Author: Godwin Moody
KPMG IT Auditors P.O. Box 43004 3540 AA Utrecht The Netherlands

Rijnzathe 14 3454 PV De Meern The Netherlands Telephone +31 (0)30 658 2150 Fax +31 (0)30 658 2199

Independent Accountants’ Report Utrecht, 22 December 2009

To the Management of Buypass AS:

We have examined the assertion by the management of Buypass AS (hereafter: Buypass) that in providing its Certification Authority (CA) services at Oslo and Gjøvik, Norway during the period from 1 December 2008 through 30 November 2009 Buypass has:

• Disclosed its key and certificate life cycle management, business and information privacy practices in its:
  - Certificate Practice Statement for Class 2 SSL Certificates, version v1.1, 6 November 2009;
  - Certificate Practice Statement for Class 3 (EV) SSL Certificates, version v1.11, 27 October 2009;
  - Certificate Practice Statement for Class 3 Enterprise Certificates, version 1.2, 18 June 2009.

• Provided such services in accordance with its disclosed practices;

• Maintained effective controls to provide reasonable assurance that:
  - Subscriber information was properly authenticated for the registration activities performed by Buypass; and
  - The integrity of keys and certificates it managed was established and protected throughout their life cycles.

• Maintained effective controls to provide reasonable assurance that:
  - Subscriber and relying party information was restricted to authorized individuals and protected from uses not specified in the CA’s business practices disclosure;
  - The continuity of key and certificate life cycle management operations was maintained; and

2010.KEN.0001a

KPMG Advisory N.V., registered with the trade register in the Netherlands under number 33263682 and a member firm of the KPMG network of independent member firms affiliated with KPMG International, a Swiss cooperative.


  - CA systems development, maintenance and operations were properly authorized and performed to maintain CA systems integrity,

based on the AICPA/CICA WebTrust for Certification Authorities Criteria.

The management of Buypass is responsible for its assertion. Our responsibility is to express an opinion on management’s assertion based on our examination. Our examination was conducted in accordance with International Assurance Engagement Standards and, accordingly, included:

• Obtaining an understanding of Buypass’ key and certificate life cycle management, business and information privacy practices and its controls over key and certificate integrity, over the authenticity and privacy of subscriber and relying party information, over the continuity of key and certificate life cycle management operations, and over development, maintenance and operation of CA systems;

• Selectively testing transactions executed in accordance with disclosed key and certificate life cycle management, business and information privacy practices;

• Testing and evaluating the operating effectiveness of the controls; and

• Performing such other procedures as we considered necessary in the circumstances.

We believe that our examination provides a reasonable basis for our opinion. In our opinion, for the period 1 December 2008 through 30 November 2009, Buypass management’s assertion, as set forth above, is fairly stated, in all material respects, based on the AICPA/CICA WebTrust for Certification Authorities Criteria.

Because of inherent limitations in controls, errors or fraud may occur and not be detected. Furthermore, the projection of any conclusions, based on our findings, to future periods is subject to the risk that (1) changes made to the system or controls, (2) changes in processing requirements, (3) changes required because of the passage of time, or (4) the degree of compliance with the policies or procedures may alter the validity of such conclusions.

The WebTrust seal of assurance for Certification Authorities on Buypass’ website constitutes a symbolic representation of the contents of this report and it is not intended, nor should it be construed, to update this report or provide any additional assurance.

The relative effectiveness and significance of specific controls at Buypass and their effect on assessments of control risk for subscribers and relying parties are dependent on their interaction with the controls and other factors present at individual subscriber and relying party locations. We have performed no procedures to evaluate the effectiveness of controls at individual subscriber and relying party locations.


This report does not include any representation as to the services of Buypass beyond those covered by the WebTrust for Certification Authorities Criteria, nor the suitability of any services of Buypass for any customer's intended purpose.

