WEBTRUST Certification Authorities & Design — 1975111
Application number
Registration number
Type(s)
Category
CIPO Status
TM5 status
Filed
Registered
Registration Expiry Date
Registered Owner
Agent
Documents
Index headings
- CERTIFICATION AUTHORITIES WEBTRUST RA
- WEB TRUST
Vienna information (Code & Description)
- 1.5.1
- Terrestrial globes
- A 1.5.6
- Terrestrial globes with a banderole or an inscription
- A 1.5.10
- Terrestrial globes with clouds, rain, drops of water or representations of other natural phenomena
- 1.7.6
- Crescent moon, half-moon
- 25.1.6
- Banderoles, cartouches
Services (Nice class & Statement)
- 35
- (1) Certification of compliance with financial transactions security standards and privacy protection standards in the operation of electronic commerce sites on a global computer network used to facilitate electronic secure payment transactions.
Certification mark text
The use of the certification mark is intended to indicate that the electronic commerce services listed are conducted in compliance with the following defined standards. In respect of the services, entities must:
(a) disclose their availability practices, comply with such availability practices and maintain effective controls to provide reasonable assurance that electronic commerce and system data are available in conformity with their disclosed availability practices;
(b) disclose their business practices for electronic commerce, execute transactions in conformity with such practices and maintain effective controls to provide reasonable assurance that electronic commerce transactions are processed completely, accurately and in conformity with their disclosed business practices;
(c) disclose their security practices, comply with such security practices and maintain effective controls to provide reasonable assurance that access to the electronic commerce system and data is restricted to authorized individuals in conformity with their disclosed security practices; and
(d) disclose their privacy practices, comply with such privacy practices and maintain effective controls to provide reasonable assurance that access to information obtained as a result of electronic commerce and designated as confidential is restricted to authorized individuals, groups of individuals or entities in conformity with their disclosed privacy practices;
all in conformity with the WebTrust Principles and Criteria as developed by the applicant, as follows:

A. The use of the certification mark indicates that the services are rendered in accordance with the standards and guidelines for the operation of Certification Authorities ("CAs"), covering various aspects such as SSL certificates, extended validation (EV), network security, S/MIME certificates, code signing, as outlined below.

1. Principles and Criteria for Certification Authorities set general standards for Certification Authorities that issue digital certificates. It focuses on ensuring the security, reliability, and trustworthiness of CAs through the following key principles:
i. Security: CAs must protect cryptographic keys, sensitive data, and ensure systems are secure against unauthorized access.
ii. Certificate Lifecycle Management: Issuing, renewing, suspending, and revoking certificates, with strong identity validation before issuance.
iii. Confidentiality and Privacy: CAs must protect customer information, comply with privacy laws, and implement secure data handling practices.
iv. Availability: CAs must ensure reliable services, certificate issuance and revocation, with business continuity and disaster recovery measures in place.
v. Audit and Compliance: Regular audits must be conducted to verify compliance with these standards, ensuring transparency and accountability.

2. WebTrust Principles and Criteria for Certification Authorities - SSL Baseline is specifically tailored for CAs issuing SSL/TLS certificates and focuses on basic security and operational requirements that SSL CAs must meet:
i. Security: Strong cryptographic algorithms must be used, and private keys must be securely managed.
ii. Certificate Lifecycle Management: SSL certificates must be issued based on proper domain ownership validation. The lifecycle management includes timely revocation and proper handling of certificate statuses through CRLs and OCSP.
iii. Availability: High availability of certificate management systems is required, ensuring continuous access to services like certificate validation.
iv. Transparency and Auditing: CAs must disclose policies, practices, and undergo independent audits to ensure compliance.
v. Reliability: CAs must guarantee that certificates are issued only to verified entities and maintain the integrity of the certificates during their lifecycle.

3. WebTrust Principles and Criteria for Certification Authorities - Extended Validation SSL focuses on the higher standards required for Extended Validation (EV) SSL Certificates, which provide stronger verification of the identity of organizations requesting certificates. Key differences compared to SSL baseline:
i. Stronger Identity Verification: EV SSL certificates require stricter validation of the certificate requester's legal, physical, and operational existence, verification of domain ownership and legal entity status.
ii. Transparency: CAs must ensure that the information about the EV process, policies, and practices is clearly communicated to the public.
iii. Certificate Lifecycle Management: The criteria emphasize detailed procedures for issuing, managing, and revoking EV certificates, with special attention to identity verification.

4. WebTrust Principles and Criteria for Certification Authorities - Network Security covers security and operational criteria for network security specifically for Certification Authorities:
i. Network Protection: CAs must ensure their network infrastructure is securely configured and monitored to prevent unauthorized access and data breaches.
ii. Data Protection: Sensitive data related to certificates, users, and private keys must be protected by robust encryption and access control measures.
iii. System Availability: CAs must maintain continuous availability for critical systems such as certificate issuance, revocation, and status checking services.
iv. Incident Response: CAs must have clear procedures for detecting, reporting, and responding to network security incidents or breaches.

