Slashdot Mirror


User: x509v3

x509v3's activity in the archive.

Stories
0
Comments
1
First seen
Last seen

Comments · 1

  1. Re:Caveat: what does it cost to be "trusted?" on Free Certificate Authority Unveiled by Aussies · Score: 2, Informative

    As someone who HAS gone through both of these processes (WebTrust, Microsoft), let me shed some truth on some of the speculations here.

    1) Microsoft doesn't charge anything to be "trusted"; they've primarily let the AICPA manage that through their "WebTrust for Certification Authorities" program. (Microsoft will also allow the requestor to use another audit, but it's up to the CA to determine equivalency to WebTrust's audit.)

    Microsoft posts their requirements to get included in their Trusted Root List here: microsoft.com

    Once you get a WebTrust audit seal and can prove to Microsoft that your CA will issue certs to something OTHER than your enterprise, you should be fine.

    The WebTrust CA criteria were designed to help CAs follow a set of standardized evaluation criteria, much as an RFC tries to enforce that protocols are standard. The WebTrust criteria are available for free at the AICPA website. There are almost 400 criteria that a WebTrust auditor will use to evaluate your CA (not just the "host" but all your CA company's policies, practices, and processes).

    To the person who said that you could just "hire a bunch of lawyers" for $250,000 and pass, I say "I highly doubt that". The WebTrust audit requires their auditors to actually see and verify the CA complies with the requirements. A box of lawyers can't create CA issuance log files, show how you maintain your HSM, or prove that you keep your /etc/password file clean of employees who have left your company since the last audit.

    2) Once CAcert gets a WebTrust Seal, then they can fill out the application at Microsoft's site. If they're accepted, they get into the next quarterly Root List update issued by Microsoft (next update: this month).

    After they're "in the list", WinXP machines will automatically download the new root cert whenever IE/Outlook performs a certificate path validation operation and sees the CACert root. It's automagic. Older Windows OSes will need to get the new root list from the WindowsUpdate site.