Advanced Search
HomeCompliance and Standards : Certification Authority : Digi-Sign.comWebTrust

WebTrust Assurance Process


The CA’s management will make assertions along the following lines:

Management has assessed the controls over its CA operations. Based on that assessment, in ABC Certification Authority, Inc. (ABC-CA) Management’s opinion, in providing its certification authority (CA) services at [location], ABC-CA, during the period from [Month, day, year] through [Month, day, year]:

  • Disclosed its key and certificate life cycle management business and information privacy practices and provided such services in accordance with its disclosed practices


  • Maintained effective controls to provide reasonable assurance that:


    • Subscriber information was properly authenticated (for the registration activities performed by ABC-CA); and


    • The integrity of keys and certificates it managed was established and protected throughout their life cycles


  • Maintained effective controls to provide reasonable assurance that:


    • Subscriber and relying party information was restricted to authorized individuals and protected from uses not specified in the CA's business practices disclosure;


    • The continuity of key and certificate life cycle management operations was maintained; and


    • CA systems development, maintenance, and operations were properly authorized and performed to maintain CA systems integrity based on the WebTrust for Certification Authorities criteria.


For an initial representation, the historical period covered should be at least two months or more as determined by the practitioner. For established CAs and CA functions, two months may be quite sufficient, while for new CAs and CA functions, the practitioner may believe that a longer initial period would be more appropriate. For subsequent representations, the period covered should begin with the end of the prior period, to provide continuous representation. Reports should be issued at least every 12 months. In some situations, given the business needs or expectations of relying parties, the practitioner may believe a shorter subsequent period would be more appropriate.

To have a basis for such assertions, the CA’s management should have made a risk assessment and implemented appropriate controls for its CA operations. The WebTrust for Certification Authorities criteria and illustrative controls provide a basis for a risk assessment and a minimum set of CA controls.

An independent, objective, and knowledgeable practitioner will perform tests of these representations under professional standards and provide a professional opinion, which adds to the credibility of management’s representations.

  • Ireland, Dublin
    +353 (1) 685-3680