On behalf of KPMG Advisory N.V.
Utrecht, 22 December 2009

J.C. Boer RE RA, Partner
drs. ing. R.F. Koorn RE CISA, Partner

Buypass: securing transactions

Assertion of Management as to its Disclosure of its Business Practices and its Controls Over its Certification Authority Operations during the period from December 1, 2008 through November 30, 2009

December 22, 2009

Buypass AS (hereafter: Buypass) operates as a Certification Authority (CA) issuing the following certificates:
• Buypass Class 2 SSL Certificates (SSL Domain)
• Buypass Class 3 SSL Certificates (SSL Business)
• Buypass Class 3 Enterprise Certificates (Virksomhetssertifikater)

The following CA services are provided through the Buypass Class 2 CA and the Buypass Class 3 CA:
• Subscriber key management services (only Class 3 Enterprise Certificates)
• Subscriber registration
• Certificate issuance
• Certificate distribution
• Certificate suspension
• Certificate revocation
• Certificate renewal
• Certificate status information processing

The management of Buypass is responsible for establishing and maintaining effective controls over its CA operations, including:
• CA Business Practices Disclosure in the following Certification Practice Statements:
  o Certificate Practice Statement for Class 2 SSL Certificates, version v1.1, November 6, 2009,
  o Certificate Practice Statement for Class 3 (EV) SSL Certificates, version v1.11, October 27, 2009,
  o Certificate Practice Statement for Class 3 Enterprise Certificates, version 1.2, June 18, 2009,
• Service integrity, including key and certificate life cycle management controls, and
• CA environmental controls.

These controls contain monitoring mechanisms, and actions are taken to correct deficiencies identified.

There are inherent limitations in any controls, including the possibility of human error and the circumvention or overriding of controls. Accordingly, even effective controls can provide only reasonable assurance with respect to Buypass' CA operations. Furthermore, because of changes in conditions, the effectiveness of controls may vary over time.

Buypass AS, Nydalsveien 30A, PO Box 4364 Nydalen, N-0402 Oslo, Norway
Tel.: +47 23 14 59 00, Fax: +47 23 14 59 01, E-mail: [email protected], VAT: NO 983 163 327, www.buypass.no

The management of Buypass has assessed the controls over its CA operations. Based on that assessment, in Management's opinion, in providing CA services, during the period from December 1, 2008 through November 30, 2009, Buypass has:

• Disclosed its key and certificate life cycle management, business and information privacy practices and provided such services in accordance with its disclosed practices

• Maintained effective controls to provide reasonable assurance that:
  o Subscriber information was properly authenticated for the registration activities performed by Buypass; and,
  o The integrity of keys and certificates it managed was established and protected throughout their life cycles.

• Maintained effective controls to provide reasonable assurance that:
  o Subscriber and relying party information was restricted to authorized individuals and protected from uses not specified in the CA's business practices disclosure;
  o The continuity of key and certificate life cycle management operations was maintained; and,
  o CA systems development, maintenance and operations were properly authorized and performed to maintain CA systems integrity.

based on the AICPA/CICA WebTrust for Certification Authorities Criteria (version 1.0, August 25, 2000) including the following:

CA Business Practices Disclosure

Service Integrity

Key Life Cycle Management Controls
• CA Key Generation
• CA Key Storage, Backup, and Recovery
• CA Public Key Distribution
• CA Key Usage
• CA Key Destruction
• CA Key Archival
• CA Cryptographic Hardware Life Cycle Management

Certificate Life Cycle Management Controls
• Subscriber Registration
• Certificate Issuance
• Certificate Distribution
• Certificate Suspension
• Certificate Revocation
• Certificate Renewal
• Certificate Status Information Processing


CA Environmental Controls
• Certification Practice Statement and Certificate Policy Management
• Security Management
• Asset Classification and Management
• Personnel Security
• Physical and Environmental Security
• Operations Management
• System Access Management
• Systems Development and Maintenance
• Business Continuity Management
• Monitoring and Compliance
• Event Journaling

Gunnar Lindstøl, Administrerende direktør / CEO


Independent Accountants’ Report Utrecht, 22 December 2009

To the Management of Buypass AS:

We have examined management’s assertion that Buypass AS (hereafter: Buypass), during the period 1 December 2008 through 30 November 2009, for its Extended Validation Certification Authority (EV-CA) operations at Oslo and Gjøvik, Norway, has:

• Disclosed its EV Certificate life cycle management practices and procedures, including its commitment to provide EV Certificates in conformity with the CA/Browser Forum Guidelines, and provided such services in accordance with its disclosed practices.

• Maintained effective controls to provide reasonable assurance that:
  - EV Subscriber information was properly collected, authenticated (for the registration activities performed by Buypass) and verified; and
  - The integrity of keys and EV certificates it manages is established and protected throughout their life cycles;

in accordance with the AICPA/CICA WebTrust for Certification Authorities - Extended Validation Audit Criteria (version 1.1).

