
Why Private Certification Authorities Need WebTrust Assessments

In the digital marketplace, certification authorities (CAs) play an important role as trust anchors on the Internet—their primary goal is to establish confidence, confidentiality, integrity, and authentication across digital communication and transaction scenarios, enabling secure interactions and protecting sensitive information. That makes it imperative that these CAs remain trustworthy themselves, and here WebTrust audits can help.

Digital trust is an emerging market that Schellman has dedicated an entire practice to—including offerings of WebTrust audits—and so in this article, we are going to expand on how certification authorities work, and why those that are private can benefit from undergoing a WebTrust audit, as well as your different assessment options.

How Do Certification Authorities Work?

We mentioned that certification authorities (CAs) are considered trust anchors, and that’s because they issue the certificates that web browsers use to authenticate a site and encrypt traffic between the user's client device and the server hosting it—in so doing, they give consumers assurance that a website is legitimate and that its operator holds the rights to that domain.

Public certification authorities enhance their trustworthiness through the mandated startup and annual audits required by the Certification Authority / Browser (CA/B) Forum, an industry consortium that has worked with the audit community to establish WebTrust, an audit scheme that rigorously evaluates the generally accepted processes and controls that a certification authority should maintain in order to earn confidence.

What Does a Private Certification Authority Do?

However, most certification authorities are not publicly trusted—rather, they operate behind a private enterprise’s firewall and issue certificates that:

Secure Website Communication

  • Verify the authenticity and integrity of the website.
  • Encrypt the data transmitted between the user's browser and the website.
  • Establish a secure connection, indicated by the padlock symbol in the browser's address bar.

Encrypt Email and Digital Signatures

  • Ensure the content of the email remains confidential and can only be accessed by the intended recipient.
  • Verify the authenticity and integrity of an email through digital signatures that confirm the sender's identity and that the content remains unchanged.

Protect Document and Code Signing

  • Authenticate the integrity and authenticity of digitally signed PDFs, contracts, and other electronic documents.
  • Assure users that the software application code and its relevant updates have not been tampered with and come from a trusted source.

Control Authentication and Access

  • Enable secure login mechanisms—such as two-factor authentication (2FA) or multi-factor authentication (MFA)—that ensure only authorized users can access protected resources or perform privileged actions.

Regulate Virtual Private Network (VPN) and Remote Access

  • Allow remote users to securely access internal networks and resources using an encrypted connection that prevents unauthorized access and data interception.

Secure IoT Devices

  • Authenticate the identity of the IoT devices.
  • Establish secure communication channels with backend systems, ensuring data privacy and integrity.

Timestamp Code and Documents

  • Verify the existence and integrity of a document or code at a specific point in time, serving as proof of creation or modification.

Clearly, private CAs play a crucial role in ensuring secure communication and digital transactions by issuing and managing digital certificates to internal entities, despite not being subject to the same WebTrust audit obligations.
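To make the trust-anchor role concrete, the following is an added example (not code from the article or from Schellman) that builds a hypothetical enterprise root CA named "Example Corp Private Root CA" and an internal server certificate for the constructed host intranet.example.internal using only Go's standard library, then shows that the certificate verifies only for clients that have that private root in their trust store.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)
// issue signs tmpl with key under parent (self-signed when parent == tmpl) and parses the result.
func issue(tmpl, parent *x509.Certificate, pub any, key *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, key)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der) // DER just produced by CreateCertificate always parses
	return cert
}
// BuildPrivatePKI constructs a hypothetical enterprise root CA (the trust anchor) and an internal server certificate it issues; names and lifetimes are illustrative.
func BuildPrivatePKI() (root, leaf *x509.Certificate) {
	now, year := time.Now(), 365*24*time.Hour
	rootKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	leafKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	rootTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), NotBefore: now.Add(-time.Hour), NotAfter: now.Add(10 * year),
		Subject: pkix.Name{CommonName: "Example Corp Private Root CA"},
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign} // CA key signs certs/CRLs only
	root = issue(rootTmpl, rootTmpl, &rootKey.PublicKey, rootKey)
	leafTmpl := &x509.Certificate{SerialNumber: big.NewInt(2), NotBefore: now.Add(-time.Hour), NotAfter: now.Add(year),
		Subject: pkix.Name{CommonName: "intranet.example.internal"}, DNSNames: []string{"intranet.example.internal"},
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}} // end-entity cert: not a CA
	leaf = issue(leafTmpl, root, &leafKey.PublicKey, rootKey)
	return root, leaf
}
// VerifyAgainst reports whether leaf chains to a trusted root for dnsName; an empty trust store models a client that never installed the private root.
func VerifyAgainst(leaf *x509.Certificate, trusted []*x509.Certificate, dnsName string) bool {
	pool := x509.NewCertPool()
	for _, c := range trusted {
		pool.AddCert(c)
	}
	_, err := leaf.Verify(x509.VerifyOptions{Roots: pool, DNSName: dnsName})
	return err == nil
}
func main() {
	root, leaf := BuildPrivatePKI()
	fmt.Println(VerifyAgainst(leaf, []*x509.Certificate{root}, "intranet.example.internal"), // true
		VerifyAgainst(leaf, nil, "intranet.example.internal")) // false: root not in the trust store
}
```

The same chain logic applies to the email, code-signing, VPN and IoT uses listed above: each relying party must deliberately install the private root, which is why the controls around that root's key and issuance practices are what a WebTrust assessment examines.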

6 Benefits of WebTrust for Private Certification Authorities

Still, private CAs can choose to undergo a WebTrust for CA assessment to benchmark their policies, processes, and controls against a widely established standard to identify weaknesses in critical infrastructure—in fact, obtaining a WebTrust assessment can benefit a private CA in at least six ways:

1. Enhanced Credibility

Because WebTrust is a widely recognized assurance program developed by the American Institute of Certified Public Accountants (AICPA) and the Canadian Institute of Chartered Accountants (CICA), undergoing a WebTrust assessment demonstrates a commitment to meeting industry best practices and standards, boosting credibility and trustworthiness in the eyes of clients, partners, and other stakeholders.

2. Competitive Advantage in the Marketplace

Many organizations and individuals prioritize working with CAs that have undergone independent audits and obtained a recognized WebTrust seal. Evidencing an unqualified WebTrust audit report with a WebTrust seal can differentiate the CA from competitors who may not have undergone such assessments, thereby attracting more customers and business opportunities.

3. Successful Regulatory Compliance

Depending on jurisdiction, there may be specific regulations or industry requirements that CAs must meet.

Because WebTrust assessments align with various frameworks and standards, successfully obtaining a WebTrust seal can help a CA demonstrate compliance with relevant laws, regulations, and guidelines, which can be beneficial in sectors like finance, healthcare, or government where compliance is of utmost importance.

4. Increased Customer Confidence

A WebTrust seal provides customers with an additional level of assurance regarding the CA's practices and the security of its digital certificates, which can instill confidence in customers, assuring them that their transactions and communications are protected by reliable and secure certificates.

Increased customer confidence can lead to higher customer retention rates and positive word-of-mouth referrals.

5. Better Risk Mitigation

During a WebTrust assessment, auditors will evaluate the CA's policies, procedures, controls, and security measures related to its certificate issuance, governance and management processes. As part of that process, any weaknesses or vulnerabilities in its operations will be identified so that corrective action can be taken to mitigate risks.

This proactive approach helps safeguard the CA's infrastructure, data, and operations, reducing the likelihood of security breaches, fraud, or non-compliance.

6. Encouraged Continuous Improvement

WebTrust assessments also involve evaluating the CA's operations against established criteria, which can help identify opportunities to enhance efficiency, security, and customer service. By participating in the WebTrust program, CAs can establish a cycle of continuous improvement that sees them regularly evaluate and enhance their processes, ensuring they stay up-to-date with evolving industry standards and customer expectations.

WebTrust Assessment Options

While these specific advantages may vary depending on the CA's business model, industry, and customer base, overall, a WebTrust assessment provides a robust framework for CAs to enhance their credibility, competitiveness, security, and compliance practices.

Should you consider investing in WebTrust, there are three assessments to consider:

Readiness Assessment

Though not a recognized audit like the other two options, this is a key first step in identifying the maturity and trustworthiness of your private certification authority. A readiness assessment:

  • Is designed to identify any gaps within your current control environment, as well as any controls that should be implemented or improved before an actual audit takes place.
  • Has your organization present evidence—usually documents or system configurations—which the assessors review to judge whether WebTrust auditors would find it adequate in an actual WebTrust audit.
  • Does not include the analysis of evidence for conformity.

Point-in-Time Assessment

  • Involves your organization providing evidence of conformity to WebTrust standards to an auditor, who evaluates it to determine whether the controls are adequately designed to meet the WebTrust criteria.
  • There is no examination of operational performance history.

Period-of-Time Assessment

  • Involves the same review of the CA’s control design against WebTrust standards that is performed during the point-in-time assessment, plus an evaluation of the controls’ operating effectiveness from operational records over a stated period of time.
  • Unlike the point-in-time assessment, it samples historical records to determine whether the CA has consistently operated its controls in conformity with WebTrust standards.

Next Steps

In our experience, many private CAs are understaffed and lack the policies, procedures, and segregated duties required for sensitive, highly secure operations. When we assess them against WebTrust best practices, they are often surprised at the substantial risk created by the lack of controls within their critical infrastructure and secure internal processing.

But that’s why these WebTrust assessments can help—despite there being no obligation to undergo one as there is for public CAs, those that are private can benefit in the many aforementioned ways.

If your organization operates its own private certification authority and you’re interested in learning more about WebTrust and partnering with Schellman, contact us for a free initial consultation on whether one of these assessments is right for your infrastructure and its risk posture.

About Scott Perry

Scott Perry is a Principal at Schellman where he heads up its crypto and digital trust services practice. Prior to joining Schellman in 2022, Scott owned and operated his own firm specializing in cybersecurity consulting audits and governance, GRC implementation, digital identity and verifiable credentials, and WebTrust. Scott is also a Steering Committee member and co-Chairs the Governance Stack Working Group for the Trust Over IP Foundation (a Linux Foundation project). Scott has worked with the world's most respected SSL-certificate issuers, aerospace and defense companies, and government agencies. He has authored and contributed to a comprehensive governance and trust assurance methodology suite for Trust Over IP, has written a key chapter on Trust Assurance in a published book on Self Sovereign Identity and the FinClusive Rulebook. As a hands-on crypto and cybersecurity consultant and auditor, Scott provides deep and impactful advice that you would expect from a leader in the field.