I can't believe I'm sticking up for the auditors.

A.     There's been a fair amount of speculation that the failures of the
audit profession to catch financial peccadilloes would also carry through to
WebTrust audits.  But there's a difference:

In a financial audit, the audit firm is making an opinion that the financial
statements prepared by the company are fair representations.  However, the
audit firm only reviews a small sampling of records and must make many
judgement calls to put forth that audit opinion.  In many respects,
financial audits are "approximations" -- and it's clear that the accounting
firms may have allowed other advisory revenues from a client to blinker their
audit vision.

In short, audit and accounting principles leave a lot of wiggle room.

However, WebTrust is a bit different.  Rather than a set of financial
principles ("in general, one might"), it is quite prescriptive ("thou
shalt").  The WebTrust criteria take the principles developed by the
following, among others, and turn them into a review checklist.

-  The ANSI X9F5 Digital Signature and Certificate Policy working group;
X9.79 PKI Practices and Policy Framework (X9.79) standard. This standard
includes detailed CA Control Objectives against which CAs may be evaluated.
-  An International Organization for Standardization (ISO) working group has
been formed to standardize X9.79 based on international requirements in a
new international standard.
-  In addition, the American Bar Association's Information Security
Committee (ABA-ISC) is developing the PKI Assessment Guidelines (PAG) which
address the legal and technical requirements for CAs. The PAG makes
reference to the CA Control Objectives that are detailed in the draft X9.79
standard and reflected in the WebTrust Program for Certification
Authorities.

In other words -- it does not only demand that the CA has a
publicly-available certification practice statement and certificate
policies; WebTrust requires those documents to include minimum conditions.
Ditto for a long list of internal policies and practices for CA
environmental controls, etc.  The CA has to prove compliance with all of the
above over an operational time period.

There is a lot less "grey area" in WebTrust than for financial audits.

B.    There's been some concern that unqualified auditors may give a
WebTrust opinion.  I understand that the AICPA and CICA (Canadian
counterparts) only allow certain firms to conduct WebTrust -- having proven
that they have the expertise to do so.  In addition, the AICPA appears to
have taken some degree of direct QA role on all WebTrust for CAs.

C.    You will note that Microsoft allows CAs to provide "WebTrust
equivalent" procedures for admission.  Admittedly, a WebTrust is an
expensive, laborious undertaking.  However, a smaller or public-good CA like
CACerts could complete the procedures themselves and have a qualified
systems auditor concur on them.  Done correctly, this may be acceptable ...
and is significantly cheaper.

Regards, Stephen

www.quovadis.bm