WebTrust SM/TM Principles and Criteria for Certification Authorities
CA Trust
Jeff Stapleton [email protected] 617-988-6312
June 2000 PKI Forum 2
Agenda
• Overview of Organizations & Standards
• Overview of CA Trust
• Question & Answer
AICPA / CICA
AICPA: American Institute of Certified Public Accountants (CPA)
CICA: Canadian Institute of Chartered Accountants
--------------------------------------------------------------
Electronic Commerce Assurance Service Task Force
• WebTrust family:
– WebTrust, ISP Trust, CA Trust, & SysTrust (no seal)
– NOT a SAS 70, adaptation of the Statement on Standards for Attestation Engagements (SSAE) No. 1
X9.79 / CA Trust
X9F5 working group (established 1998)
• X9.79 PKI Practices and Policy Framework
– Annex B: Certification Authority Control Objectives
– currently in X9 ballot
---------------------------------------------------------------
Electronic Commerce Assurance Service Task Force
• WebTrust Principles and Criteria for Certification Authorities (CA Trust)
– completed public exposure, final in July 200
CA Control Objectives
[Diagram labels:]
• FIPS 140-1
• ANSI standards
• ISO standards
• ABA-ISC PAG
• IETF PKIX-4
• BS7799
• NACHA CARAT
• X9.79 / CA Trust
• “audit language”
CA Trust
Organization and statistics:
• 3 principles
– Business Practices Disclosure: 45 required disclosures
– Service Integrity: 33 criteria and 182 illustrative controls
– CA Environmental Controls: 28 criteria and 165 illustrative controls
• 30 topics (5 optional), 392 disclosures and controls
CA Trust
• PRINCIPLE 1: CA Business Practices Disclosure - The Certification Authority discloses its key and certificate life cycle management business and information privacy practices and provides its services in accordance with its disclosed practices.
• 45 required disclosures
CA Trust
• PRINCIPLE 1: CA Business Practices Disclosure -
– General Disclosures
– Key Life Cycle Management
– Certificate Life Cycle Management
– CA Environmental Controls
CA Trust
• PRINCIPLE 2: Service Integrity - The Certification Authority maintains effective controls to provide reasonable assurance that:
– Subscriber information was properly authenticated (for the registration activities performed by CA).
– The integrity of keys and certificates it manages is established and protected throughout their life cycles.
• Key Life Cycle Management Controls
• Certificate Life Cycle Controls
• 33 criteria and 182 illustrative controls
CA Trust
• PRINCIPLE 2: Service Integrity -
Key Life Cycle Management Controls:
– CA Key Generation
– CA Key Storage, Backup and Recovery
– CA Public Key Distribution
– CA Key Escrow (optional)
– CA Key Usage
– CA Key Destruction
– CA Key Archival
– CA Cryptographic Hardware
– Subscriber Key Management Services (optional)
CA Trust
• PRINCIPLE 2: Service Integrity -
Certificate Life Cycle Controls:
– Subscriber Registration
– Certificate Renewal (optional)
– Certificate Rekey
– Certificate Issuance
– Certificate Distribution
– Certificate Revocation
– Certificate Suspension (optional)
– CRL Processing (negative & positive validation)
– Smart Card (optional)
CA Trust
• PRINCIPLE 3: CA Environmental Controls - The Certification Authority maintains effective controls to provide reasonable assurance that:
– Subscriber and relying party information is restricted to authorized individuals and protected from uses not specified in the CA's business practices disclosure.
– The continuity of key and certificate life cycle management operations is maintained.
– CA systems development, maintenance, and operation are properly authorized and performed to maintain CA systems integrity.
• 28 criteria and 165 illustrative controls
CA Trust
• PRINCIPLE 3: CA Environmental Controls -
– CPS and CP Management
– Security Management
– Asset Classification and Management
– Personnel Security
– Physical and Environmental Security
– Operations Management
– System Access Management
– Systems Development and Maintenance
– Business Continuity Management
– Monitoring and Compliance
– Event Journaling
CA Trust
Other sections of CA Trust:
• PKI Overview
• WebTrust Overview
• Example reports - Annexes
• Cross reference with X9.79
CA Trust Effort
[Bar chart, average hours: PKI Diagnostic, SAS 70 Type I, SAS 70 Type II, WebTrust for CAs, WT for CAs (addl CA)]
CA Trust
Questions?