The Baseline Requirements issued by the CA/Browser Forum for Certificate Authorities (CAs) state that CAs ‘must annually develop and update their Certificate Policy’.
It is also important for the CA to state how its Certificate Policy (or Certification Practice Statement) implements the requirements of the latest version of the Baseline Requirements. Decisions regarding identity should be taken with the utmost care and should not be driven by the convenience of the business or the infrastructure.
A general problem faced by a number of CAs is that the security policies they develop lack detail and have a vague quality to them. One of the very ...
4.3 Regulatory Compliance
Regulatory compliance sets out the standards that a particular business needs to follow. It comprises guidelines, legal obligations, requirements and specifications. If a business does not adhere to regulatory compliance, it may face repercussions such as poor customer support or fines imposed by the government. PCI DSS (Payment Card Industry Data Security Standard) is an example of a regulatory compliance regulation.
Over time, a number of industry regulations have been formulated in order to keep the standards of Certification Authorities in check. A few of these are:
One of the first sets of regulations implemented for CAs was WebTrust for CAs, in the year 2000. Under this, a security audit was made a prerequisite for maintaining the standards. The WebTrust standard was dominant in North America, whereas a similar standard from the European Telecommunications Standards Institute (ETSI) is accepted elsewhere for CA audits. For government CAs, annual or periodic performance audits are recommended as well. A few of the key areas of the audits are:
• Disclosure of business processes
• Management of business processes and life cycle management
• Control and security of workplace environment
• Subscriber, subordinate and certificate life cycle management
Conformity and compliance with the standards stated in WebTrust or ETSI are enforced by the browsers and applications (such as those from Google and Microsoft) that make use of the trusted CAs’ roots. Without a qualifying audit report, trust in a CA’s root can be revoked.
The CA/Browser Forum was started in 2005, comprising the CAs and the major browsers, with the aim of developing and raising the bar set by the initial standards for CAs. The work of this forum is carried on through general meetings and teleconferences held multiple times a year. It also provides a good opportunity for third parties and auditing bodies to participate in the working groups on the subject matter. In 2007 the forum also published a special set of guidelines for Extended Validation. These are aimed at the CAs that issue Extended Validation (EV) certificates. EV offers a higher level of trust, provides a special user interface and helps to display additional information about the website.
More recently, in 2012, the higher standards offered by the EV guidelines were extended to SSL server certificates. Following the security breaches carried out against some of the biggest firms, including the DigiNotar breach, the CAs aimed to develop a higher security standard and infrastructure. This has also become applicable to the authorities that are capable of issuing a certificate by means of a publicly trusted root. Further, this led to the development of the “Network and Certificate System Security Requirements” in January 2013. This is one of the means in recent times to tackle the increasing...