This slidecast will provide an overview of the WebTrust for Certification Authorities (CA) program, along with an understanding of the significance of the audit of certification authorities, relevant standards applicable to the audit, audit framework and the audit process. In addition, it will address some current issues that have been faced by certification authorities and actions taken to minimize the risk of the WebTrust for CA audit.
2. Introduction Public Key Infrastructure (PKI) WebTrust Program for Certification Authority Significance of Audit Relevant Audit Standards WebTrust for CAs Framework Audit Process Future of WebTrust for Cas Conclusion Overview
3. Increased number of users over the internet. Digital certificate: an electronic document containing information about an individual and his or her public key Certification Authority (CA): an entity which initially authenticates the public key subscriber and issues the certificate for use by the relying parties. Introduction
5. WebTrust Program for Certification Authority Ensures that CAs are properly following their Certification Practice Statement, properly verifying organizations, and properly protecting its certificate keys. Increases customer confidence over the internet as a place for e-commerce, while increasing customer confidence in the application of the PKI technology. Confidentiality, authentication and integrity are the most important ingredients required for trust in e-commerce transactions” and this can be provided by the PKI technology.
6. Significance of Audit provides us with an unbiased opinion on the completeness of the system against its stated requirements from an independent third party. The audit also serves the function of detecting errors which may have a significant impact on the operations and verifies that fraud risk is moderated through effective internal controls The assurance services is provided by Public accounting firms and practitioners who are licensed by the American Institute of Certified Public Accountants (AICPA) and the Canadian Institute of Chartered Accountants (CICA), in order to evaluate and test whether the services provided by a CA meet the principles and criteria
7. Relevant Audit Standards United States - the assurance standards applicable to the audit are within the frameworks outlined by the AICPA, in particular section Attestation Standards (AT) 101 Canada - the International Assurance Standards (IAS) have been adopted as the Canadian Auditing Standards (CAS) and are applicable in conducting the audit. Other countries, International Assurance Standards may be used, particularly International Standard on Assurance Engagement 3000.
8. Three main audit areas outlined by AICPA/CICA: CA Business practice disclosure Service integrity Environmental controls Scope of WebTrust for CAs Audit
9. Audit of the CAs consists of three general phases: Planning Execution Reporting Audit Process
11. Future of WebTrust for CAs Current Initiatives against security breaches CTO of Comodo has taken initiatives to address such concerns by ensuring that all RA-issued certificate requests for high-value domains matching a list maintained by Comodo will require a review by the company. Beta release of SSL Analyzer which is a tool used to scan website and summarize their server security levels.
12. Future of WebTrust for CAs Suggested initiatives by Stephen Schultize: CAs should be subject to stricter screening process as well as auditing when being considered for the approval list. The browsers could offer tools that resemble ad blockers or spam blacklists that would allow non-expert users to avoid connection to illegitimate sites that seem to have been validated A solution where the domain owners can confirm the names and machine numbers issued by the CA will be important in confirming the integrity of secured websites.
13. The existence of the recent security breaches encountered by CAs and RAs have begun to question not only the reliability of the audits but also the effectiveness WebTrust program for CAs itself. Initiatives undertaken by the CAs to improve the reliability of their services, along with more stringent guidelines by the AICPA/CICA regarding the audit of the CAs can help increase consumer trust over the internet. Conclusion