throughout their life cycles. Key Life Cycle Management Controls Certificate Life Cycle Controls 33 criteria and 182 illustrative controls

10 June 2000PKI Forum9 CA Trust PRINCIPLE 2: Service Integrity - Key Life Cycle Management Controls: –CA Key Generation –CA Key Storage, Backup and Recovery –CA Public Key Distribution –CA Key Escrow (optional) –CA Key Usage –CA Key Destruction –CA Key Archival –CA Cryptographic Hardware –Subscriber Key Management Services (optional)

11 June 2000PKI Forum10 CA Trust PRINCIPLE 2: Service Integrity - Certificate Life Cycle Controls: –Subscriber Registration –Certificate Renewal (optional) –Certificate Rekey –Certificate Issuance –Certificate Distribution –Certificate Revocation –Certificate Suspension (optional) –CRL Processing (negative & positive validation) –Smart Card (optional)

12 June 2000PKI Forum11 CA Trust PRINCIPLE 3: CA Environmental Controls - The Certification Authority maintains effective controls to provide reasonable assurance that: –Subscriber and relying party information is restricted to authorized individuals and protected from uses not specified in the CA's business practices disclosure. –The continuity of key and certificate life cycle management operations is maintained. –CA systems development, maintenance, and operation are properly authorized and performed to maintain CA systems integrity. 28 criteria and 165 illustrative controls

13 June 2000PKI Forum12 CA Trust PRINCIPLE 3: CA Environmental Controls - –CPS and CP Management –Security Management –Asset Classification and Management –Personnel Security –Physical and Environmental Security –Operations Management –System Access Management –Systems Development and Maintenance –Business Continuity Management –Monitoring and Compliance –Event Journaling

14 June 2000PKI Forum13 CA Trust Other sections of CA Trust: PKI Overview WebTrust Overview Example reports - Annexes Cross reference with X9.79

15 June 2000PKI Forum14 CA Trust Effort 300 400 250 150 100

16 June 2000PKI Forum15 CA Trust Questions?

Download ppt "WebTrust SM/TM Principles and Criteria for Certification Authorities CA Trust Jeff"

Similar presentations

Assurance Services Independent professional services that “improve the quality of information, or its context, for decision makers” Assurance service encompass.

Assurance Services Independent professional services that “improve the quality of information, or its context, for decision makers” Assurance service encompass.
PKI Strategy PKI Requirements Standard –Based on e-MARC or other Certificate Policy Statements –Specify key aspects that must be met by CA Cert format.

PKI Strategy PKI Requirements Standard –Based on e-MARC or other Certificate Policy Statements –Specify key aspects that must be met by CA Cert format.
29e CONFÉRENCE INTERNATIONALE DES COMMISSAIRES À LA PROTECTION DES DONNÉES ET DE LA VIE PRIVÉE 29 th INTERNATIONAL CONFERENCE OF DATA PROTECTION AND PRIVACY.

29e CONFÉRENCE INTERNATIONALE DES COMMISSAIRES À LA PROTECTION DES DONNÉES ET DE LA VIE PRIVÉE 29 th INTERNATIONAL CONFERENCE OF DATA PROTECTION AND PRIVACY.
Experiences with Massive PKI Deployment and Usage Daniel Kouřil, Michal Procházka Masaryk University & CESNET Security and Protection of Information 2009.

Experiences with Massive PKI Deployment and Usage Daniel Kouřil, Michal Procházka Masaryk University & CESNET Security and Protection of Information 2009.
Additional Assurance Services: Other Information

Additional Assurance Services: Other Information
Dr. Mohamed A. Hamada Lecturer of Accounting Information Systems Advanced Auditing Lecture 1 Assurance and Attestation Services.

Dr. Mohamed A. Hamada Lecturer of Accounting Information Systems Advanced Auditing Lecture 1 Assurance and Attestation Services.
SERVICE ORGANIZATION CONTROL REPORTS SM Formerly SAS 70 Reports.

SERVICE ORGANIZATION CONTROL REPORTS SM Formerly SAS 70 Reports.
March 6, 2012 SOC Reporting: What is New in the Audit Guides?

March 6, 2012 SOC Reporting: What is New in the Audit Guides?
1 WebTrust for Certification Authorities (CAs) Overview October 2011 WebTrust for Certification Authorities (CAs) Overview October 2011 Presentation based.

1 WebTrust for Certification Authorities (CAs) Overview October 2011 WebTrust for Certification Authorities (CAs) Overview October 2011 Presentation based.
1st Expert Group Meeting (EGM) on Electronic Trade-ECO Cooperation on Trade Facilitation 23-25 May 2012, Kish Island, I.R.IRAN.

1st Expert Group Meeting (EGM) on Electronic Trade-ECO Cooperation on Trade Facilitation May 2012, Kish Island, I.R.IRAN.
Certification Authority. Overview  Identifying CA Hierarchy Design Requirements  Common CA Hierarchy Designs  Documenting Legal Requirements  Analyzing.

Certification Authority. Overview  Identifying CA Hierarchy Design Requirements  Common CA Hierarchy Designs  Documenting Legal Requirements  Analyzing.
ESign-Online Digital Signature Service February 2015 Controller of Certifying Authorities Department of Electronics and Information Technology Ministry.

ESign-Online Digital Signature Service February 2015 Controller of Certifying Authorities Department of Electronics and Information Technology Ministry.
Identity Standards (Federal Bridge Certification Authority – Certificate Lifecycle) Oct, 17 2012.

Identity Standards (Federal Bridge Certification Authority – Certificate Lifecycle) Oct,
Chapter 20 Additional Assurance Services: Other Information

Chapter 20 Additional Assurance Services: Other Information
Information Systems Audit Program. Benefit Audit programs are necessary to perform an effective and efficient audit. Audit programs are essentially checklists.

Information Systems Audit Program. Benefit Audit programs are necessary to perform an effective and efficient audit. Audit programs are essentially checklists.
National Institute of Advanced Industrial Science and Technology Proposals for auditing Yoshio Tanaka Grid Technology Research.

National Institute of Advanced Industrial Science and Technology Proposals for auditing Yoshio Tanaka Grid Technology Research.
Other Assurance & Attestation Services By David N. Ricchiute

Other Assurance & Attestation Services By David N. Ricchiute
©2008 Prentice Hall Business Publishing, Auditing 12/e, Arens/Beasley/Elder 1 - 1 The Demand for Audit and Other Assurance Services Chapter 1.

©2008 Prentice Hall Business Publishing, Auditing 12/e, Arens/Beasley/Elder The Demand for Audit and Other Assurance Services Chapter 1.
Lessons Learned from Implementing Existing Standards Dos and Don'ts for Implementing Authentication Standards Jeff Stapleton, CISSP, CTGA, QSA Cryptographic.

Lessons Learned from Implementing Existing Standards Dos and Don'ts for Implementing Authentication Standards Jeff Stapleton, CISSP, CTGA, QSA Cryptographic.
Public Key Infrastructure (PKI) Providing secure communications and authentication over an open network.

Public Key Infrastructure (PKI) Providing secure communications and authentication over an open network.

Similar presentations

Ads by Google