
Certificate Authorities and the importance of WebTrust

Mar 11, 2021, 09:51 AM by Riaan De Villiers
In today's post we discuss the importance of the WebTrust standard for trusted Certificate Authorities that can issue public trust digital certificates.


Figure: Creating trust in online commerce (photo by Pixabay from Pexels).

Managing identities and authentication is an important priority in the financial industry.

Using a stringent identification process can maintain or improve your reputation, help you avoid fines, and prevent fraud and money laundering.

Public Key Infrastructure (PKI) is the framework of encryption and cybersecurity that identifies people and protects communications between the server (your website) and the client (the users).

PKI can be leveraged by banks to create trusted digital identities for their users and customers. To give a digital identity to a person, a Certificate Authority (CA) will issue a digital certificate to the person. The cryptography provided by the digital certificate is critical to secure communications and transactions.

CAs play an important role in PKI, and there is a requirement for a standard that addresses the needs and concerns of PKI users and service providers.

The WebTrust standard is a set of principles designed to follow international information security best practices. By implementing WebTrust, users of the CA’s services can rest assured that their transactions are protected by stringent rules, procedures and policies.

WebTrust

WebTrust was developed by the Canadian Institute of Chartered Accountants (CICA) and the American Institute of Certified Public Accountants (AICPA). The goal of the standard is to promote confidence and trust between consumers and businesses on the Internet.

To create trust, a series of principles and criteria was designed to guide CAs in developing secure processes and policies.

These principles are:

  • Security: The system must be protected against unauthorised access, both logically and physically.
  • Availability: The system is available to users for operation.
  • Processing Integrity: All processing is complete, accurate, timely and authorised.
  • Online privacy: Personal information is collected, used, disclosed and retained as stipulated in the company policy.
  • Confidentiality: Information that has been designated as confidential is protected as stipulated in the company policy.

To provide assurance that CAs have implemented all the required controls to meet WebTrust’s requirements, the CA must be audited annually by an accredited auditor. The result of the audit must be public.

To be transparent to the public, the CA is required to disclose its Certification Practice Statement and Certificate Policy. These documents set out the procedures the Certificate Authority follows to govern the lifecycle of the digital certificates it issues to users, and to do so securely.

The CA further has the responsibility to maintain controls that provide reasonable assurance of service integrity and to ensure that adequate controls are in place to protect its environment.

Use Cases

Accountability and non-repudiation

For financial institutions and other organisations that transact digitally, accountability is an important component of transacting. By embedding a digital certificate coupled with strong authentication in a transaction, the data is protected against tampering and it provides accountability.

Accountability, also known as non-repudiation, makes it very hard for a user to deny, after the fact, that they committed the transaction.
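As an added illustration (not code from the original post), the tamper protection and accountability described above, written in Go with only the standard library: a private key signs the transaction, the matching certificate binds that key to an identity, and any edit to the signed data makes verification fail. The self-signed certificate, the subject "Alice" and the JSON payload are constructed stand-ins for a CA-issued certificate and a real transaction.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// IssueCert builds a self-signed signing certificate for subject: a constructed
// stand-in for the certificate a WebTrust-audited CA would issue after vetting them.
func IssueCert(key *ecdsa.PrivateKey, subject string) (*x509.Certificate, error) {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: subject},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		// contentCommitment is the X.509 key-usage bit formerly named nonRepudiation.
		KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageContentCommitment,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// Verify accepts payload only if cert asserts contentCommitment and sig is a valid
// ECDSA/SHA-256 signature under cert's public key; any edit to payload fails it.
func Verify(cert *x509.Certificate, payload, sig []byte) bool {
	return cert.KeyUsage&x509.KeyUsageContentCommitment != 0 &&
		cert.CheckSignature(x509.ECDSAWithSHA256, payload, sig) == nil
}

// Demo signs a constructed transaction and reports whether the original and a tampered copy verify.
func Demo() (original, tampered bool) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	cert, _ := IssueCert(key, "Alice")
	payload := []byte(`{"from":"Alice","to":"Bob","amount":100}`)
	digest := sha256.Sum256(payload)
	sig, _ := ecdsa.SignASN1(rand.Reader, key, digest[:]) // signed with Alice's private key
	return Verify(cert, payload, sig), Verify(cert, []byte(`{"from":"Alice","to":"Bob","amount":9100}`), sig)
}

func main() { fmt.Println(Demo()) } // prints: true false
```

Because only Alice's private key could have produced a signature that verifies under her certificate, a valid result is evidence she committed the transaction, and a changed amount is detected immediately.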

Advanced electronic signatures

In South Africa, if a CA carries WebTrust accreditation and has been accredited by the South African Accreditation Authority as a Cryptography Service Provider, the CA will be in a position to issue Advanced electronic signatures.

Figure: Electronic signatures and their subsets.

In South Africa, Advanced electronic signatures are deemed to be very reliable and carry prima facie validity. In court, the burden of proof moves from the defendant to the plaintiff, meaning that the plaintiff will have to prove that the signature on the document is not valid.

In South Africa, the following documents must be signed with an Advanced electronic signature:

  • Notarisation of documents required by law.
  • Where there is a legal requirement for the document, signature or statement to be notarised, acknowledged, verified or made under oath.
  • Suretyships.
  • Exclusive Licensing agreements.
  • Credit agreements governed by the National Credit Act where signing does not take place in person.
  • Any document where a signature is required by law and the law does not specify the type of signature required.
  • Certification of documents as true copies.

For a CA to become WebTrust accredited takes a lot of expertise, hard work and passion. By dealing with a WebTrust accredited Certificate Authority, users can be assured that they are protected by a dedicated team that follows international information security best practices.

To find out more about WebTrust and how it can help your organisation, contact LAWtrust today.