WebTrust SM/TM Principles and Criteria for Certification Authorities CA Trust Jeff...


WebTrust SM/TM

Principles and Criteria for

Certification Authorities

CA Trust

Jeff Stapleton jstapleton@kpmg.com 617-988-6312

June 2000 PKI Forum 2

Agenda

• Overview of Organizations & Standards

• Overview of CA Trust

• Question & Answer


AICPA / CICA

AICPA: American Institute of Certified Public Accountants (CPA)

CICA: Canadian Institute of Chartered Accountants

--------------------------------------------------------------

Electronic Commerce Assurance Service Task Force

• WebTrust family:

– WebTrust, ISP Trust, CA Trust, & SysTrust (no seal)

– NOT a SAS 70, adaptation of the Statement on Standards for Attestation Engagements (SSAE) No. 1


X9.79 / CA Trust

X9F5 working group (established 1998)

• X9.79 PKI Practices and Policy Framework

– Annex B: Certification Authority Control Objectives

– currently in X9 ballot

---------------------------------------------------------------

Electronic Commerce Assurance Service Task Force

• WebTrust Principles and Criteria for Certification Authorities (CA Trust)

– completed public exposure, final in July 200


CA Control Objectives

[Diagram labels:]

• FIPS 140-1

• ANSI standards

• ISO standards

• ABA-ISC PAG

• IETF PKIX-4

• BS7799

• NACHA CARAT

• X9.79, CA Trust

• “audit language”


CA Trust

Organization and statistics:

• 3 principles

Business Practices Disclosure

– 45 required disclosures

Service Integrity

– 33 criteria and 182 illustrative controls

CA Environmental Controls

– 28 criteria and 165 illustrative controls

• 30 topics (5 optional), 392 disclosures and controls


CA Trust

• PRINCIPLE 1: CA Business Practices Disclosure - The Certification Authority discloses its key and certificate life cycle management business and information privacy practices and provides its services in accordance with its disclosed practices.

• 45 required disclosures


CA Trust

• PRINCIPLE 1: CA Business Practices Disclosure -

– General Disclosures

– Key Life Cycle Management

– Certificate Life Cycle Management

– CA Environmental Controls


CA Trust

• PRINCIPLE 2: Service Integrity - The Certification Authority maintains effective controls to provide reasonable assurance that:

– Subscriber information was properly authenticated (for the registration activities performed by CA).

– The integrity of keys and certificates it manages is established and protected throughout their life cycles.

• Key Life Cycle Management Controls

• Certificate Life Cycle Controls

• 33 criteria and 182 illustrative controls


CA Trust

• PRINCIPLE 2: Service Integrity -

Key Life Cycle Management Controls:

– CA Key Generation

– CA Key Storage, Backup and Recovery

– CA Public Key Distribution

– CA Key Escrow (optional)

– CA Key Usage

– CA Key Destruction

– CA Key Archival

– CA Cryptographic Hardware

– Subscriber Key Management Services (optional)


CA Trust

• PRINCIPLE 2: Service Integrity -

Certificate Life Cycle Controls:

– Subscriber Registration

– Certificate Renewal (optional)

– Certificate Rekey

– Certificate Issuance

– Certificate Distribution

– Certificate Revocation

– Certificate Suspension (optional)

– CRL Processing (negative & positive validation)

– Smart Card (optional)


CA Trust

• PRINCIPLE 3: CA Environmental Controls - The Certification Authority maintains effective controls to provide reasonable assurance that:

– Subscriber and relying party information is restricted to authorized individuals and protected from uses not specified in the CA's business practices disclosure.

– The continuity of key and certificate life cycle management operations is maintained.

– CA systems development, maintenance, and operation are properly authorized and performed to maintain CA systems integrity.

• 28 criteria and 165 illustrative controls


CA Trust

• PRINCIPLE 3: CA Environmental Controls -

– CPS and CP Management

– Security Management

– Asset Classification and Management

– Personnel Security

– Physical and Environmental Security

– Operations Management

– System Access Management

– Systems Development and Maintenance

– Business Continuity Management

– Monitoring and Compliance

– Event Journaling


CA Trust

Other sections of CA Trust:

• PKI Overview

• WebTrust Overview

• Example reports - Annexes

• Cross reference with X9.79


CA Trust Effort

[Bar chart: Average Hours (axis 0 to 500) for PKI Diagnostic, SAS 70 Type I, SAS 70 Type II, WebTrust for CAs, WT for CAs (addl CA)]


CA Trust

Questions?
