WEBTRUST PRINCIPLES AND CRITERIA FOR CERTIFICATION AUTHORITIES
1.0: CA Business Practices Disclosure
1.1 Certification Practice Statement (CPS)
1.2 Certificate Policy (CP) (if applicable)
2.0: CA Business Practices Management
2.1 Certification Practice Statement (CPS) Management
2.1.1 The PA has final authority and responsibility for approving the CA’s Certification Practice Statement (CPS).
2.1.2 Responsibilities for maintaining the CPS have been formally assigned.
2.1.3 The CA’s CPS is modified and approved in accordance with a defined review process.
2.1.4 The CA makes available its Certification Practice Statement (CPS) to all appropriate parties.
2.1.5 Revisions to the CA’s CPS are made available to appropriate parties.
2.1.6 The CA updates its CPS to reflect changes in the environment as they occur.
2.2 Certificate Policy (CP) Management (if applicable)
2.2.1 The Policy Authority (PA) has the responsibility of defining the business requirements and policies for using digital certificates and specifying them in a Certificate Policy (CP) and supporting agreements.
2.2.2 The PA has final authority and responsibility for specifying and approving Certificate Policy(s).
2.2.3 Certificate Policy(s) are approved by the Policy Authority in accordance with a defined annual review process, including responsibilities for maintaining and tracking changes to the Certificate Policy(s).
2.2.4 A defined review process exists to assess that the Certificate Policy(s) are capable of support by the controls specified in the CPS.
2.2.5 The PA makes available the Certificate Policies supported by the CA to Subscribers and Relying Parties.
2.3 CP and CPS Consistency (if applicable)
2.3.1 The PA is responsible for ensuring that the CA’s control processes, as stated in a Certification Practice Statement (CPS) or equivalent, fully comply with the requirements of the CP.
2.3.2 The CA addresses the requirements of the CP when developing its CPS.
2.3.3 The CA assesses the impact of proposed CPS changes to ensure that they are consistent with the CP.
2.3.4 A defined review process exists to ensure that Certificate Policy(s) are supported by the CA’s CPS.
3.0: CA Environmental Controls
3.1 Security Management
Information Security Policy
Information Security Infrastructure
Security of Third Party Access
Outsourcing
3.2 Asset Classification and Management
3.3 Personnel Security
3.4 Physical and Environmental Security
CA Facility Physical Security
Equipment Security
General Controls
3.5 Operations Management
Operational Procedures and Responsibilities
System Planning and Acceptance
Protection Against Viruses and Malicious Software
Incident Reporting and Response
Media Handling and Security
3.6 System Access Management
User Access Management
Network Access Control
Hypervisor, Operating System, Database, and Network Device Access Control
Application Access Control
3.7 Systems Development, Maintenance, and Change Management
3.8 Disaster Recovery, Backups, and Business Continuity Management
3.9 Monitoring and Compliance
Compliance with Legal Requirements
Review of Security Policy and Technical Compliance
System Audit Process
Monitoring System Access and Use
3.10 Audit Logging
Audit Logs
Events Logged
Audit Log Protection
Audit Log Archival
Review of Audit Logs
4.0: CA Key Lifecycle Management Controls
4.1 CA Key Generation
Generation of CA Keys Including Root CA Keys – General Requirements
Generation of CA Keys Including Root CA Keys – Script Requirements
4.2 CA Key Storage, Backup, and Recovery
4.3 CA Public Key Distribution
4.4 CA Key Usage
4.5 CA Key Archival
4.6 CA Key Destruction
4.7 CA Key Compromise
4.8 CA Cryptographic Hardware Life Cycle Management
4.9 CA Key Escrow (if applicable)
4.10 CA Key Transportation (if applicable)
4.11 CA Key Migration (if applicable)
5.0: Subscriber Key Lifecycle Controls
5.1 CA-Provided Subscriber Key Generation Services (if supported)
5.2 CA-Provided Subscriber Key Storage and Recovery Services (if supported)
5.3 Integrated Circuit Card (ICC) Lifecycle Management (if supported)
5.4 Requirements for Subscriber Key Management
6.0: Certificate Lifecycle Management
6.1 Subscriber Registration
6.2 Certificate Renewal (if supported)
6.3 Certificate Rekey
6.4 Certificate Issuance
6.5 Certificate Distribution
6.6 Certificate Revocation
6.7 Certificate Suspension (if supported)
6.8 Certificate Validation
7.0: Subordinate CA and Cross Certificate Lifecycle Management Controls
7.1 Subordinate CA Certificate and Cross Certificate Lifecycle Management
Subordinate CA (Sub-CA) and Cross Certificate Registration
Sub-CA and Cross Certificate Rekey
Sub-CA and Cross Certificate Issuance
Sub-CA and Cross Certificate Distribution
Sub-CA and Cross Certificate Revocation
Sub-CA and Cross Certificate Status Information Processing