CAs Support Standards and Regulations

Bruce Morton

This post was originally published on the CA Security Council blog.

There is an industry myth that certification authorities (CAs) are not regulated. In fact, publicly-trusted SSL CAs support the development of industry regulations and have been audited annually to ensure compliance with the many requirements.

To provide some history, SSL CAs have always policed themselves by having external audits performed. In the ‘90s, the CAs wrote certificate policies and certification practice statements requiring annual compliance audits. Since there were no CA-specific audit criteria, the CAs contracted for SAS 70 audits.

In 2000, the AICPA and CICA developed the WebTrust for CA audit criteria. The CAs switched to being audited to meet the WebTrust criteria and many browsers required successful WebTrust for CA audits to maintain root certificates embedded in their software.

In 2005, the CAs and the browsers combined to form the CA/Browser Forum. The purpose was to improve the issuance and management of SSL certificates. The first release was the Extended Validation (EV) SSL certificate requirements and in 2007, the issuing CAs were audited in accordance with the WebTrust for EV criteria.

However, the EV criteria did not cover standards for non-EV certificates. The CA/Browser Forum addressed this problem by developing the Baseline Requirements for SSL certificates. In 2012, the CAs started issuing certificates meeting the Baseline Requirements, and in 2013 those CAs will be audited to the SSL Baseline Audit criteria, which were also developed by WebTrust personnel.

Now, when SSL CAs display their audit results, expect to see WebTrust for CA, WebTrust for EV and Baseline Requirements reports.

In addition to improving the CA certificate issuance and management standards, the CA/Browser Forum has also introduced the Network and Certificate System Security Guidelines, which it is hoped will be added to the audit criteria in the future. The European Telecommunications Standards Institute (ETSI) has also adopted the CA audit criteria and has updated its standards.

For more information on SSL CA audits and other standards that help regulate the industry, please see the CASC whitepaper.

Bruce Morton
Director, Certificate Technology & Standards

Bruce Morton has worked in the public key infrastructure and digital certificate industry for more than 15 years and has focused on SSL and other publicly trusted certificates since 2005. He has been an active member of the CA/Browser Forum that released guidelines for extended validation (EV) certificates and Baseline Requirements for SSL certificates. Bruce oversees the governance and compliance of Entrust’s publicly trusted PKI.


Comments

  atef, October 4, 2015

    can the root CA be the regulator to its sub-CAs?

    Bruce Morton (Author), October 15, 2015

      Yes and no. If the subordinate CA is not technically restricted, then the subordinate CA must be audited by a third party based on the type of certificates the CA issues or can issue. If the subordinate CA is technically restricted, then the root CA must ensure that the subordinate CA meets the requirements.

      Technically restricted means the subordinate CA certificate is limited by the EKU OID and if configured to issue TLS certificates also has domain constraints. This type of restriction should also be extended to subordinate CAs which are capable of issuing secure email certificates.

      Please note that most existing subordinate CAs are not technically restricted.
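As an added illustration (not part of the original post or of Entrust's code), the following Python script builds a small in-memory CA hierarchy with the third-party `cryptography` package and classifies each subordinate CA according to the reply above: a sub-CA counts as technically restricted only when its EKU extension limits what it can issue and, if it may issue TLS server certificates, a name-constraints extension limits the permitted domains. The rule set is this script's own interpretation of the reply, not the wording of any audit standard, and every CA name and domain used is a constructed demo value.

```python
"""Decide whether a subordinate CA certificate is "technically constrained".

Added example, not from the post. Rules applied here (an interpretation of
the reply above, not the text of any audit standard):
  * no EKU extension, or anyExtendedKeyUsage present        -> unconstrained
  * id-kp-serverAuth present -> NameConstraints with at least one permitted
    dNSName subtree is required
  * id-kp-emailProtection present and require_email_constraints=True ->
    a permitted rfc822Name subtree is required (the reply says this
    restriction *should* also be applied to secure-email issuers)
Requires the `cryptography` package. All certificates are generated in
memory with constructed demo names; no real CA is involved.
"""
import datetime

from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import ExtendedKeyUsageOID, NameOID


def is_technically_constrained(cert, require_email_constraints=False):
    """Return True if `cert` meets the restriction rules described above."""
    try:
        ekus = set(cert.extensions.get_extension_for_class(x509.ExtendedKeyUsage).value)
    except x509.ExtensionNotFound:
        return False  # no EKU: the sub-CA may issue any certificate type
    if ExtendedKeyUsageOID.ANY_EXTENDED_KEY_USAGE in ekus:
        return False  # anyExtendedKeyUsage defeats the EKU restriction

    try:
        nc = cert.extensions.get_extension_for_class(x509.NameConstraints).value
        permitted = list(nc.permitted_subtrees or [])
    except x509.ExtensionNotFound:
        permitted = []

    if ExtendedKeyUsageOID.SERVER_AUTH in ekus:
        # A TLS-capable sub-CA must be limited to specific domains.
        if not any(isinstance(n, x509.DNSName) for n in permitted):
            return False
    if require_email_constraints and ExtendedKeyUsageOID.EMAIL_PROTECTION in ekus:
        if not any(isinstance(n, x509.RFC822Name) for n in permitted):
            return False
    return True


def _build_ca(common_name, issuer=None, eku=None, permitted=None):
    """Build a self-signed root (issuer=None) or a sub-CA signed by `issuer`,
    an (issuer_cert, issuer_key) tuple. Demo values only."""
    key = ec.generate_private_key(ec.SECP256R1())
    subject = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, common_name)])
    issuer_name, signing_key = (subject, key) if issuer is None else (issuer[0].subject, issuer[1])
    now = datetime.datetime.now(datetime.timezone.utc)
    builder = (x509.CertificateBuilder()
               .subject_name(subject)
               .issuer_name(issuer_name)
               .public_key(key.public_key())
               .serial_number(x509.random_serial_number())
               .not_valid_before(now - datetime.timedelta(minutes=1))
               .not_valid_after(now + datetime.timedelta(days=365))
               .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True))
    if eku is not None:
        builder = builder.add_extension(x509.ExtendedKeyUsage(eku), critical=False)
    if permitted is not None:
        builder = builder.add_extension(
            x509.NameConstraints(permitted_subtrees=permitted, excluded_subtrees=None),
            critical=True)
    return builder.sign(signing_key, hashes.SHA256()), key


def audit_demo():
    """Build a demo hierarchy and classify each sub-CA.

    Returns {label: (constrained_by_default_rules, constrained_with_email_rule)}.
    """
    root = _build_ca("Demo Root CA")
    subs = {
        "constrained-tls": _build_ca(
            "Demo Constrained TLS Sub CA", issuer=root,
            eku=[ExtendedKeyUsageOID.SERVER_AUTH, ExtendedKeyUsageOID.CLIENT_AUTH],
            permitted=[x509.DNSName("example.com")])[0],
        "tls-no-name-constraints": _build_ca(
            "Demo TLS Sub CA without name constraints", issuer=root,
            eku=[ExtendedKeyUsageOID.SERVER_AUTH])[0],
        "no-eku": _build_ca("Demo Unrestricted Sub CA", issuer=root)[0],
        "email-no-constraints": _build_ca(
            "Demo S/MIME Sub CA", issuer=root,
            eku=[ExtendedKeyUsageOID.EMAIL_PROTECTION])[0],
        "constrained-email": _build_ca(
            "Demo Constrained S/MIME Sub CA", issuer=root,
            eku=[ExtendedKeyUsageOID.EMAIL_PROTECTION],
            permitted=[x509.RFC822Name("example.com")])[0],
    }
    return {label: (is_technically_constrained(c),
                    is_technically_constrained(c, require_email_constraints=True))
            for label, c in subs.items()}


if __name__ == "__main__":
    for label, (default_rule, email_rule) in audit_demo().items():
        print(f"{label:26s} default={default_rule!s:5s} with-email-rule={email_rule}")
```

The only sub-CA that passes under both rule sets while being TLS-capable is the one carrying both a restrictive EKU and a permitted dNSName subtree; an S/MIME-only sub-CA without name constraints passes the default rule but fails once the email restriction the reply recommends is switched on. A real audit check would run `is_technically_constrained` over the sub-CA certificates actually chained to the root rather than over generated ones.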
