Certification authorities (CA) have always been compliance-minded and have historically imposed third-party audits upon themselves. The CAs disclose their requirements through a certificate policy (CP) document or certification practice statement (CPS). In these documents they state that they will be audited by a third party to meet these requirements.
Historically, the CAs had to choose their own audit standard. We originally chose SAS 70, and then moved to WebTrust for CA. Entrust was the first publicly trusted CA to be WebTrust audited.
As the industry developed, the browsers developers imposed annual audit criteria through their certificate policies. Typically, the CAs could choose from one of the following for the basis of their audit:
- WebTrust for Certification Authorities
- ETSI TS 102 042
- ISO 21188:2006
Certificate standards increased and, in 2007, the CA/Browser Forum launched Extended Validation SSL certificates. The EV guidelines included a requirement to be audited to the EV guidelines.
One concern was that there were no requirements for non-EV SSL certificates. To satisfy this issue, the CA/Browser Forum developed the SSL Baseline Requirements (BR). The BRs provided minimum requirements for issuance and management of all SSL certificates. The BRs also included minimum verification requirement for domain validated and organization validated SSL certificates.
In 2013, you will see the CAs being audited to the Baseline Requirements. Entrust has completed its BR validation. As the industry changes, this process has shown that CAs have helped establish new criteria and are willing to publish their audit results to show compliance to that criteria.
For more information on CA audit criteria, please see the WebTrust site.