7 Horizontal PKI assurance schemes
- Within this section:
- 7.2 WebTrust
- 7.3 tScheme
7.1.1 This section describes two emerging 'horizontal' schemes for assurance of PKI and trust service providers. As they develop, they are likely to be increasingly relevant to S.E.E. PKI, because of the cross-recognition implications.
7.2 WebTrust
7.2.1 Developed jointly by the American Institute of Certified Public Accountants (AICPA) and the Canadian Institute of Chartered Accountants (CICA), the WebTrust programme establishes standards for the issuance of digital certificates to engender confidence on the part of users.
7.2.2 Through an independent assessment conducted by a specially trained auditor, WebTrust confirms:
- the integrity of the CA root certificates generated by applicants
- that applicants have established the appropriate key and certificate life cycle management controls prior to becoming active, and
- that these controls are maintained and monitored on an on-going basis.
7.2.3 There are over 20 sites approved by WebTrust so far, including Verisign, Entrust.net and Digital Signature Trust. The WebTrust programme has been adopted by accountancy institutions in more than 15 countries including Argentina, Australia, Austria, Canada, Denmark, England and Wales, France, Germany, Hong Kong, Ireland, Italy, Netherlands, Spain and the US.
7.2.4 The most significant endorsements of WebTrust to date come from Identrus, which requires WebTrust (or SAS 70) compliance of its members' CAs, and from Microsoft, which announced in May 2001 that it requires a WebTrust audit of CAs wishing to distribute their root certificate through Microsoft software.
7.2.5 It is unclear whether there is any move towards adoption of WebTrust in NZ (this could be facilitated by the Institute of Chartered Accountants of New Zealand, ICANZ). Multinational audit firms with WebTrust accredited staff will be able to offer WebTrust services in New Zealand. With widespread take-up of this programme in comparable countries, it can be expected to have an effect eventually in this country, and therefore it is advisable to keep an eye on developments.
7.3 tScheme
7.3.1 The UK's embryonic tScheme was born out of the European Electronic Signature Standardisation Initiative (EESSI), which anticipated co-regulatory models for ensuring dependable operation of PKI service providers. tScheme is an industry-led certification initiative set up in 1999 to approve "trust service providers". It was established as an independent not-for-profit company, limited by guarantee (tScheme Ltd), with a fully elected board confirmed in May of this year. It will seek membership through subscription from trust service providers, technology suppliers, users, governments, trade associations, certification bodies and so on. tScheme says it will cooperate with equivalent organisations across Europe and elsewhere with a view to extending mutual recognition.
7.3.2 tScheme develops, authorises and publishes sets of criteria called Approval Profiles, against which trust service providers will be assessed. To obtain the tScheme approval mark, trust service providers must apply to a UK Accreditation System (UKAS) accredited auditor for an independent assessment. Organisations satisfactorily meeting the Approval Profiles will then be bound by contractual terms to ensure that good practice continues. The mark has to be renewed and can also be revoked.
7.3.3 As yet there are no tScheme-approved Trust Services. Pilot testing of the initial tScheme profiles has been completed and the results are currently in evaluation.
7.3.4 As it is in the early stages of development, this scheme would not appear to have much direct relevance to NZ at this time. A 'watching brief' would appear to be appropriate.