This post was originally published on the CA Security Council blog.
There is an industry myth that certification authorities (CAs) are not regulated. In fact publicly-trusted SSL CAs support the development of industry regulations and have been audited annually to ensure compliance to the many requirements.
To provide some history, SSL CAs have always self-policed themselves by having external audits performed. In the ‘90s, the CAs wrote certificate policies and certification practice statements requiring annual compliance audits. Since there were no CA audit criteria, the CAs contracted for SAS 70 audits.
In 2000, the AICPA and CICA developed the WebTrust for CA audit criteria. The CAs switched to being audited to meet the WebTrust criteria and many browsers required successful WebTrust for CA audits to maintain root certificates embedded in their software.
In 2005, the CAs and the browsers combined to form the CA/Browser Forum. The purpose was to improve the issuance and management of SSL certificates. The first release was the Extended Validation (EV) SSL certificate requirements and in 2007, the issuing CAs were audited in accordance with the WebTrust for EV criteria.
However, the EV criteria did not cover standards for non- EV certificates. The CA/Browser Forum addressed this problem by developing the Baseline Requirements for SSL certificates. In 2012, the CAs started issuing certificates meeting the Baseline Requirements and in 2013 those CAs will be audited to the SSL Baseline Audit criteria, which was also developed by WebTrust personnel.
Now, when SSL CAs display their audit results, expect to see WebTrust for CA, WebTrust for EV and Baseline Requirements reports.
In addition to improving the CA certificate issuance and management standards, the CA/Browser forum has also introduced Network and Certificate System Security Guidelines which is hoped to be added to the audit criteria in the future. Also the European Telecommunications Standards Institute (ETSI) has adopted the CA audit criteria and has updated their standards.
For more information on SSL CA audits and other standards that help regulate the industry, please see the CASC whitepaper.