scope:

The present document specifies policy requirements relating to Trust Service Providers (TSP) issuing public key certificates. It defines policy requirements on the operation and management practices of certification authorities issuing and managing certificates such that subscribers, subjects certified by the TSP and relying parties may have confidence in the applicability of the certificate in support of cryptographic mechanisms.

The policy requirements are defined in terms of three reference certificate policies and a framework from which TSPs can produce a certificate policy targeted at a particular service.

The first reference policy defines a set of requirements for TSPs providing a level of quality the same as that offered by qualified certificates, without being tied to the Electronic Signature Directive (1999/93/EC [i.1]) and without requiring use of a secure user (cryptographic) device. This is labelled the "Normalized" Certificate Policy (NCP). It is anticipated that the NCP may be used as the basis for realizing the quality level set by the Qualified Certificate Policy (as defined in EN 319 411-2 [i.5]) but without the legal constraints of the Electronic Signature Directive (1999/93/EC [i.1]).

In addition to the NCP quality level, the present document specifies two alternative variants of NCP, the requirements of which may be used where alternative levels of service can be justified through risk analysis. The alternatives are referred to as:

• the Lightweight Certificate Policy (LCP) for use where a risk assessment does not justify the additional costs of meeting the more onerous requirements of the NCP (e.g. physical presence);

• the extended Normalized Certificate Policy (NCP+) for use where a secure user device is considered necessary.

Certificates issued under these policies requirements may be used in support of any asymmetric mechanisms requiring certification of public keys including electronic and digital signatures, encryption, key exchange and key agreement mechanisms.

The present document may be used by competent independent bodies as the basis for confirming that a CA provides a reliable service in line with recognized practices.

Subscribers and relying parties should consult the certificate policy and certification practice statement of the issuing TSP to obtain details of the requirements addressed by its certificate policy and how the certificate policy is implemented by the particular TSP.

The policy requirements relating to the TSP include requirements on the provision of services for registration, certificate generation, certificate dissemination, revocation management, revocation status and if required, secure subject device provision. Support for other trusted third party functions such as time-stamping and attribute certificates are outside the scope of the present document. In addition, the present document does not address requirements for Certification Authority certificates, including certificate hierarchies and cross-certification.

The present document does not specify how the requirements identified may be assessed by an independent party, including requirements for information to be made available to such independent assessors, or requirements on such assessors.

NOTE: See TS 119 403 [i.2] for guidance on assessment of TSP processes and services against the present document. The present document references EN 319 401 [10] for policy general requirements common to all classes of TSP service.