
Trust Service Principles and Criteria for Certification Authorities


    Trust Service Principles and

    Criteria for Certification

    Authorities

    Version 2.0

    March 2011

    (Effective July 1, 2011)

    (Supersedes WebTrust for Certification Authorities

    Principles Version 1.0 August 2000)

Copyright 2011 by

    Canadian Institute of Chartered Accountants.

    All rights reserved. The Principles and Criteria may be reproduced and distributed provided that reproduced materials are not in any way directly offered for sale or profit and attribution is given.

AICPA/CICA Public Key Infrastructure (PKI) Assurance Task Force

    Donald E. Sheehy, Deloitte & Touche, LLP Chair

    Michael Greene, Ernst & Young LLP

    Mark Lundin, KPMG LLP

    Jeffrey Ward, Stone Carlie & Company LLC

    The AICPA and CICA would like to express gratitude to the members of the Task Force and its chair, Don Sheehy, for the knowledge they have contributed and time and effort expended to develop the Trust Services Principles and Criteria for Certification Authorities. Equally appreciated is the contribution of Reema Anand, KPMG LLP, who contributed greatly to the knowledge of the Task Force.

Staff Contact:

    Bryan Walker, CICA

EFFECTIVE DATE

    These Principles and Criteria are effective for years commencing on or after July 1, 2011 although earlier implementation is encouraged.

Page | 2

Table of Contents

    Effective date .... 2
    INTRODUCTION .... 6
        Introduction to Trust Service Principles and Criteria for Certification Authorities Version 2.0 .... 6
        Importance of PKI .... 6
    OVERVIEW .... 7
        What is a Public Key Infrastructure? .... 7
        What is a Digital Signature? .... 9
        What are the Differences Between Encryption Key Pairs and Signing Key Pairs? .... 10
        What is a Certification Authority? .... 11
        What is a Registration Authority? .... 11
        What is the Impact of an External RA? .... 13
        What is an Extended Validation Certificate? .... 14
        What is a Certification Practice Statement and a Certificate Policy? .... 14
        What are the Hierarchical and Cross-Certified CA Models? .... 14
        What is the Impact of Subordinate CAs? .... 15
        What are Some of the Business Issues Associated with CAs? .... 16
    PRINCIPLES AND CRITERIA FOR CERTIFICATION AUTHORITIES .... 17
        Certification Authorities Principles .... 17
            CA Business Practices Disclosure .... 17
            Service Integrity .... 17
            CA Environmental Controls .... 18
        Intended Use of the Trust Services Principles and Criteria .... 19
    TRUST SERVICE PRINCIPLES AND CRITERIA FOR CERTIFICATION AUTHORITIES .... 20
        1. CA BUSINESS PRACTICES DISCLOSURE .... 20
            1.1 Certification Practice Statement (CPS) .... 20
            1.2 Certificate Policy (if applicable) .... 20
        2. CA BUSINESS PRACTICES MANAGEMENT .... 21
            2.1 Certificate Policy Management (if applicable) .... 21
            2.2 Certification Practice Statement Management .... 21
            2.3 CP and CPS Consistency (if applicable) .... 22
        3. CA ENVIRONMENTAL CONTROLS .... 23
            3.1 Security Management .... 23
            3.2 Asset Classification and Management .... 24
            3.3 Personnel Security .... 25
            3.4 Physical and Environmental Security .... 27
            3.5 Operations Management .... 29
            3.6 System Access Management .... 30
            3.7 Systems Development and Maintenance .... 33
            3.8 Business Continuity Management .... 34
            3.9 Monitoring and Compliance .... 36
            3.10 Audit Logging .... 37
        4. CA KEY LIFE CYCLE MANAGEMENT CONTROLS .... 41
            4.1 CA Key Generation .... 41
            4.2 CA Key Storage, Backup and Recovery .... 43
            4.3 CA Public Key Distribution .... 43
            4.4 CA Key Usage .... 44
            4.5 CA Key Archival and Destruction .... 45
            4.6 CA Key Compromise .... 46
            4.7 CA Cryptographic Hardware Life Cycle Management .... 47
            4.8 CA Key Escrow (if applicable) .... 48
        5. SUBSCRIBER KEY LIFE CYCLE MANAGEMENT CONTROLS .... 50
            5.1 CA-Provided Subscriber Key Generation Services (if supported) .... 50
            5.2 CA-Provided Subscriber Key Storage and Recovery Services (if supported) .... 50
            5.3 Integrated Circuit Card (ICC) Life Cycle Management (if supported) .... 52
            5.4 Requirements for Subscriber Key Management .... 55
        6. CERTIFICATE LIFE CYCLE MANAGEMENT CONTROLS .... 57
            6.1 Subscriber Registration .... 57
            6.2 Certificate Renewal (if supported) .... 59
            6.3 Certificate Rekey .... 60
            6.4 Certificate Issuance .... 61
            6.5 Certificate Distribution .... 62
            6.6 Certificate Revocation .... 63
            6.7 Certificate Suspension (if supported) .... 64
            6.8 Certificate Validation .... 65
        7. SUBORDINATE CA CERTIFICATE LIFE CYCLE MANAGEMENT CONTROLS .... 67
            7.1 Subordinate CA Certificate Life Cycle Management .... 67
    APPENDIX A .... 69
        1 RFC 3647 .... 69
        2 RFC 2527 .... 76
        3 WebTrust for CAs v1 .... 80

