+1-888-690-2424

CAs Being Audited to Baseline Requirements

Bruce Morton

Like this post? Try our newsletter.  Subscribe now.Certification authorities (CA) have always been compliance-minded and have historically imposed third-party audits upon themselves. The CAs disclose their requirements through a certificate policy (CP) document or certification practice statement (CPS). In these documents they state that they will be audited by a third party to meet these requirements.

Historically, the CAs had to choose their own audit standard. We originally chose SAS 70, and then moved to WebTrust for CA. Entrust was the first publicly trusted CA to be WebTrust audited.

As the industry developed, the browsers developers imposed annual audit criteria through their certificate policies. Typically, the CAs could choose from one of the following for the basis of their audit:

  • WebTrust for Certification Authorities
  • ETSI TS 102 042
  • ISO 21188:2006

Certificate standards increased and, in 2007, the CA/Browser Forum launched Extended Validation SSL certificates. The EV guidelines included a requirement to be audited to the EV guidelines.

One concern was that there were no requirements for non-EV SSL certificates. To satisfy this issue, the CA/Browser Forum developed the SSL Baseline Requirements (BR). The BRs provided minimum requirements for issuance and management of all SSL certificates. The BRs also included minimum verification requirement for domain validated and organization validated SSL certificates.

In 2013, you will see the CAs being audited to the Baseline Requirements. Entrust has completed its BR validation. As the industry changes, this process has shown that CAs have helped establish new criteria and are willing to publish their audit results to show compliance to that criteria.

For more information on CA audit criteria, please see the WebTrust site.

Bruce Morton
Bruce Morton
Director, Certificate Technology & Standards

Bruce Morton has worked in the public key infrastructure and digital certificate industry for more than 15 years and has focused on SSL and other publicly trusted certificates since 2005. He has been an active member of the CA/Browser Forum that released guidelines for extended validation (EV) certificates and Baseline Requirements for SSL certificates. Bruce oversees the governance and compliance of Entrust’s publicly trusted PKI.

0 Comments

Add to the Conversation