Principles and criteria

Read about the latest updates to and versions of WebTrust principles and criteria.

RELEASE NOTICE: NEW AND UPDATED VERSIONS OF WEBTRUST FOR CERTIFICATION AUTHORITIES PRINCIPLES AND CRITERIA 

The WebTrust/PKI Assurance Task Force has released:

  • Version 2.2 of WebTrust Principles and Criteria for Certification Authorities, replacing version 2.1. It is effective for audit periods commencing June 1, 2019. 
  • Version 1.6.8 of WebTrust Principles and Criteria for Certification Authorities – Extended Validation SSL, replacing version 1.6.2. It is effective for audit periods commencing June 1, 2019.
  • Version 2.4.1 of WebTrust Principles and Criteria for Certification Authorities – SSL Baseline with Network Security, replacing versions 2.3 and 2.4. It is effective for audit periods commencing June 1, 2019.
  • Version 1.0 of WebTrust for Registration Authorities. It is effective for audit periods commencing April 30, 2019.

Significant changes

Version 2.2 of WebTrust Principles and Criteria for Certification Authorities:

  • Minor updates made to conform to ISO 21188:2018 Edition

Version 1.6.8 of WebTrust Principles and Criteria for Certification Authorities – Extended Validation SSL:

Updated EV SSL Audit Criteria to conform to EV SSL Guidelines v1.6.8 and other clarifications, including the following:

  • Principle 1, Criterion 4 – The CA’s CP and CPS must now follow RFC 3647 format. RFC 2527 has been sunset.
  • Principle 2, Criteria 5.2-5.4 – Updates to revocation criteria based on changes to the SSL Baseline Requirements.

Version 2.4.1 of WebTrust Principles and Criteria for Certification Authorities – SSL Baseline with Network Security:

This version includes some minor corrections and clarifications to Version 2.4 and is effective June 1, 2019.

  • Principle 2, Criterion 2.14 corrected for a typographical error
  • Principle 4, Criterion 1.2 edited for clarity

Version 2.4 of WebTrust Principles and Criteria for Certification Authorities – SSL Baseline with Network Security:

Updated SSL Baseline Audit Criteria to conform to SSL Baseline Requirements v1.6.2 and Network and Certificate System Security Requirements v1.2:

  • Principle 1, Criterion 5 – The CA’s CP and CPS must now follow RFC 3647 format. RFC 2527 has been sunset.
  • Principle 2, Criterion 2.14 – new criterion added to address certificates with underscore characters. Criteria 2.14-2.16 renumbered to 2.15-2.17.
  • Principle 2, Criterion 4.6 – Re-validations cannot use methods 3.2.2.4.1 and 3.2.2.4.5 as of 1 August 2018
  • Principle 2, Criteria 5.2, 5.3 and 5.4 – Updated revocation criteria and timelines
  • Principle 4 – Updates made to conform to CA/B Forum Ballot SC3

WebTrust for Registration Authorities

This document provides a framework for third-party assurance providers to assess the adequacy and effectiveness of the controls employed by a Registration Authority (RA) that performs either a portion or all of the registration-related functions for a Certification Authority (CA) on an outsourced basis. Audit guidance for registration functions that are conducted entirely and directly by the CAs is covered in the document WebTrust Principles and Criteria for Certification Authorities. It is effective April 30, 2019.

RELEASE NOTICE: PRACTITIONER’S GUIDANCE – ILLUSTRATIVE REPORTS

The WebTrust/PKI Assurance Task Force prepared, and released in 2017, illustrative guidance for licensed WebTrust practitioners to support the preparation of WebTrust audit reports under Canadian, U.S. and international audit standards. This material can be downloaded from the “Practitioner Qualification and Guidance” tab.

AUDIT APPLICABILITY MATRIX

WebTrust for Certification Authorities - Audit Applicability Matrix
The WebTrust for Certification Authorities – Audit Applicability Matrix provides information about the relevant audit requirements based on current CA/Browser Forum and other requirements. In addition, it provides a summary of the current versions of the various applicable WebTrust for Certification Authorities audit schemes. (Updated to June 2019)

WEBTRUST PRINCIPLES AND CRITERIA FOR CERTIFICATION AUTHORITIES

Framework for third party assurance providers to assess the adequacy and effectiveness of the controls employed by Certification Authorities (CAs)

Framework for third party assurance providers for Extended Validation Certificates

Framework for third party assurance providers relating to SSL certificates

Framework for third party assurance providers relating to code signing

WebTrust Principles and Criteria for Registration Authorities Version 1.0

For inquiries regarding WebTrust, please contact CPA Canada.