INDUSTRY EXPERTS COLLABORATE WITH CPAs TO IMPROVE TRUST ON
ENHANCED INTERNET SECURITY STANDARDS TO BE DEVELOPED BY ISSUERS
AND USERS OF DIGITAL CERTIFICATES
NEW YORK, JULY 22, 2002 - The
American Institute of Certified Public Accountants (AICPA), the Canadian Institute
of Chartered Accountants (CICA) and the PKI Forum recently sponsored a summit
meeting to discuss ways of improving trust on the Internet. The Internet's leading
digital certification authorities (CAs), Web browser providers, digital certificate
users, industry trade associations, regulators and CPA firms met to collaborate
on enhancing the standards required for identifying, authenticating and authorizing
subscriber requests for digital certificates to be used over the Internet.
"Security is the cornerstone of a trustworthy
foundation for the Internet, and public key technology is one of the most important
components of reliable Internet security," said Ryan Hurst, Program Manager,
Microsoft, Inc. "Among prevailing Internet security protocols, public key
technology is capable of providing the levels of encryption, authentication, identification
and security to help maintain effective trust in electronic commerce. This summit
is another step towards building a common framework for PKI security on which
all providers can agree and all users can rely with confidence."
The participants agreed that several major
issues affecting the acceptance, use and comparability of digital certificates
must be resolved, including levels of assurance assigned to certificates; required
identification, authentication and authorization procedures; consistent application
of standards across the CA industry; and accreditation of root and subordinate
CAs under the WebTrust for Certification Authorities Program. Solutions
discussed at the summit included a multi-level classification system for digital
certificates, each with increasing levels of reliability and associated registration
"The WebTrust for Certification Authorities
Program is becoming recognized as the de facto standard governing CA best
practices for issuing digital certificates," said Ben Golub, Senior Vice
President of Trust and Payments Services for VeriSign, Inc. "We believe authentication
and identification practices are inextricably linked to technology infrastructure
controls and establish the trustworthiness of public key-based systems. By providing
assurance around information and independently examining systems against a set
of measurable criteria and control frameworks, the accounting profession can contribute
greatly to ensure that digital certificate users have a sound framework on which
to base their trust in the technology."
"With PKI deployment taking place around
the globe, it is wonderful to see so many diverse organizations working together
to address certificate usage standards," said Lisa Pretty, President, PKI
Forum. "PKI technology standards are well advanced and the time is right
to enhance usage standards to give end users a higher level of confidence when
using certificates across the Internet."
The evolving digital certificate landscape
is undergoing change:
In order to address some of these issues on
a going-forward basis, the AICPA/CICA, with the support of the PKI Forum, is establishing
an industry resource panel for summit participants to provide input to the accounting
profession on incorporating new and improved security and PKI standards into the
WebTrust for Certification Authorities Program and developing viable solutions
to accommodate the changes.
"The industry resource panel is being
formed to enhance these standards, particularly in the areas of authentication
and identification of certificate issuers, so that users can trust those with
whom they do business over the Internet," said Anthony Pugliese, Vice President,
Member Innovation, AICPA.
"The need to address these issues in a
forum like this is essential to broader acceptance of public key technology in
the marketplace," said Cairine Wilson, Vice President, Innovation, CICA.
"Never before have these various stakeholders been brought together in one
forum to resolve such fundamental Internet security issues."
Summit participants represented the following
organizations: American Bankers Association, American Bar Association, American
Institute of Certified Public Accountants (AICPA), American National Standards
Institute (ANSI), AOL Netscape, Baltimore Technologies, Bank Information Technology
Secretariat (BITS), BankOne, Canadian Institute of Chartered Accountants (CICA),
Canadian Payments Association, Deloitte & Touche LLP, Entrust, Ernst &
Young LLP, Federal Deposit Insurance Corporation (FDIC), Federal PKI Steering
Committee, GeoTrust, Inovant, KPMG LLP, Microsoft, National Institute of Standards
and Technology (NIST), Office of the Comptroller of the Currency (OCC), PKI Forum,
PricewaterhouseCoopers LLP, RSA Security, Treasury Board of Canada, VeriSign and
# # #
About the AICPA
The American Institute of Certified Public Accountants (AICPA)
is the ISO 9001 certified national professional organization of CPAs in the United
States with more than 340,000 members in public practice, business and industry,
government and education. For more information about the AICPA, please visit www.aicpa.org.
For more information about WebTrust for Certification Authorities, please visit
About the CICA
The Canadian Institute of Chartered Accountants (CICA) together
with the provincial and territorial institutes of chartered accountants represents
a membership of approximately 68,000 CAs and 8,000 students in Canada and Bermuda.
The CICA conducts research into current business issues and sets accounting and
assurance standards for business, not-for-profit organizations and government.
It issues guidance on control and governance, publishes professional literature,
develops continuing education programs and represents the CA profession nationally
About the PKI Forum, Inc.
The PKI Forum is an international, not-for-profit alliance comprised
of technology and service providers, integrators and end-users whose purpose is
to accelerate the adoption and use of PKI applications, digital certificates and
other real world solutions, as well as to facilitate interoperability through
multi-vendor testing of industry standards and educational outreach. The PKI Forum
serves as a global information resource for PKI and advocates cooperation and
market awareness enabling organizations to understand and exploit the value of
PKI in applications relevant to their businesses. For more information about the
PKI Forum, see the PKI Forum Web site at www.oasis-pki.org.