INTRODUCTION

    Introduction to Trust Service Principles and Criteria for Certification Authorities Version 2.0

    This document provides a framework for third party assurance providers to assess the adequacy and effectiveness of the controls employed by Certification Authorities (CAs). As a result of the technical nature of the activities involved in securing e-commerce transactions, this document also provides a brief overview of public key infrastructure (PKI) using cryptography and trusted third-party concepts.

    This document replaces Version 1.0 of the AICPA/CICA WebTrust Program for Certification Authorities that was issued in August 2000. Unlike Version 1.0, which was intended to be used by licensed WebTrust practitioners only, this version is regarded as "open-source" and can be used in the conduct of any assurance engagement, internal or external, by any third-party service provider. It also represents an effective benchmark for CAs to conduct self-assessments. The public accounting profession has continued to play its role, with an intent to increase consumer confidence in the application of PKI technology by establishing a basis for providing third party assurance to the assertions made by CAs. This document was developed by a CICA/AICPA Task Force using ISO 21188 "Public Key Policy and Practices Framework" and Version 1.0 of the AICPA/CICA WebTrust Program for Certification Authorities.

    Input and approval was also obtained from the Certification Authority Browser Forum (CA/Browser Forum; see www.cabforum.org) for the content and control activities contained in this framework. The CA/Browser Forum was formed among certification authorities (CAs) and vendors of Internet browser software and other applications. This voluntary organization has worked collaboratively in defining guidelines and means of implementation for the Extended Validation (EV) SSL Certificate standard as a way of providing heightened security for Internet transactions and creating a more intuitive method of displaying secure sites to Internet users.

    The Principles and Criteria for Certification Authorities are consistent with standards developed by the American National Standards Institute (ANSI), International Organization for Standardization (ISO), and Internet Engineering Task Force (IETF). The Principles and Criteria are also consistent with the practices established by the CA Browser Forum (see www.cabforum.org).

    Importance of PKI

    PKI provides a means for relying parties (meaning, recipients of certificates who act in reliance on those certificates and/or digital signatures verified using those certificates) to know that another individual's or entity's public key actually belongs to that individual/entity. CA organizations and/or CA functions have been established to address this need.

    Cryptography is critical to establishing secure e-commerce. However, it has to be coupled with other secure protocols in order to provide a comprehensive security solution. Several cryptographic protocols require digital certificates (in effect, electronic credentials) issued by an independent trusted third party (the CA) to authenticate the transaction. CAs have assumed an increasingly important role in secure e-commerce. Although there is a large body of existing national, international, and proprietary standards and guidelines for the use of cryptography, the management of digital certificates, and the policies and practices of CAs, these standards have not been applied or implemented uniformly.

    This version is titled the Trust Services Principles and Criteria for Certification Authorities Version 2.0. These Principles and Criteria are intended to address user (meaning, subscriber and relying party) needs and concerns and are designed to benefit users and providers of CA e-commerce assurance services by providing a common body of knowledge that is communicated to such parties.

    OVERVIEW

    What is a Public Key Infrastructure?

    With the expansion of e-commerce, PKI is growing in importance and will continue to be a critical enterprise security investment. PKI enables parties to an e-commerce transaction to identify one another by providing authentication with digital certificates, and allows reliable business communications by providing confidentiality through the use of encryption, and authentication, data integrity and a reasonable basis for nonrepudiation through the use of digital signatures.

    PKI uses public/private-key pairs: two mathematically related keys. Typically, one of these keys is made public, by posting it on the Internet for example, while the other remains private. Public-key cryptography works in such a way that a message encrypted with the public key can only be decrypted with the private key, and, conversely, a message signed with a private key can be verified with the public key. This technology can be used in different ways to provide the four ingredients required for trust in e-commerce transactions, namely: confidentiality, authentication, integrity, and nonrepudiation.