I think the consistency between WebTrust auditors has also been discussed. 
The WebTrust for CA use of criteria and illustrative controls may leave too 
much room for interpretation by an auditor. There is also a potential gap 
between the WebTrust licensed firm and the individual auditors, which again 
leaves open the question of whether the firm is properly training its auditors 
in how to conduct audits of, and understand, PKI operations.

The US Federal PKI has created its own criteria that relies on a direct 
CP-to-CPS analysis. An FPKI affiliate may use any audit standard as long as it 
includes an addendum that a CP-to-CPS analysis was conducted along with annual 
core requirements. WebTrust has recognized this additional requirement as part 
of their Certification Compliance Matrix.

If anyone is interested, the FPKI Compliance Audit Requirements can be found here: 
https://www.idmanagement.gov/IDM/s/article_detail?link=fpki-audit-info
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy