Services
Services
SOC & Attestations
SOC & Attestations
Payment Card Assessments
Payment Card Assessments
ISO Certifications
ISO Certifications
Privacy Assessments
Privacy Assessments
Federal Assessments
Federal Assessments
Healthcare Assessments
Healthcare Assessments
Penetration Testing
Penetration Testing
Cybersecurity Assessments
Cybersecurity Assessments
Crypto and Digital Trust
Crypto and Digital Trust
Schellman Training
Schellman Training
ESG & Sustainability
ESG & Sustainability
AI Services
AI Services
Industry Solutions
Industry Solutions
Cloud Computing & Data Centers
Cloud Computing & Data Centers
Financial Services & Fintech
Financial Services & Fintech
Healthcare
Healthcare
Payment Card Processing
Payment Card Processing
US Government
US Government
Higher Education & Research Laboratories
Higher Education & Research Laboratories
About Us
About Us
Leadership Team
Leadership Team
Careers
Careers
Corporate Social Responsibility
Corporate Social Responsibility
Strategic Partnerships
Strategic Partnerships

Why Private Certification Authorities Need WebTrust Assessments

In the digital marketplace, certification authorities (CA) play an important role as trust anchors on the Internet—their primary goal is to establish confidence, confidentiality, integrity, and authentication during various digital communication and transaction scenarios, enabling secure interactions and protecting sensitive information. But that makes it imperative that these CAs remain trustworthy themselves, and in this, WebTrust audits can help.

Digital trust is an emerging market that Schellman has dedicated an entire practice to—including offerings of WebTrust audits—and so in this article, we are going to expand on how certification authorities work, and why those that are private can benefit from undergoing a WebTrust audit, as well as your different assessment options.

How Do Certification Authorities Work?

We mentioned that certification authorities (CA) are considered trust agents and that’s because they issue authentication certificates that are used by web browsers to encrypt traffic from user client devices to the server hosting the site—in so doing, they provide consumers with assurance that websites are legitimate with rights to that domain.

Public certification authorities enhance their trustworthiness through the mandated startup and annual audits required by the Certification Authority / Browser (CA/B) Forum, an industry consortium that has worked with the audit community to establish WebTrust, an audit scheme that rigorously evaluates the generally accepted processes and controls that a certification authority should assert to exact confidence.

What Does a Private Certification Authority Do?

However, most certification authorities are not in the public domain—rather, they operate behind a private enterprise’s firewall and issue certificates that:

Secure Website Communication

  • Verify the authenticity and integrity of the website.
  • Encrypt the data transmitted between the user's browser and the website.
  • Establish a secure connection, indicated by the padlock symbol in the browser's address bar.

Encrypt Email and Digital Signatures

  • Ensures the content of the email remains confidential and can only be accessed by the intended recipient.
  • Verify the authenticity and integrity of an email through digital signatures that confirm the sender's identity has not been tampered with and the content remains unchanged.

Protect Document and Code Signing

  • Authenticate the integrity and authenticity of digitally signed PDFs, contracts, and other electronic documents.
  • Assure users that the software application code and its relevant updates have not been tampered with and come from a trusted source.

Control Authentication and Access

  • Enable secure login mechanisms—such as two-factor authentication (2FA) or multi-factor authentication (MFA)—that certifies only authorized users can access protected resources or perform privileged actions.

Regulate Virtual Private Network (VPN) and Remote Access

  • Allow remote users to securely access internal networks and resources using an encrypted connection that prevents unauthorized access and data interception.

Secure IoT Devices

  • Authenticate the identity of the IoT devices
  • Establish secure communication channels with backend systems, ensuring data privacy and integrity.

Timestamp Code and Documents

  • Verify the existence and integrity of a document or code at a specific point in time, serving as proof of creation or modification.

Clearly, private CAs play a crucial role in ensuring secure communication and digital transactions by issuing and managing digital certificates to internal entities, despite not being subject to the same WebTrust audit obligations.

6 Benefits of WebTrust for Private Certification Authorities

Still, private CAs can choose to undergo a WebTrust for CA assessment to benchmark their policies, processes, and controls against a widely established standard to identify weaknesses in critical infrastructure—in fact, obtaining a WebTrust assessment can benefit a private CA in at least six ways:

1. Enhanced Credibility

 

Because WebTrust is a widely recognized assurance program developed by the American Institute of Certified Public Accountants (AICPA) and the Canadian Institute of Chartered Accountants (CICA), undergoing a WebTrust assessment demonstrates a commitment to meeting industry best practices and standards, boosting credibility and trustworthiness in the eyes of clients, partners, and other stakeholders.

