Auditors Report
To Entrust Limited (Entrust):
We have examined the assertion by the management of Entrust that during the period March 1,
2009 through February 28, 2010, for its Entrust Extended Validation (EV) SSL Certification
Authorities services at Ottawa, Canada, Entrust has:
Disclosed its EV Certificate life cycle management practices and procedures,
including its commitment to provide EV Certificates in conformity with the
CA/Browser Forum Guidelines, and provided such services in accordance with its
disclosed practices.
Maintained effective controls to provide reasonable assurance that:
- EV Subscriber information was properly collected, authenticated (for the
registration activities performed by Entrust) and verified, and
- The integrity of keys and EV certificates it manages is established and
protected throughout their life cycles,
in accordance with the WebTrust for Certification Authorities - Extended Validation Audit
Criteria.
Entrust is responsible for its assertion. Our responsibility is to express an opinion based on our
audit.
Our audit was conducted in accordance with standards for assurance engagements established by
the Canadian Institute of Chartered Accountants (CICA) and, accordingly, included
(1) obtaining an understanding of Entrusts EV certificate life cycle management practices and
procedures, including its relevant controls over the issuance, renewal and revocation of EV
certificates,
(2) selectively testing transactions executed in accordance with disclosed EV certificate life cycle
management practices,
(3) testing and evaluating the operating effectiveness of the controls, and
(4) performing such other procedures as we considered necessary in the circumstances.
We believe that our audit provides a reasonable basis for our opinion.
In our opinion, Entrusts management assertion, as referred to above, is fairly stated, in all
material respects, in accordance with the WebTrust for Certification Authorities - Extended
Validation Audit Criteria.
The relative effectiveness and significance of specific controls at Entrust and their effect on
assessments of control risk for subscribers and relying parties are dependent on their interaction
with the controls, and other factors present at individual subscriber and relying party locations.
We have performed no procedures to evaluate the effectiveness of controls at individual
subscriber and relying party locations.
Because of inherent limitations in controls, error or fraud may occur and not be detected.
Furthermore, the projection of any conclusions, based on our findings, to future periods is subject
to the risk that the validity of such conclusions may be altered because of changes made to the
system or controls, or the failure to make needed changes to the system or controls, or a
deterioration in the degree of effectiveness of the controls.
This report does not include any representation as to the quality of Entrust's services beyond those
covered by the WebTrust for Certification Authorities Extended Validation Audit Criteria, nor the
suitability of any of Entrust's services for any customer's intended purpose.
Entrusts use of the WebTrust for EV Seal constitutes a symbolic representation of the contents
of this report and it is not intended, nor should it be construed, to update this report or
provide any additional assurance.
Deloitte & Touche LLP
Chartered Accountants
Toronto, Ontario
April 9, 2010
Assertion of Entrust as to
its Disclosure of its Business Practices and its Controls
over its EV SSL Certification Authority Operations
during the period from March 1, 2009 through February 28, 2010
Our Commitment to Security, Controls and Integrity:
Entrust Limited (Entrust) is committed to providing the highest level of security, controls and
integrity to support its certification authority branded Entrust EV Certification Services in
accordance with its disclosed practices described in the Entrust Certificate Services CPS for EV
SSL Certificates, Version 1.2, December 3, 2009.
In 2009, we subjected our certification authority business practices to the highest level of audit in
the form of the AICPA/CICA WebTrust for Certification Authorities, audited by Deloitte & Touche
LLP in accordance with the AICPA/CICA WebTrust Criteria.
Since we have already had that audit performed, in order to continue to issue recognized EV
Certificates, we are required to successfully complete an audit against the WebTrust for
Certification Authorities Extended Validation Program.
Our Assertion With Respect to WebTrust for Certification Authorities Extended
Validation Audit Criteria
Entrust is responsible for establishing and maintaining effective controls over its CA operations,
including its CA business practices disclosure and service integrity (including key and certificate
life cycle management controls) controls. These controls contain monitoring mechanisms, and
actions are taken to correct deficiencies identified.
There are inherent limitations in any controls, including the possibility of human error and the
circumvention or overriding of controls. Accordingly, even effective controls can provide only
reasonable assurance with respect to Entrusts Certification Authority operations. Furthermore,
because of changes in conditions, the effectiveness of controls may vary over time.
In Entrusts opinion, in providing its Entrust EV SSL Certification Authorities services at Ottawa,
Canada, during the period March 1, 2009 through February 28, 2010, Entrust has:
Disclosed its EV Certificate life cycle management practices and procedures,
including its commitment to provide EV Certificates in conformity with the
CA/Browser Forum Guidelines, and provided such services in accordance with its
disclosed practices,
Maintained effective controls to provide reasonable assurance that:
- EV Subscriber information was properly collected, authenticated (for the
registration activities performed by Entrust) and verified, and
- The integrity of keys and EV certificates it manages is established and
protected throughout their life cycles,
in accordance with the WebTrust for Certification Authorities Extended Validation Audit Criteria.
Our commitment to these principles and criteria is on-going. Every twelve months, Deloitte &
Touche LLP may verify our continuing compliance with the AICPA/CICA WebTrust for
Certification Authorities criteria and the WebTrust for Extended Validation Audit Criteria, subject
to re-engagement by Entrust.
Bruce Morton
CA Operations Manager