The management of Buypass is responsible for its assertion. Our responsibility is to express an opinion on management’s assertion based on our examination. Our examination was conducted in accordance with International Assurance Engagement Standards and, accordingly, included:

• Obtaining an understanding of Buypass’ EV certificate life cycle management practices and procedures, including its relevant controls over the issuance, renewal and revocation of EV certificates;

• Selectively testing transactions executed in accordance with disclosed EV certificate life cycle management practices;

• Testing and evaluating the operating effectiveness of the controls; and

• Performing such other procedures as we considered necessary in the circumstances.

2010.KEN.0001b


We believe that our examination provides a reasonable basis for our opinion. In our opinion, Buypass’ management’s assertion, as referred to above, is fairly stated, in all material respects, in accordance with the AICPA/CICA WebTrust for Certification Authorities Extended Validation Audit Criteria.

The relative effectiveness and significance of specific controls at Buypass and their effect on assessments of control risk for subscribers and relying parties are dependent on their interaction with the controls, and other factors present at individual subscriber and relying party locations. We have performed no procedures to evaluate the effectiveness of controls at individual subscriber and relying party locations.

Because of inherent limitations in controls, error or fraud may occur and not be detected. Furthermore, the projection of any conclusions, based on our findings, to future periods is subject to the risk that the validity of such conclusions may be altered because of changes made to the system or controls, or the failure to make needed changes to the system or controls, or a deterioration in the degree of effectiveness of the controls.

This report does not include any representation as to the quality of Buypass' services beyond those covered by the AICPA/CICA WebTrust for Certification Authorities - Extended Validation Criteria, or the suitability of any of Buypass' services for any customer's intended purpose. Buypass’ use of the WebTrust for EV Seal constitutes a symbolic representation of the contents of this report and it is not intended, nor should it be construed, to update this report or provide any additional assurance.

On behalf of KPMG Advisory N.V.
Utrecht, 22 December 2009

J.C. Boer RE RA, Partner
drs. ing. R.F. Koorn RE CISA, Partner

Buypass: securing transactions

Assertion of Management as to its Disclosure of its Business Practices and its Controls over its Extended Validation Certification Authority Operations during the period from December 1, 2008 through November 30, 2009

December 22, 2009

Buypass AS (hereafter: Buypass) provides Extended Validation Certification Authority (EV-CA) services through its Buypass Class 3 CA (SSL Evident - EV). The practices outlining the processes related to accession, supervision and control are described in the Certificate Practice Statement for Buypass Class 3 (EV) SSL Certificates, version v1.11, October 27, 2009, as published on the website of Buypass.

The management of Buypass is responsible for designing effective controls over its EV-CA operations, including:
• CA Business Practices Disclosure in its Certificate Practice Statement on the website of Buypass,
• Service integrity, including key and certificate life cycle management controls.

There are inherent limitations in any controls, including the possibility of human error and the circumvention or overriding of controls. Accordingly, even effective controls can provide only reasonable assurance with respect to Buypass' EV-CA operations. Furthermore, because of changes in conditions, the effectiveness of controls may vary over time.

The management of Buypass has assessed controls over its EV-CA operations. Based on that assessment, in Management's opinion, in providing EV-CA services at Oslo and Gjøvik, Norway, during the period from December 1, 2008 through November 30, 2009, Buypass has:

• Disclosed its EV Certificate life cycle management practices and procedures, including its commitment to provide EV Certificates in conformity with the CA/Browser Forum Guidelines, and provided such services in accordance with its disclosed practices, and

• Maintained effective controls to provide reasonable assurance that:
  - EV Subscriber information was properly collected, authenticated (for the registration activities performed by Buypass) and verified, and
  - The integrity of keys and EV certificates it manages is established and protected throughout their life cycles,

based on the AICPA/CICA WebTrust for Certification Authorities - Extended Validation Audit Criteria (version 1.1), including the following:


CA Business Practices Disclosure

Service Integrity
• EV Certificate Content and Profile
• EV Certificate Request Requirements
• Information Verification Requirements
• Certificate Status Checking and Revocation
• Employee and Third Party Issues
• Data and Record Issues

Gunnar Lindstøl, Administrerende direktør / CEO