5. WebTrust Principles and Criteria for Certification Authorities - S/MIME set standards for CAs that issue S/MIME certificates, which are used for securing email communications:
i. Identity Verification: CAs must verify the identity of the email address holders requesting certificates, ensuring that the identity matches the certificate requestor.
ii. Secure Email Practices: The issuance of S/MIME certificates must align with standards that protect the confidentiality, integrity, and authenticity of email messages.
iii. Certificate Lifecycle Management: Clear procedures for the issuance, revocation, and renewal of S/MIME certificates are required.
iv. Audit and Compliance: Regular audits must confirm that S/MIME certificates are issued according to security and privacy best practices.

6. WebTrust Principles and Criteria for Certification Authorities - Code Signing Baseline Requirements focuses on the requirements for Code Signing Certificates, which are used to sign software and applications to ensure their integrity and authenticity:
i. Identity Validation: Strong validation of the identity of software publishers and developers requesting certificates is critical.
ii. Private Key Protection: The private key used for signing code must be securely stored and protected from unauthorized access.
iii. Transparency: CAs must disclose their policies, practices, and undergo audits to ensure the integrity of the code signing process.
iv. Certificate Lifecycle Management: Procedures must be in place to manage the lifecycle of code signing certificates, proper revocation and handling of compromised keys.

7. WebTrust Principles and Criteria for Mark Certificates applies to WebTrust Mark Certificates, which are issued to organizations that comply with certain WebTrust standards, signifying trustworthiness in digital operations:
i. Verification of Compliance: Organizations must demonstrate compliance with WebTrust's security, privacy, and operational criteria to be awarded the WebTrust Mark.
ii. Transparency: WebTrust Mark certificates must be issued in a transparent manner, with organizations publicly sharing their compliance with WebTrust principles.
iii. Ongoing Commitment to Trust: Organizations must continuously adhere to WebTrust principles to retain their WebTrust Mark, which serves as an ongoing certification of trust.

8. WebTrust Principles and Criteria for Registration Authorities ("RAs") outlines the standards and best practices for the operation of Registration Authorities (RAs) in the context of digital certificate issuance and management. An RA is responsible for authenticating the identity of users (or entities) before certificates are issued by a Certification Authority (CA). WebTrust Principles and Criteria for Registration Authorities ensures that RAs operate with high standards of security, identity validation, privacy protection, and transparency in the process of registration and certificate issuance. RAs are held accountable through audit requirements and must maintain comprehensive documentation and records to support their practices and ensure public trust in the digital certificate lifecycle.

B. The use of the certification mark indicates that the engagements resulting in the issuance of the mark are carried out by an enrolled WebTrust Practitioner that must meet the following criteria:
a. be a member in good standing with the National Accounting Organization that is a member of IFAC;
b. be licensed or otherwise permitted to provide assurance services in the countries where it provides or intends to provide WebTrust for Certification Authorities Services;
c. perform compliance audits as regular ongoing business activities;
d. be able to demonstrate an understanding of systems related to the issuance of digital certificates and the issues related to various areas of Public Key Infrastructure, Information Security Management, and organizational reliability;
e. be thoroughly familiar with the WebTrust for Certificate Authorities Principles and Criteria and the requirements of the Certificate Authority/Browser Forum.
Recordals (known also as Footnotes)
Owner Address Change / Changement d'adresse du propriétaire DATE REGISTERED / DATE DE L'ENREGISTREMENT: 2025-08-12
Action History
| Action | Action date | Due date | Comments |
|---|---|---|---|
| Filed | 2019-07-11 | | |
| Created | 2019-07-12 | | |
| Formalized | 2019-07-15 | | |
| Pre-Assessment Letter Sent | 2022-11-03 | | Goods or Services Not Acceptable |
| Agent Changed | 2023-03-23 | | From/De: 92 To/A: 1002 |
| Search Recorded | 2024-06-17 | | |
| Examiner's First Report | 2024-06-17 | 2024-12-17 | |
| Correspondence Created | 2024-07-26 | 2024-09-26 | |
| Correspondence Created | 2024-08-12 | 2025-01-26 | |
| Correspondence Created | 2025-02-24 | 2025-08-24 | |
| Approved | 2025-05-28 | | APPROVED BY PROGRAM EX200M1 |
| Approval Notice Sent | 2025-05-28 | | APPROVED BY PROGRAM EX200M1 |
| Advertised | 2025-07-09 | | Vol.72 Issue 3689 |
| Amendment to Application | 2025-08-12 | | Address/address |
| Registration Pending | 2025-09-29 | | |
| Registered | 2025-09-29 | 2035-09-29 | |