PKI Policy, Practices and Audit

Motivation for study

  • Current Public Key Infrastructure (PKI) Standards do not adequately consider Levels of Assurance (“one size fits none”);
  • There are PKI “Oligopolies of Trust” that limit cooperation between governing bodies, thereby impeding global interoperability;
  • While there are many domain-specific PKI Authorities in place, there is need for more consistent security and auditing standards, policies and procedures that drive these entities;
  • ISO 21188:2006 “Public key infrastructure for financial services – Practices and policy framework”, apart from its domain-specific focus, no longer represents current best practices;
  • Security breaches in the Certification Authority (CA)/Browser space have occurred, causing government agencies to recommend tighter network standards;
  • There is wide variation among PKI governance bodies on the nature, purpose, timing and methodologies of a PKI Audit;
  • Overarching PKI guidance is required to create greater consistency in governance practices and greater interoperability between domain-specific authorities.

The following represents a starter set of questions/topics that are proposed to be addressed by the Study Period.

PKI Standards Governance

  • Do we need an ISO Certification Schema to help drive domain-specific needs?
  • How would one define a LoA for a PKI?
  • What standards unite disparate certificate types such as identity and SSL cert PKI systems?
  • How can ISO emerge as a global leader in this space?
  • How will PKI be affected by greater global focus and investment in cyber security?

PKI Audit

  • What constitutes an auditable requirement/practice statement?
  • Should all audits be consistent? Are there different types of PKI that need different kinds of audit? Can they be characterized down to a few types?
  • How does one change auditing culture (i.e., auditor as advocate for improvement vs. auditor as policeman)? Is it wise in all cases?
  • What should be done about audit findings and by whom?
  • How can ISO establish itself as a widely recognized global reference source for PKI audit?
  • What should be the experience and qualifications for a Lead Auditor and Staff Auditor in PKI?

See experience from:

  1. TC68/SC2
  2. ITU-T Q11/17 – Erik Anderson
  3. ETSI Standards and EU Standardisation of Trust Service Providers – Nick Pope (ETSI)
  4. JTC 1/SC6
  5. JTC 1/SC27
  6. ISACA (E-commerce and Public Key Infrastructure (PKI) Audit/Assurance Programme)


  • US Study Period Presentation based on the proposal SC27N12297
  • ITU-T Q11/17 Presentation: Planned PKI activities for ITU-T Study Period 2013–2016
  • ETSI Standards and EU Activities
  • Special Report SR 001 604: Rationalised Framework for Electronic Signature

  • EN 319 401: General Policy Requirements for Trust Service Providers supporting Electronic Signatures
  • EN 319 411-2: Policy and security requirements for Trust Service Providers issuing certificates; Part 2: Policy requirements for certification authorities issuing qualified certificates
  • EN 319 411-3: Part 3: Policy Requirements for Certification Authorities issuing public key certificates
  • Guidance for Auditors and CSPs on ETSI TS 102 042 for Issuing Publicly Trusted TLS/SSL Certificates

  • Trust Service Provider Conformity Assessment: General requirements and guidance
  • JTC 1/SC6 (ASN.1/OID/Directories)
  • ISACA – E-commerce and Public Key Infrastructure (PKI) Audit/Assurance Programme

Make comments to this article in order to receive more info

