Advanced Search
HomeCompliance and Standards : Certification Authority : Digi-Sign.comWebTrust

WebTrust Principle 2

Service Integrity

The second principle is—The certification authority maintains effective controls to provide reasonable assurance that:

  • Subscriber information was properly authenticated (for the registration activities performed by ABC-CA).


  • The integrity of keys and certificates it manages is established and protected throughout their life cycles.


Effective key management controls and practices are essential to the trustworthiness of the public key infrastructure. Cryptographic key management controls and practices cover CA key generation; CA key storage, backup, and recovery; CA public key distribution (especially when done in the form of self-signed “root” certificates); CA key escrow (optional); CA key usage; CA key destruction; CA key archival; the management of CA cryptographic hardware through its life cycle; and CA-provided subscriber key management services (optional). Strong key life cycle management controls are vital to guard against key compromise that can damage the integrity of the public key infrastructure.

The user certificate life cycle is at the core of the services provided by the CA. The CA establishes its standards and practices by which it will deliver services in its published CPS and CPs. The user certificate life cycle includes the following:

  • Registration (that is, the identification and authentication process related to binding the individual subscriber to the certificate)


  • The renewal of certificates (optional)


  • The rekey of certificates


  • The revocation of certificates


  • The suspension of certificates (optional)


  • The timely publication of certificate status information (through certificate revocation lists or some form of online certificate status protocol)


  • The management of integrated circuit cards (ICCs) holding private keys through their life cycle (optional)




Effective controls over the registration process are essential, as poor identification and authentication controls jeopardize the ability of subscribers and relying parties to rely on the certificates issued by the CA. Effective revocation procedures and timely publication of certificate status information are also essential elements, as it is critical for subscribers and relying parties to know when they are unable to rely on certificates that have been issued by the CA.

  • Ireland, Dublin
    +353 (1) 685-3680