Principles and criteria and practitioner guidance

WEBTRUST FOR CERTIFICATION AUTHORITIES PRINCIPLES AND CRITERIA

ENGAGEMENT APPLICABILITY MATRIX

WebTrust for Certification Authorities - Engagement Applicability Matrix (Aug. 31, 2023)
The WebTrust for Certification Authorities – Engagement Applicability Matrix provides information about the relevant assurance requirements based on current CA/Browser Forum and other requirements. In addition, it provides a summary of the current versions of the various applicable WebTrust for Certification Authorities assurance schemes.

WEBTRUST PRINCIPLES AND CRITERIA FOR CERTIFICATION AUTHORITIES

Framework for third party assurance providers to assess the adequacy and effectiveness of the controls employed by Certification Authorities (CAs)

• Principles and Criteria for Certification Authorities - Version 2.2.2
• Principles and Criteria for Certification Authorities - Version 2.2.1 

WebTrust Principles and Criteria for Mark Certificates

• WebTrust Principles and Criteria for Mark Certificates - Version 1.6
• WebTrust Principles and Criteria for Verified Mark Certificates - Version 1.4
• WebTrust Principles and Criteria for Verified Mark Certificates - Version 1.0

Framework for third party assurance providers relating to Extended Validation certificates

• WebTrust Principles and Criteria for Certification Authorities – Extended Validation SSL – Version 1.8
• WebTrust Principles and Criteria for Certification Authorities – Extended Validation SSL – Version 1.7.8
• WebTrust Principles and Criteria for Certification Authorities – Extended Validation SSL – Version 1.7.3

Framework for third party assurance providers relating to SSL certificates

• WebTrust Principles and Criteria for Certification Authorities – SSL Baseline – Version 2.8
• WebTrust Principles and Criteria for Certification Authorities – SSL Baseline with Network Security – Version 2.7
• WebTrust Principles and Criteria for Certification Authorities – SSL Baseline with Network Security – Version 2.6

Framework for third party assurance providers relating to Network Security

• WebTrust Principles and Criteria for Certification Authorities – Network Security – Version 1.7
• WebTrust Principles and Criteria for Certification Authorities – Network Security – Version 1.0

Framework for third party assurance providers relating to S/MIME

• WebTrust Principles and Criteria for Certification Authorities – S/MIME – Version 1.0.3
• WebTrust Principles and Criteria for Certification Authorities – S/MIME – Version 1.0.1
• WebTrust Principles and Criteria for Certification Authorities – S/MIME – Version 1.0.0

Framework for third party assurance providers relating to code signing

• WebTrust Principles and Criteria for Certification Authorities – Code Signing Baseline Requirements – Version 3.7
• WebTrust Principles and Criteria for Certification Authorities – Code Signing Baseline Requirements – Version 3.2
• WebTrust Principles and Criteria for Certification Authorities – Code Signing Baseline Requirements – Version 2.7
• WebTrust Principles and Criteria for Certification Authorities – Code Signing Baseline Requirements – Version 2.0 

WebTrust Principles and Criteria for Registration Authorities

• WebTrust Principles and Criteria for Registration Authorities - Version 1.1

ILLUSTRATIVE REPORTS

The WebTrust Task Force prepared, and released in 2022, illustrative guidance for enrolled WebTrust practitioners to support the preparation of WebTrust engagement assurance reports under Canadian, U.S. and international assurance standards.

Licensed WebTrust practitioners can access the reports through Chartered Professional Accountants of Canada Portal.

If you are not a licensed WebTrust practitioner but would require access to the reports, please contact us.

• NEW: WebTrust – Practitioner Guidance
• NEW: Illustrative Detailed Controls Report Covering Criteria Expected for a Publicly Trusted Certification Authority
• WebTrust – Canada reporting under CSAE 3000 - 3001
• WebTrust – U.S. reporting under SSAE 18
• WebTrust – International reporting under ISAE 3000
• WebTrust – Short Form Reports – Registration Authorities
• WebTrust – Combined US (AICPA) Standards – AT-C205 and ISAE 3000 Report
• WebTrust – Illustrative Examples – Force Majeure Event Scope Limitation Practitioner Reports

For inquiries regarding WebTrust, please contact CPA Canada.