Audit Criteria on Risks, Liabilities and Obligations
The following snapshots are not authoritative and are to some extent interpolated. There may be errors. Refer to the sources for the authoritative information.
DRC
The following is a summary of the DRC criteria that refer to R/L/O.
- A.1.h: The configuration-control specification controls the revision process for the declarations of risks and liability (see A.6).
- A.3.e: The CPS details the obligations of subscribers regarding the management of their certificates.
- A.3.j: The CPS describes which aspects of the CA's operations involve protected intellectual property and what protections and licenses are involved. The property status of the following shall be addressed:
  - ....
  - declarations of risks and liability
  - ....
- A.4.d: The privacy policy describes how an individual may obtain access to a subscriber's written acceptance of liability (see A.6.d).
- A.6.a: The CA maintains documentation of the risks to end-users created by their reliance upon subscriber certificates issued by the CA.
- A.6.b: The CA maintains documentation of the liability it assumes when issuing subscriber certificates.
- A.6.c: The CA maintains documentation of the liability assumed by subscribers when they use certificates issued by the CA.
- A.6.d: The CA obtains written acceptance from subscribers of the liability (cited in A.6.c) they assume.
- B.2.c: The statement of risks (cited in A.6.a) is available to subscribers and the general public.
- B.2.d: The statement of the CA's liability (cited in A.6.b) is available to subscribers and the general public.
- B.2.e: The statement of the subscribers' liability (cited in A.6.c) is available to subscribers and the general public.
- B.2.f: The statement of each subscriber's acceptance of liability (cited in A.6.d) is available to those who present appropriate cause to request it.
WebTrust
By way of comparison, here are some extracts from the WebTrust criteria. The original is on the WebTrust site and is authoritative.
- 4. Any applicable provisions regarding apportionment of liability
- 5. Financial responsibility, including:
  - Indemnification by relying parties
  - Fiduciary relationships
- 14. Subscriber obligations, including:
  - Accuracy of representations in certificate application
  - Protection of the subscriber's private key
  - Restrictions on private key and certificate use
  - Notification upon private key compromise
- 15. Relying party obligations, including:
  - Purposes for which certificate is used
  - Digital signature verification responsibilities
  - Revocation and suspension checking responsibilities
  - Acknowledgment of applicable liability caps and warranties
The Extended Validation add-on to WebTrust
A recent upgrade or add-on to WebTrust is the Extended Validation ("EV") programme. This programme also includes some new criteria on R/L/O, listed below.
- EV4. The CA maintains controls and procedures to provide reasonable assurance that Subscriber Agreements
  - are signed by an authorized Contract Signer,
  - name the applicant and the individual Contract Signer, and
  - contain provisions imposing obligations and warranties on the Applicant relating to
    - the accuracy of the information
    - protection of Private Key
    - acceptance of EV Certificate
    - use of EV Certificate
    - reporting and revocation upon compromise
    - termination of use of EV Certificate
  (See EV Certificate Guidelines Section 12)
- EV10.2. The CA maintains controls to provide reasonable assurance that RAs, subcontractors, and Enterprise RAs are contractually obligated to comply with the applicable requirements in the EV Certificate Guidelines and to perform them as required of the CA itself.
  (See EV Certificate Guidelines Section 12)
- EV18. The Certificate Authority maintains controls to provide reasonable assurance that EV Certificates are revoked on the occurrence of any of the following events:
  - ...
  - The CA receives notice or otherwise that a Subscriber violates any of its material obligations under the Subscriber Agreement;
  - ...
  (See EV Certificate Guidelines Section 27 (b) and Section 23)
The EV criteria above should be read as additional to the WebTrust criteria, not as a replacement for them.