on PKI services such as digital certificates from ACAs are more likely to benefit from services that are
constantly monitored and updated for modern-day threats and advancements in PKI technologies.
In addition, the subcommittee developed an ACA Certification process that CAs wishing to issue WEQ-
012-compliant digital certificates must follow. This process enhances accountability and enforcement of
ACAs through stronger auditing requirements.
Revisiting minimum key sizes and signing algorithms:
PKI is based on the use of mathematically related public and private keys that encrypt and decrypt
secure messages, which are often delivered over unsecured networks. A lengthy discussion of PKI is not
required; the reader simply needs to understand the basics – the larger the key size, the more difficult it
is to hack into a secure session. However, as with most security solutions, there are trade-offs between
system performance and security. Since the initial release of WEQ-012, there have been significant
developments in how applications process the encryption and decryption of messages secured with PKI
keys. As supercomputing capabilities advance, hackers can compromise keys that only a few years ago
were deemed unbreakable. In the revised standard, the PKI subcommittee addressed the need for
larger key sizes and stronger hash algorithms used to generate digital signatures, providing minimum
guidelines that align with National Institute of Standards and Technology (NIST) recommendations.
Assurance levels:
As with most security implementations, the level of security applied to a given application should sync
up with the risk associated with a breach. The PKI subcommittee followed the lead of the Federal
Bridge CA in terms of introducing assurance levels for areas such as identity verification, private key
protection, revocation checking frequencies and physical security of PKI systems. These assurance levels
enable applications relying on the standard to select the right level of security for their associated risks.
Striking the appropriate balance between cost, ease of use, business disruption and security is best
addressed through a multi-tiered assurance methodology rather than the one-size-fits-all assurance
level in the initial version of the standard.
Stronger auditing requirements:
As mentioned above, the development of a NAESB ACA Process introduced a method to better enforce
compliance with the ACA Accreditation Specification. Initial and annual recertification requires the ACA
to provide an independent audit, including a letter from a qualified auditor confirming that the ACA is
compliant with applicable assurance levels and versions of the specification that it claims to operate
against. One such method is to employ the AICPA Trust Services Principles, Criteria and Illustrations to
maintain evidence of WebTrust engagements.
Support for other subcommittees relying on WEQ-012:
WEQ-012 is a stand-alone standard that can be incorporated by reference into standards developed for
business-specific applications. The PKI subcommittee supported two subcommittees - for eTagging and
EIR web registry transactions - that were incorporated under WEQ-012. Specifically, both applications
22 Cyber Warnings E-Magazine – August 2013 Edition
Copyright © Cyber Defense Magazine, All rights reserved worldwide