| Line 78: | Line 78: | ||
=== Extended Validation === | === Extended Validation === | ||
If the root certificate is enabled for EV treatment, then the following three public-facing audit statements are required annually: | If the root certificate is enabled for EV treatment, then the following three public-facing audit statements are required annually: | ||
# | # [http://www.webtrust.org/homepage-documents/item54279.pdf Webtrust Principles and Criteria for Certification Authorities 2.0] | ||
# | # [http://www.webtrust.org/homepage-documents/item79806.pdf WebTrust Principles and Criteria for Certification Authorities – SSL Baseline with Network Security – Version 2.0] | ||
# | # [http://www.webtrust.org/homepage-documents/item79807.pdf WebTrust Principles and Criteria for Certification Authorities – Extended Validation SSL – Version 1.4.5] | ||
However, if the CA hierarchy can only be used for EV certificates, ''the CP/CPS clearly states this'', and an annual scan of the certificate database proves that '''all''' end-entity certificates have the EV policy OID, then a separate WebTrust BR audit statement is not needed because it is encompassed within the WebTrust EV audit. In other words, the WebTrust EV audit statement will also suffice as the WebTrust BR audit statement. | However, if the CA hierarchy can only be used for EV certificates, ''the CP/CPS clearly states this'', and an annual scan of the certificate database proves that '''all''' end-entity certificates have the EV policy OID, then a separate WebTrust BR audit statement is not needed because it is encompassed within the WebTrust EV audit. In other words, the WebTrust EV audit statement will also suffice as the WebTrust BR audit statement. | ||
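Review bot: The first added list item spells its link text "Webtrust", while the other two added items and the surrounding paragraph use "WebTrust"; make the capitalization consistent. All three added links also use plain http:// URLs to item-numbered PDFs and pin specific versions (2.0, 2.0 and 1.4.5). Consider linking over https if the site offers it. Since the audit statements are required annually, also state whether later versions of each criteria document are acceptable, so the list does not go stale when a criteria document is revised.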