The American Institute of Certified Public Accountants [AICPA] & Chartered Accountants of Canada [CICA] WebTrust Standard for the ownership and operation of a Trusted Third Party Certificate Authority [CA]

CA Environmental Controls

The third principle is—The certification authority maintains effective controls to provide reasonable assurance that:

Service Integrity

The second principle is—The certification authority maintains effective controls to provide reasonable assurance that:

WebTrust for Certification Authorities Principles

To be understandable to the ultimate users—the subscriber and relying party—the following principles have been developed with the relying party in mind, and, as a result, are intended to be practical and non-technical in nature.

Principle 1: CA Business Practices Disclosure

To verify whether the seal displayed on a CA's Web site is authentic, the customer can:

The WebTrust seal of assurance for the CA will be managed by a seal manager along the following lines:

Obtaining the WebTrust Seal

To obtain the WebTrust seal of assurance, the CA must meet all the WebTrust for Certification Authorities principles as measured by the WebTrust for Certification Authorities criteria associated with each of these principles. In addition, the entity must engage a practitioner to provide the WebTrust service, and obtain an unqualified report from such practitioner.

Keeping the WebTrust Seal

Once the seal is obtained, the CA will be able to continue displaying it on its Web site provided the following are performed:

Comparison of a WebTrust for Certification Authorities Examination With Service Auditor Reports:

Professional standards currently exist for auditors to report on controls of third-party service providers (a service auditor’s engagement). Guidance for these engagements is set out in the Statement on Auditing Standards [SAS] No. 70 [SAS-70], Service Organizations, as amended.

WebTrust for Certification Authorities engagement differs from a service auditor’s engagement in a number of ways, including the following:

The CA’s management will make assertions along the following lines:

Management has assessed the controls over its CA operations. Based on that assessment, in ABC Certification Authority, Inc. (ABC-CA) Management’s opinion, in providing its certification authority (CA) services at [location], ABC-CA, during the period from [Month, day, year] through [Month, day, year]:

Introducing WebTrust

For compliance reasons, certain CA systems must prepare and document a complete set of WebTrust policies and procedures. Trusted Third Party [TTP] Certificate Authority [CA] (also known as 'Trust Centre') organisations and specific Government projects are two examples where WebTrust policies and procedures may be required in advance of conducting the WebTrust Audit.

There are typically three phases of the WebTrust implementation and these are sub divided and described in the following sub sections: