ETSI - TS 102 042
Electronic Signatures and Infrastructures (ESI); Policy requirements for certification authorities issuing public key certificates
Organization: | ETSI |
Publication Date: | 1 April 2010 |
Status: | inactive |
Page Count: | 53 |
scope:
The present document specifies policy requirements relating to Certification Authorities (CAs) issuing public key certificates, including Extended Validation Certificates (EVC). It defines policy requirements on the operation and management practices of certification authorities issuing and managing certificates such that subscribers, subjects certified by the CA and relying parties may have confidence in the applicability of the certificate in support of cryptographic mechanisms.
The policy requirements are defined in terms of five reference certificate policies and a framework from which CAs can produce a certificate policy targeted at a particular service.
The first reference policy defines a set of requirements for CAs providing a level of quality the same as that offered by qualified certificates, without being tied to the Electronic Signature Directive (1999/93/EC [i.1]) and without requiring use of a secure user (signing or decrypting) device. This is labelled the "Normalized" Certificate Policy (NCP). It is anticipated that the NCP may be used as the basis for realizing the quality level set by the Qualified Certificate Policy (as defined in TS 101 456 [15]) but without the legal constraints of the Electronic Signature Directive (1999/93/EC [i.1]).
In addition to the NCP quality level, the present document specifies four alternative variants of NCP, the requirements of which may be used where alternative levels of service can be justified through risk analysis. The alternatives are referred to as:
• the Lightweight Certificate Policy (LCP) for use where a risk assessment does not justify the additional costs of meeting the more onerous requirements of the NCP (e.g. physical presence);
• the extended Normalized Certificate Policy (NCP+) for use where a secure user device (signing or decrypting) is considered necessary;
• the Extended Validation Certificates Policy (EVCP) for use where provisions, additional to those indicated in NCP, are required to issue EVCs, consistently with what is specified in the EV Certificates Guidelines [16] issued by the CAB Forum;
• the enhanced Extended Validation Certificates Policy (EVCP+) for use where, in addition to the requirements to issue EVCs, a secure user device (signing or decrypting) is considered necessary.
EVCP and EVCP+ are based on NCP and NCP+ respectively, therefore, except where explicitly specified, all the relevant NCP and NCP+ requirements apply in addition to those specifically required for EVC.
Certificates issued under these policies requirements may be used in support of any asymmetric mechanisms requiring certification of public keys including electronic and digital signatures, encryption, key exchange and key agreement mechanisms.
The present document may be used by competent independent bodies as the basis for confirming that a CA provides a reliable service in line with recognized practices. As far as it regards EVC it can be used by:
• Auditors, operating in a European framework for evaluation of Certification Authorities, to evaluate whether these Certification Authorities meet the requirements for issuing EV Certificates as Specified in the CAB Forum EV Certificate Guidelines [16];
• Certification Authorities, operating under the previous versions of this Technical Specification, that intend to adapt their policies and practices to issuing EV Certificates;
• Certification Authorities planning to issue EV Certificates within a context that fits European standard practices for CAs.
It is recommended that subscribers and relying parties consult the certificate policy and certification practice statement of the issuing CA to obtain details of the requirements addressed by its certificate policy and how the certificate policy is implemented by the particular CA.
The policy requirements relating to the CA include requirements
on the provision of services for registration, certificate
generation, certificate dissemination, revocation management,
revocation status and if required, secure subject device provision.
Support for other trusted third party functions such as
time-stamping and attribute certificates are outside the scope of
the present document. In addition, the present document does not
address requirements for certification authority certificates,
including certificate hierarchies and cross-certification,
Consistently with EVCG [16], within the clauses of the present document related to issuing EVCs the keyword "SHOULD" has the meaning specified in RFC 2119 [18] that indicates that there may exist valid reasons in particular circumstances to ignore a particular item, but the full implications must be understood and carefully weighed before choosing a different course.
If an implementation of the present document is to be certified conformant through assessment by an independent auditor, annex E states requirements to ensure proper qualification of that auditor.
NOTE: See CEN Workshop Agreement 14172-2 [i.2] for guidance on assessment of CA processes and services against the present document.
Document History










