ETSI - TS 102 042
Electronic Signatures and Infrastructures (ESI); Policy requirements for certification authorities issuing public key certificates
Organization: | ETSI |
Publication Date: | 1 February 2013 |
Status: | active |
Page Count: | 56 |
scope:
The present document specifies policy requirements relating to Certification Authorities (CAs) issuing public key certificates, including Extended Validation Certificates (EVC) and Publicly trusted TLS/SSL certificates (PTC). It defines policy requirements on the operation and management practices of certification authorities issuing and managing certificates such that subscribers, subjects certified by the CA and relying parties may have confidence in the applicability of the certificate in support of cryptographic mechanisms.
The policy requirements are defined in terms of six reference certificate policies and a framework from which CAs can produce a certificate policy targeted at a particular service.
The first reference policy defines a set of requirements for CAs providing a level of quality the same as that offered by qualified certificates, without being tied to the Electronic Signature Directive (1999/93/EC [i.1]) and without requiring use of a secure user (signing or decrypting) device. This is labelled the "Normalized" Certificate Policy (NCP). It is anticipated that the NCP may be used as the basis for realizing the quality level set by the Qualified Certificate Policy (as defined in TS 101 456 [15]) but without the legal constraints of the Electronic Signature Directive (1999/93/EC [i.1]).
In addition to the NCP quality level, the present document specifies six alternative variants of NCP, the requirements of which may be used where alternative levels of service can be justified through risk analysis. The alternatives are referred to as:
• the Lightweight Certificate Policy (LCP) for use where a risk assessment does not justify the additional costs of meeting the more onerous requirements of the NCP (e.g. physical presence);
• the extended Normalized Certificate Policy (NCP+) for use where a secure user device (signing or decrypting) is considered necessary;
• the Extended Validation Certificates Policy (EVCP) for use with code signing or TLS/SSL where provisions, additional to those indicated in NCP, are required to issue EVCs, consistently with what is specified in the EV Certificates Guidelines [16] issued by the CAB Forum;
• the enhanced Extended Validation Certificates Policy (EVCP+) for use with code signing or TLS/SSL where, in addition to the requirements to issue EVCs, a secure user device (signing or decrypting) is considered necessary;
• the Domain Validation Certificates Policy (DVCP) for use with TLS/SSL where provisions, additional to those indicated in NCP, are required to issue DVCs, consistently with what is specified in the BRG [19] issued by the CAB Forum;
• the Organizational Validation Certificates Policy (OVCP) for use with TLS/SSL where provisions, additional to those indicated in NCP, are required to issue OVCs, consistently with what is specified in the BRG [19] issued by the CAB Forum.
NOTE 1: TLS/SSL is used to denote access to web based services protected using the Transport Layer Security (TLS) protocol [i.4] or earlier equivalent Secure Socket Layer (SSL) protocol.
EVCP and EVCP+ are based on NCP and NCP+ respectively, therefore, except where explicitly specified, all the relevant NCP and NCP+ requirements apply in addition to those specifically required for EVC.
DVCP and OVCP are based on NCP as well, so except where explicitly specified, all the relevant NCP requirements apply in addition to those specifically required for DVC and/or OVC.
Applicability of these certificates is specified by clause 5.3.
The present document may be used by competent independent bodies as the basis for confirming that a CA provides a reliable service in line with recognized practices. As far as it regards to EVC and DVC/OVC it can be used by:
• Auditors, operating in a European framework for evaluation of Certification Authorities, to evaluate whether these Certification Authorities meet the requirements for issuing EVC and/or DVC/OVC as Specified in the CAB Forum EV Certificate Guidelines [16] and/or the BRG [19] respectively.
• Certification Authorities, operating under the previous versions of this Technical Specification, that intend to adapt their policies and practices to issuing EVC and/or DVC/OVC.
• Certification Authorities planning to issue EVC and/or DVC/OVC within a context that fits European standard practices for CAs.
It is recommended that subscribers and relying parties consult the certificate policy and certification practice statement of the issuing CA to obtain details of the requirements addressed by its certificate policy and how the certificate policy is implemented by the particular CA.
The policy requirements relating to the CA include requirements
on the provision of services for registration, certificate
generation, certificate dissemination, revocation management,
revocation status and if required, secure subject device provision.
Support for other trusted third party functions such as
time-stamping and attribute certificates are outside the scope of
the present document. In addition, the present document does not
address requirements for certification authority certificates,
including certificate hierarchies and cross-certification,
Consistently with EVCG [16] and BRG [19], within the clauses of the present document related to issuing certificates the keyword "SHOULD" has the meaning specified in RFC 2119 [18] that indicates that there may exist valid reasons in particular circumstances to ignore a particular item, but the full implications are understood and carefully weighed before choosing a different course.
If an implementation of the present document is to be certified conformant through assessment by an independent auditor, annex E states requirements to ensure proper qualification of that auditor.
NOTE 2: See TS 119 403 [i.2] for guidance on assessment of CA processes and services against the present document.