2. Competitive Advantage in the Marketplace

 

Many organizations and individuals prioritize working with CAs that have undergone independent audits and obtained a recognized WebTrust seal. Evidencing an unqualified WebTrust audit report with a WebTrust seal can differentiate the CA from competitors who may not have undergone such assessments, thereby attracting more customers and business opportunities.

3. Successful Regulatory Compliance

 

Depending on jurisdiction, there may be specific regulations or industry requirements that CAs must meet.

Because WebTrust assessments align with various frameworks and standards, successfully obtaining a WebTrust seal can help a CA demonstrate compliance with relevant laws, regulations, and guidelines, which can be beneficial in sectors like finance, healthcare, or government where compliance is of utmost importance.

4. Increased Customer Confidence

 

A WebTrust seal provides customers with an additional level of assurance regarding the CA's practices and the security of its digital certificates, which can instill confidence in customers, assuring them that their transactions and communications are protected by reliable and secure certificates.

Increased customer confidence can lead to higher customer retention rates and positive word-of-mouth referrals.

5. Better Risk Mitigation

 

During a WebTrust assessment, auditors will evaluate the CA's policies, procedures, controls, and security measures related to its certificate issuance, governance and management processes. As part of that process, any weaknesses or vulnerabilities in its operations will be identified so that corrective action can be taken to mitigate risks.

This proactive approach helps safeguard the CA's infrastructure, data, and operations, reducing the likelihood of security breaches, fraud, or non-compliance.

6. Encouraged Continuous Improvement

 

WebTrust assessments also involve evaluating the CA's operations against established criteria, which can help identify opportunities to enhance efficiency, security, and customer service. By participating in the WebTrust program, CAs can establish a cycle of continuous improvement that sees them regularly evaluate and enhance their processes, ensuring they stay up-to-date with evolving industry standards and customer expectations.

WebTrust Assessment Options

While these specific advantages may vary depending on the CA's business model, industry, and customer base, overall, a WebTrust assessment provides a robust framework for CAs to enhance their credibility, competitiveness, security, and compliance practices.

Should you consider investing in WebTrust, there are three assessments to consider:

Assessment

Details

Readiness Assessment

Though not a recognized audit like the other two options, this is a key first step in identifying the maturity and trustworthiness of your private certification authority. A readiness assessment:

 

 

  • Is designed to identify any gaps within your current control environment, as well as any controls that should be implemented or improved before an actual audit takes place.
  • Your organization will present evidence—usually in the form of documents or system configurations—that WebTrust auditors will determine is adequate within a WebTrust audit.
  • A readiness assessment does not include the analysis of evidence for conformity.

Point-in-Time Assessment

  • Involves your providing evidence asserting conformity to WebTrust standards to an auditor who evaluates it to determine if controls are adequately designed to meet the WebTrust criteria.
  • There is no examination of operational performance history.

Period-of-Time Assessment

  • Involves both the same design review of the CA and its operational effectiveness against WebTrust standards performed during the point-in-time assessment, as well as an evaluation of operational records over a stated period of time.
  • Unlike the point-in-time assessment, there is also a sampling of historical records to determine the CA’s consistent operational effectiveness compliance with WebTrust standards.

Next Steps

In our experience, many private CAs are understaffed, lacking the policies, procedures, and segregated duties required for sensitive, highly secure operations. When we assess them against WebTrust best practices, they are often surprised at the substantial risk pervaded by the lack of controls within their critical infrastructures and secure internal processing.

But that’s why these WebTrust assessments can help—despite there being no obligation to undergo one as there is for public CAs, those that are private can benefit in the many aforementioned ways.

If your organization operates its own private certification authority and you’re interested in learning more about WebTrust and partnering with Schellman, contact us for a free initial consultation on whether one of these assessments is right for your infrastructure and its risk posture.

About Schellman

Schellman is a leading provider of attestation and compliance services. We are the only company in the world that is a CPA firm, a globally licensed PCI Qualified Security Assessor, an ISO Certification Body, HITRUST CSF Assessor, a FedRAMP 3PAO, and most recently, an APEC Accountability Agent. Renowned for expertise tempered by practical experience, Schellman's professionals provide superior client service balanced by steadfast independence. Our approach builds successful, long-term relationships and allows our clients to achieve multiple compliance objectives through a single third-party assessor.