DS/CWA 14167-1

Security Requirements for Trustworthy Systems Managing Certificates for Electronic Signatures – Part 1: System Security Requirements

inactive, Most Current
Organization: DS
Publication Date: 20 September 2007
Status: inactive
Page Count: 83
ICS Code (Product and company certification. Conformity assessment): 03.120.20
Scope:

This document establishes security requirements for TWSs and technical components that can be used by a CSP in order to issue QCs and NQCs in accordance with [Dir.1999/93/EC]. Although [Dir.1999/93/EC] has a very general approach and speaks of electronic signatures of any kind, the underlying assumption in this document is that electronic signatures are created by means of public key cryptography, that the subject uses a cryptographic key pair consisting of a private and public component, and that a certificate produced by a system considered in this document essentially binds the public key of the subject to the identity and possibly other information of the subject by means of an electronic signature which is created with the private key (certificate signing key) of the issuing CSP. Other forms of electronic signatures are outside the scope of this document. With reference to electronic signatures, [Dir.1999/93/EC] provides two levels of signature, one a standard Electronic Signature and the other an Advanced Electronic Signature. Within this CWA, these are used in conjunction with NQCs and QCs respectively. This CWA provides security requirements for both these levels where the security requirements for TWSs issuing QCs are higher than for those just issuing NQCs. Security requirements for TWSs also include a minimum set of requirements to be fulfilled by the signature algorithms and their parameters allowed for use by CSPs. These requirements are provided in [ALGO]. Security requirements for the optional Subject Device Provision Service, which provides SCDev/SSCD provision to Subjects, are included within the scope of this CWA. However, requirements for the actual SSCD devices themselves, as used by Subjects of the CSP, are outside the scope of this document. Security requirements for SSCDs are provided in the separate document Secure Signature Creation Devices [CENSSCD].
Although this specification is based on the use of public key cryptography, it does not require or define any particular communication protocol or format for electronic signatures, certificates, certificate revocation lists, certificate status information and time stamp tokens. It only assumes certain types of information to be present in the certificates in accordance with Annex I of [Dir.1999/93/EC]. Interoperability between CSP systems and subject systems is outside the scope of this document. This document is also applicable for bodies established in Member States for voluntary accreditation of CSPs, as outlined in [Dir.1999/93/EC]. Use of TWSs conformant to QC requirements in this CWA indicates that the technology used by the CSP is capable of fulfilling Annex I and Annex II requirements of [Dir.1999/93/EC]. Details of how compliance with this CWA is reached are specified in section 6. By using TWSs that are compliant with this CWA, CSPs may reduce their auditing burden by leveraging these assessed components and only auditing the operating aspects of the TWSs.

Document History

DS/CWA 14167-1
September 20, 2007
Security Requirements for Trustworthy Systems Managing Certificates for Electronic Signatures – Part 1: System Security Requirements
This document establishes security requirements for TWSs and technical components that can be used by a CSP in order to issue QCs and NQCs in accordance with [Dir.1999/93/EC]. Although...
March 1, 2002
Security Requirements for Trustworthy Systems Managing Certificates for Electronic Signatures - Part 1: System Security Requirements
This CEN Workshop Agreement (CWA) specifies security requirements on products and technology components, used by Certification Service Providers (CSPs), to create Qualified and Non-Qualified...