
ETSI - TS 102 042

Electronic Signatures and Infrastructures (ESI); Policy requirements for certification authorities issuing public key certificates

active, Most Current
Organization: ETSI
Publication Date: 1 February 2013
Status: active
Page Count: 56
scope:

The present document specifies policy requirements relating to Certification Authorities (CAs) issuing public key certificates, including Extended Validation Certificates (EVC) and Publicly trusted TLS/SSL certificates (PTC). It defines policy requirements on the operation and management practices of certification authorities issuing and managing certificates such that subscribers, subjects certified by the CA and relying parties may have confidence in the applicability of the certificate in support of cryptographic mechanisms.

The policy requirements are defined in terms of seven reference certificate policies (the NCP and the six alternative variants listed below) and a framework from which CAs can produce a certificate policy targeted at a particular service.

The first reference policy defines a set of requirements for CAs providing a level of quality the same as that offered by qualified certificates, without being tied to the Electronic Signature Directive (1999/93/EC [i.1]) and without requiring use of a secure user (signing or decrypting) device. This is labelled the "Normalized" Certificate Policy (NCP). It is anticipated that the NCP may be used as the basis for realizing the quality level set by the Qualified Certificate Policy (as defined in TS 101 456 [15]) but without the legal constraints of the Electronic Signature Directive (1999/93/EC [i.1]).

In addition to the NCP quality level, the present document specifies six alternative variants of NCP, the requirements of which may be used where alternative levels of service can be justified through risk analysis. The alternatives are referred to as:

• the Lightweight Certificate Policy (LCP) for use where a risk assessment does not justify the additional costs of meeting the more onerous requirements of the NCP (e.g. physical presence);

• the extended Normalized Certificate Policy (NCP+) for use where a secure user device (signing or decrypting) is considered necessary;

• the Extended Validation Certificates Policy (EVCP) for use with code signing or TLS/SSL where provisions, additional to those indicated in NCP, are required to issue EVCs, consistent with what is specified in the EV Certificates Guidelines [16] issued by the CAB Forum;

• the enhanced Extended Validation Certificates Policy (EVCP+) for use with code signing or TLS/SSL where, in addition to the requirements to issue EVCs, a secure user device (signing or decrypting) is considered necessary;

• the Domain Validation Certificates Policy (DVCP) for use with TLS/SSL where provisions, additional to those indicated in NCP, are required to issue DVCs, consistent with what is specified in the BRG [19] issued by the CAB Forum;

• the Organizational Validation Certificates Policy (OVCP) for use with TLS/SSL where provisions, additional to those indicated in NCP, are required to issue OVCs, consistent with what is specified in the BRG [19] issued by the CAB Forum.

NOTE 1: TLS/SSL is used to denote access to web based services protected using the Transport Layer Security (TLS) protocol [i.4] or the earlier equivalent Secure Sockets Layer (SSL) protocol.

EVCP and EVCP+ are based on NCP and NCP+ respectively, therefore, except where explicitly specified, all the relevant NCP and NCP+ requirements apply in addition to those specifically required for EVC.

DVCP and OVCP are based on NCP as well, so except where explicitly specified, all the relevant NCP requirements apply in addition to those specifically required for DVC and/or OVC.

Applicability of these certificates is specified by clause 5.3.

The present document may be used by competent independent bodies as the basis for confirming that a CA provides a reliable service in line with recognized practices. As regards EVC and DVC/OVC, it can be used by:

• Auditors, operating in a European framework for evaluation of Certification Authorities, to evaluate whether these Certification Authorities meet the requirements for issuing EVC and/or DVC/OVC as specified in the CAB Forum EV Certificate Guidelines [16] and/or the BRG [19] respectively.

• Certification Authorities, operating under the previous versions of this Technical Specification, that intend to adapt their policies and practices to issuing EVC and/or DVC/OVC.

• Certification Authorities planning to issue EVC and/or DVC/OVC within a context that fits European standard practices for CAs.

It is recommended that subscribers and relying parties consult the certificate policy and certification practice statement of the issuing CA to obtain details of the requirements addressed by its certificate policy and how the certificate policy is implemented by the particular CA.

The policy requirements relating to the CA include requirements on the provision of services for registration, certificate generation, certificate dissemination, revocation management, revocation status and, if required, secure subject device provision. Support for other trusted third party functions such as time-stamping and attribute certificates is outside the scope of the present document. In addition, the present document does not address requirements for certification authority certificates, including certificate hierarchies and cross-certification, except where explicitly specified in the cases of EVCP and/or EVCP+ and DVCP/OVCP.

Consistent with EVCG [16] and BRG [19], within the clauses of the present document related to issuing certificates the keyword "SHOULD" has the meaning specified in RFC 2119 [18]: there may exist valid reasons in particular circumstances to ignore a particular item, but the full implications must be understood and carefully weighed before choosing a different course.

If an implementation of the present document is to be certified conformant through assessment by an independent auditor, annex E states requirements to ensure proper qualification of that auditor.

NOTE 2: See TS 119 403 [i.2] for guidance on assessment of CA processes and services against the present document.

Document History

TS 102 042
February 1, 2013
Electronic Signatures and Infrastructures (ESI); Policy requirements for certification authorities issuing public key certificates
The present document specifies policy requirements relating to Certification Authorities (CAs) issuing public key certificates, including Extended Validation Certificates (EVC) and Publicly trusted...
November 1, 2012
Electronic Signatures and Infrastructures (ESI); Policy requirements for certification authorities issuing public key certificates
The present document specifies policy requirements relating to Certification Authorities (CAs) issuing public key certificates, including Extended Validation Certificates (EVC) and Publicly trusted...
December 1, 2011
Electronic Signatures and Infrastructures (ESI); Policy requirements for certification authorities issuing public key certificates
The present document specifies policy requirements relating to Certification Authorities (CAs) issuing public key certificates, including Extended Validation Certificates (EVC). It defines policy...
April 1, 2010
Electronic Signatures and Infrastructures (ESI); Policy requirements for certification authorities issuing public key certificates
The present document specifies policy requirements relating to Certification Authorities (CAs) issuing public key certificates, including Extended Validation Certificates (EVC). It defines policy...
May 1, 2009
Electronic Signatures and Infrastructures (ESI); Policy requirements for certification authorities issuing public key certificates
December 1, 2007
Electronic Signatures and Infrastructures (ESI); Policy requirements for certification authorities issuing public key certificates
March 1, 2007
Electronic Signatures and Infrastructures (ESI); Policy requirements for certification authorities issuing public key certificates
December 1, 2006
Electronic Signatures and Infrastructures (ESI); Policy requirements for certification authorities issuing public key certificates
June 1, 2005
Electronic Signatures and Infrastructures (ESI); Policy requirements for certification authorities issuing public key certificates
May 1, 2005
Electronic Signatures and Infrastructures (ESI); Policy requirements for certification authorities issuing public key certificates
April 1, 2002
Policy Requirements for Certification Authorities Issuing Public Key Certificates