
Clarification about WebTrust CA and WebTrust BR audit statements


Kathleen Wilson

February 2, 2015, 2:32:33 PM
To: mozilla-dev-s...@lists.mozilla.org
I have been asked the following question about why both the “Principles
and Criteria for Certification Authorities 2.0” and the “SSL Baseline
Requirements Audit Criteria” are required.

== Question ==
As far as we know the principles of both standards are identical, except
for technical network security specifications “SSL Requirements Baseline
Audit Criteria” as shown in the following matrix:

WT CA 2.0 CA Principles -- WT BR SSL 2.0 Principles

P1. CA Business Practices Disclosure -- P1. Baseline Requirements Business Practices Disclosure

P2. CA Environmental Controls -- P3. CA Environmental Security

P3. Service Integrity -- P2. Service Integrity

none -- P4. Network and Certificate Systems Security Requirements

We consider that it is enough to comply with “SSL Baseline Requirements
Audit Criteria” for the certifications under the scope. Would you be so
kind as to let us know the reason to ask for both standards? Based on our
understanding, this situation increases the costs of accreditation for
quality, security and reliability of WebTrust, ... in addition to causing
confusion.

Please, we would like to clarify this issue.
== END Question ==

My question: If the CA is only requesting the Websites trust bit
(non-EV), then is it sufficient for them to only get a WebTrust BR audit
statement?

Of course, if the CA is also requesting the email and code signing trust
bits, then they must have an audit statement that applies to email and
code signing certs (i.e. WebTrust BR audit statement alone is not
sufficient).

Kathleen




Kathleen Wilson

February 3, 2015, 12:50:41 PM
To: mozilla-dev-s...@lists.mozilla.org
From Don Sheehy: They are completely different in their application.
SSL Baseline only covers the CAB baseline requirements and does not cover
the more detailed requirements for WebTrust certification (and initial
acceptance). WebTrust for CA covers accepted practices for a CA -
additional SSL Baseline were brought in just to deal with specific
additional issues.

