DS/EN 319 411-3 V1.1.1
Electronic Signatures and Infrastructures (ESI); Policy and security requirements for Trust Service Providers issuing certificates; Part 3: Policy requirements for Certification Authorities issuing public key certificates
| Organization: | DS |
| Publication Date: | 14 February 2013 |
| Status: | inactive |
| ICS Code (Telecommunication services. Applications): | 33.030 |
Scope:

The present document specifies policy requirements relating to Trust Service Providers (TSP) issuing public key certificates. It defines policy requirements on the operation and management practices of certification authorities issuing and managing certificates such that subscribers, subjects certified by the TSP and relying parties may have confidence in the applicability of the certificate in support of cryptographic mechanisms.

The policy requirements are defined in terms of three reference certificate policies and a framework from which TSPs can produce a certificate policy targeted at a particular service.

The first reference policy defines a set of requirements for TSPs providing a level of quality the same as that offered by qualified certificates, without being tied to the Electronic Signature Directive (1999/93/EC [i.1]) and without requiring use of a secure user (cryptographic) device. This is labelled the "Normalized" Certificate Policy (NCP). It is anticipated that the NCP may be used as the basis for realizing the quality level set by the Qualified Certificate Policy (as defined in EN 319 411-2 [i.5]) but without the legal constraints of the Electronic Signature Directive (1999/93/EC [i.1]).

In addition to the NCP quality level, the present document specifies two alternative variants of NCP, the requirements of which may be used where alternative levels of service can be justified through risk analysis. The alternatives are referred to as:

• the Lightweight Certificate Policy (LCP) for use where a risk assessment does not justify the additional costs of meeting the more onerous requirements of the NCP (e.g. physical presence);
• the extended Normalized Certificate Policy (NCP+) for use where a secure user device is considered necessary.