Public Key Infrastructure (PKI) assurance engagements
THE CHALLENGE
Trust is the foundation of all business. However, as more and more business is conducted online through e-commerce websites and IoT devices, and organizations face ever-evolving threats such as identity theft, fake e-commerce sites, and data breaches, securing online communications has never been more critical.
THE IMPORTANCE OF PUBLIC KEY INFRASTRUCTURE (PKI)
Organizations are increasingly relying upon the use of Public Key Infrastructure (PKI) to establish said trust.
A PKI is a set of roles, policies, and procedures to create, manage, distribute, use, store, and revoke digital certificates, ensuring that the confidentiality and integrity of online communications are maintained.
THE IMPORTANCE OF DIGITAL CERTIFICATES
Digital certificates are electronic credentials that bind a cryptographic key pair to the identity of a website, individual, organization, user, or device. Through the signatures and encryption those key pairs enable, certificates allow for reliable business communications by providing confidentiality, authentication, data integrity, and a reasonable basis for non-repudiation.
Digital certificates are a foundational aspect of PKI and essential for maintaining the confidentiality, integrity, and authenticity of digital communication, so protecting their authenticity and integrity is paramount.
THE IMPORTANCE OF CERTIFICATE AUTHORITIES (CAs)
Certificate Authorities (CAs) are independent, trusted third parties that issue and sign digital certificates. They play an essential role in a PKI, assuring both parties that certificates have been issued to legitimate organizations.
Given their importance, CAs are expected to adhere to a large body of existing national, international, and proprietary standards to maintain secure systems to protect the authenticity and integrity of the certificates they issue. Their adherence is also expected to be validated periodically by external parties like Richter.
HOW WE CAN HELP
WebTrust Assurance Reports
Richter is an enrolled WebTrust practitioner who can prepare WebTrust assurance reports under Canadian, U.S., and international assurance standards. We have performed these types of engagements for clients in the aerospace, aviation, and software (e.g., email encryption) industries. We can also use the framework as a benchmark for performing an internal or independent assessment, as an internal auditor or as an external independent practitioner, as supported by the CA/Browser Forum.
Root Key Generation Witnessing
At the heart of any PKI is the Root CA, the most critical component of the infrastructure, so ensuring its integrity is of utmost importance. As a best practice, any newly established PKI should have its Root CA key pair generation witnessed by an independent auditor, such as Richter. Richter can formally witness and document the creation of the Root CA’s private signing key and issue a formal, independent assurance report to the CA organization, giving it a non-refutable record of the integrity of the Root CA’s key pair, particularly the private signing key.
CertiPath Assurance Reports
Richter can satisfy the compliance requirements imposed by CA companies, such as CertiPath, by performing the annual assurance engagements required to cross-certify with them. Many CAs choose to cross-certify with the CertiPath PKI Bridge, which enables cross-organizational trust for its members. These members operate high-assurance identity credentialing systems known as Enterprise PKIs, and several of them provide Personal Identity Verification – Interoperable (PIV-I) credentials to other organizations.
As part of CertiPath’s cross-certification requirements, they request that each CA that cross-certifies with them or wishes to cross-certify with them undergo an annual attestation engagement by an independent auditor, such as Richter, to issue the following:
- A Third-Party Auditor Certificate Practice Statement Compliance Analysis letter asserting that the Principal CA’s Certification Practices Statement (CPS)[1] implements the Certificate Policy (CP)[2].
- A Third-Party Auditor Operational Compliance Analysis letter asserting that the Principal CA’s operations meet the associated Certificate Policy/Certificate Practice Statement requirements.
Richter has performed several annual CertiPath assurance engagements for many clients in the aerospace and aviation industries who wish to enter into a cross-certification relationship with CertiPath or need to demonstrate compliance annually to retain their cross-certification.
Adobe Approved Trust List (AATL) Assurance
The Adobe Approved Trust List program allows millions of users worldwide to create trusted digital signatures whenever the signed document is opened in Adobe® Acrobat® or Reader® software. Acrobat and Reader have been programmed to reach out to a web page to periodically download a list of trusted “root” digital certificates. Any digital signature created with a credential that can trace a relationship (“chain”) back to the high-assurance, trustworthy certificates on this list is trusted by Acrobat and Reader.
As part of AATL’s technical requirements, an audit must be performed regularly on the Issuing CA (ICA). The audit aims to prove that the prospective member wishing to join the AATL program implements what is stated in its documentation, in particular its CPS (Certificate Practice Statement) and CP (Certificate Policy), and that it achieves the level of security specified by one of the following audit schemes:
(a) ETSI EN 319 411-1 NCP
(b) ETSI EN 319 411-2 QCP-n or QCP-l
(c) WebTrust for CA v.2.0 or later
(d) ISO 21188:2006
Richter has leveraged the WebTrust for CA audit scheme for an aviation industry client to perform an audit as a prerequisite for them to join the AATL program.
ATA Spec 42 Assurance
The ATA Spec 42 specification aims to guide the deployment of identity management solutions based on regulatory guidance such as FAA Advisory Circular 120-78A. These solutions may use digital signatures based on Public Key Infrastructure (PKI) technology with a “chain of trust” to a Certification Authority (CA), or other non-PKI electronic signature means to satisfy the identity assurance and data integrity requirements of the civil aviation industry.
As part of the ATA Spec 42 requirements, PKI operators (including airlines) or vendors who operate a CA must have an annual compliance audit performed by an independent, competent compliance auditor. This audit ensures that the requirements of their CP/CPS and the provisions of the contracts with any cross-certified CAs are being implemented and enforced. The annual compliance audit covers all CAs, Certificate Management Systems (CMS), and Registration Authorities (RAs). It aims to verify that each component operates in accordance with the Entity’s CP, the applicable CPSs, and any other applicable agreement that governs the Entity PKI. The compliance audit also includes an assessment of the applicable CPS against the CP to determine that the CPS adequately addresses and implements the requirements of the CP.
Richter can perform these audits based on our experience with other PKI industry audits.
Pre-Operational Audits
Organizations may wish to conduct a pre-operational, point-in-time audit of their PKI to determine if the controls and procedures contained in the CPSs are in place and operational. Such examinations would be performed following standards established by CPA Canada. The objective would be to audit management’s assertion about compliance with specific requirements within its CP and CPSs and issue an opinion. Richter has expertise in Public Key Infrastructure (PKI) audits and is an internationally recognized, approved, and enrolled WebTrust for Certificate Authority (CA) practitioner/auditor with CPA Canada.
[1] A Certification Practice Statement (CPS) defines the measures taken to secure CA operations and the management of CA-issued certificates. You can consider a CPS to be an agreement between the organization managing the CA and the people relying on the certificates issued by the CA. While the CP tells a user or maintainer what to do, the CPS tells them how to do it. The CA’s CPS is a public document that should be readily available to all participants so that a relying party can determine whether the certificates issued by that CA meet its security requirements.
[2] A Certificate Policy (CP) describes the measures taken to validate a certificate’s subject before certificate issuance and the intended purposes of the certificate. For many organizations, the certificate-issuance policy determines whether the presented certificate will be trusted. The CP also lets users and PKI maintainers know how to apply for a certificate, the naming standards for certificates, and more.