CBRS PKI Root of Trust Operator FAQ

Q - Document CBRS PKI Root of Trust Operator Requirements states “… provide a statement from an independent WebTrust licensed practitioner qualified to perform WebTrust CA audits of its satisfaction of the requirements …”. If the WebTrust audit for the CBRS Root CA will not be completed by the Submission Deadline (6 July 2017), would it be possible to provide the final auditor’s statement later, once the Root CA has been established?
A - Yes. The supporting information/evidence needs to be provided along with the proposal including a letter saying the webtrust audit is in progress and the expected date that it will be completed.

Q: If WebTrust audit has not completed by the deadline for the proposal to be submitted will I be disqualified?
A: No. So long as the proposal is submitted by the deadline, the organization will be considered as having applied. However, final approval will be delayed until the audit report has been received and reviewed.  

Q: Is the notification of proposal acceptance still July 13 or will this also be moved out?

A: Our anticipation is that we can still send acceptances out on July 13.

Q: Regarding item #2, specifically, “proposals will not be considered until the webtrust audit is done”, does this imply that WebTrust audits must be completed by July 13 or at some later date?
A: No, the steering group has indicated that so long as the proposal is submitted by the defined date, the web trust audit results can be provided later. However, the proposal will not be considered until the WebTrust audit is complete, so you may not get an acceptance on 13 July without it.

Q: What is required from the WebTrust Auditor during the proposal?
A: The requirement is stated as follows:

  1. CAs shall contact the auditor directly, and shall enter into such agreement and pay such price as the auditor shall determine.
  2. The auditor shall submit an audit report to WInnForum using an approved form provided by WInnForum for that purpose.
  3. A completed report shall state that the applicant CA had met the accreditation criteria, and shall include substantiating data.

To meet this requirement during the proposal phase, the candidate Root of Trust operator must provide a letter from their WebTrust Auditor  indicating that “this Certificate Authority is, in their assessment, capable of complying with the requirements stated in the Policy based on a review of similar programs.

Have a question? Submit it today.