This email is provided for clarification of one of the agenda items presented at the FPKI TWG held at NIST on Wednesday, June 7, 2000. The agenda item was "CA Audits and the New WebTrust Auditing Guidelines". Charlie Scruggs from KPMG presented "Certificate Authority (CA) Auditing". Some points from this discussion should be clarified and perhaps raised for further discussion in this list, specifically pertaining to the SAS 70 audit, the proposed CA WebTrust audit, and the WebTrust Seal of Approval.

The first point has to do with the validity of the SAS 70 audit. The presenter suggested that DST and other companies "wasted their money" getting a SAS 70, ostensibly because it is not pertinent to being a CA. Setting aside the fact that the SAS 70 is a firm requirement of some of our contracts, including ACES – the SAS 70 is as relevant as you make it. DST worked closely with Pricewaterhouse Coopers (PWC) to ensure that our SAS 70 audit drew from the requirements and criteria of the X9.79 standard and from the proposed specifications for the CA WebTrust audit. (Remember from the presentation that the X9F5 working group created the X9.79 standard, which is being used to derive CA WebTrust requirements.) Our SAS 70 audit was a worthwhile endeavor as well as meeting a contractual requirement, and it positions us well to pass the CA WebTrust audit when that becomes appropriate.

The second point has to do with the status of the CA WebTrust itself. Currently, this audit is in draft format and has not been officially approved. There is still work to be done to make the CA WebTrust audit a viable certification tool. DST and perhaps other CAs have undergone informal CA WebTrust audits. However, until this tool is officially approved, audits performed under the current CA WebTrust are done voluntarily and have limited meaning. CAs submitting to the current CA WebTrust audit are proving the concepts of the audit rather than their own ability to meet the requirements.
Finally, once a CA passes the CA WebTrust audit, the CA is then awarded a WebTrust Seal of Approval from the American Institute of Certified Public Accountants (AICPA). This seal currently holds the logo of a competing CA service provider. The CA WebTrust working group, which is a working group of the AICPA, recognizes this and has made strong recommendations to change this. Until this change is effected, the use of the WebTrust audit will be very limited. CA competitors to this CA service provider will avoid getting the WebTrust audit because of the logo in the seal. The FPKI TWG can help by making the AICPA aware that if this seal is to have valid utility, the logo on the seal MUST be vendor independent.

Overall, the direction the AICPA is taking with the CA WebTrust audit is well advised. DST believes it holds great promise for this community.

Debb Blanchard
Digital Signature Trust Company
15200 Shady Grove Road, Suite 350
Rockville, MD 20850
office: 301-921-5977
cell: 410-259-0624
email: dblanchard@digsigtrust.com