Commission Decision of 16 October 2009 setting out measures facilitating the use of procedures by electronic means through the ‘points of single contact’ under Directive 2006/123/EC of the European Parliament and of the Council on services in the internal market (notified under document C(2009) 7806) (Text with EEA relevance) (2009/767/EC)

This item of legislation originated from the EU

Legislation.gov.uk publishes the UK version. EUR-Lex publishes the EU version. The EU Exit Web Archive holds a snapshot of EUR-Lex’s version from IP completion day (31 December 2020 11.00 p.m.).

Version Superseded: 31/12/2020

Status: Point in time view as at 01/07/2013.

Changes to legislation: There are currently no known outstanding effects for the Commission Decision of 16 October 2009 setting out measures facilitating the use of procedures by electronic means through the ‘points of single contact’ under Directive 2006/123/EC of the European Parliament and of the Council on services in the internal market (notified under document C(2009) 7806) (Text with EEA relevance) (2009/767/EC), Division 2.

[X1 2. Guidelines for editing entries in the TL

2.1. A TL focusing on supervised/accredited certification services

Relevant Certification Services and Certification Service Providers in a single List

The Trusted List of a Member State is defined as the Supervision/Accreditation Status List of certification services from Certification Service Providers who are supervised/accredited by the referenced Member State for compliance with the relevant provisions of Directive 1999/93/EC.

Such a Trusted List must cover:

  • all Certification Service Providers, as defined in Article 2.11 of Directive 1999/93/EC, i.e. entity or a legal or natural person who issues certificates or provides other services related to electronic signatures;

  • that are supervised/accredited for compliance with the relevant provisions laid down in Directive 1999/93/EC.

When considering the definitions and provisions laid down in Directive 1999/93/EC, in particular with regard to the relevant CSPs and their supervision/voluntary accreditation systems, two sets of CSPs can be distinguished, namely the CSPs issuing QCs to the public (CSP QC), and the CSPs not issuing QCs to the public but providing other (ancillary) services related to electronic signatures:

  • CSPs issuing QCs:

    • They must be supervised by the Member State in which they are established (if they are established in a Member State) and may also be accredited for compliance with the provisions laid down in Directive 1999/93/EC, including with the requirements of Annex I (requirements for QCs), and those of Annex II (requirements for CSPs issuing QCs). CSPs issuing QCs that are accredited in a Member State must still fall under the appropriate supervision system of that Member State unless they are not established in that Member State.

    • The applicable supervision system (respectively voluntary accreditation system) is defined and must meet the relevant requirements of Directive 1999/93/EC, in particular those laid down in Art. 3,3, Art. 8,1, Art. 11, recital (13) (respectively, Art.2.13, Art. 3,2, Art 7.1(a), Art. 8,1, Art. 11, recitals (4)-(11-13)).

  • CSPs not issuing QCs:

    • They may fall under a voluntary accreditation system (as defined in and in compliance with Directive 1999/93/EC) and/or under a nationally defined recognised approval scheme implemented on a national basis for the supervision of compliance with the provisions laid down in the Directive and possibly with national provisions with regard to the provision of certification services (in the sense of Art. 2,11 of the Directive).

    • Some of the physical or binary (logical) objects generated or issued as a result of the provision of a certification service may be entitled to a specific qualification on the basis of their compliance with the provisions and requirements laid down at national level, but the meaning of such a qualification is likely to be limited solely to the national level.

The Trusted List of a Member State must provide a minimum of information on supervised/accredited CSPs issuing Qualified Certificates to the public in accordance with the provisions laid down in Directive 1999/93/EC (Art. 3,3, 3,2 and Art. 7.1(a)), information on the QC supporting the electronic signature and whether the signature is or not created by a Secure Signature Creation Device.

Additional information on other supervised/accredited services from CSPs not issuing QCs to the public (e.g. CSPs providing Time Stamping Services and issuing Time Stamp Tokens, CSPs issuing non-Qualified certificates, etc.) may be included in the Trusted List at national level on a voluntary basis.

The Trusted List aims at:

  • listing and providing reliable information on the supervision/accreditation status of certification services from Certification Service Providers, who are supervised/accredited by the Member State responsible for establishing and maintaining the List for compliance with the relevant provisions laid down in Directive 1999/93/EC;

  • facilitating the validation of electronic signatures supported by the listed supervised/accredited certification services from the listed CSPs.

A single set of Supervision/Accreditation status values

One single TL must be established and maintained per Member State to indicate the supervision and/or accreditation status of those certification services from those CSPs that are supervised/accredited by the Member State.

The fact that a service is currently either supervised or accredited is part of its current status. In addition to that, a supervision or accreditation status can be ongoing, in cessation, ceased, or even revoked. Throughout its lifetime, the same certification service may move from a supervision status to an accreditation status and vice versa (1).

The following Figure 1 describes the expected flow, for one single certification service, between possible supervision/accreditation statuses:

Figure 1: Expected supervision/accreditation status flow for a single CSP service

A certification service issuing QCs must be supervised (if it is established in a Member State) and may be voluntarily accredited. The status value of such a service when listed in a Trusted List can have any of the above depicted status values as current status value. However, it should be noted that Accreditation ceased and Accreditation revoked must both be transit status values only in the case of CSP QC services established in a Member State, as such services must be supervised by default (even when not or no longer accredited).

It is required that Member States establishing or having established a nationally defined recognised approval scheme(s) implemented on a national basis for the supervision of compliance of services from CSPs not issuing QCs with the provisions laid down in Directive 1999/93/EC and with possible national provisions with regard to the provision of certification services (in the sense of Art. 2,11 of the Directive) will categorise such approval scheme(s) under the following two categories:

  • voluntary accreditation as defined and regulated in Directive 1999/93/EC (Art.2.13, Art. 3,2, Art 7.1(a), Art. 8,1, Art. 11, recitals (4)-(11-13));

  • supervision as required in Directive 1999/93/EC and implemented by national provisions and requirements in accordance with national laws.

Accordingly, a certification service not issuing QCs may be supervised or voluntarily accredited. The status value of such a service when listed in a Trusted List can have any of the above depicted status values as its current status value (see Figure 1).

The Trusted List must contain information about the underlying supervision/accreditation scheme(s), in particular:

  • Information on the supervision system applicable to any CSP QC;

  • Information, when applicable, on the national voluntary accreditation scheme applicable to any CSP QC;

  • Information, when applicable, on the supervision system applicable to any CSP not issuing QCs;

  • Information, when applicable, on the national voluntary accreditation scheme applicable to any CSP not issuing QCs.

The last two sets of information are of critical importance for relying parties to assess the quality and security level of such supervision/accreditation systems applied at national level to CSPs not issuing QCs. When supervision/accreditation status information is provided in the TL with regard to services from CSPs not issuing QCs, the aforementioned sets of information shall be provided at TL level through the use of Scheme information URI (clause 5.3.7 – information being provided by Member States), Scheme type/community/rules (clause 5.3.9 – through the use of a text common to all Member States, and optional specific information provided by a Member State) and TSL policy/legal notice (clause 5.3.11 – a text common to all Member States referring to Directive 1999/93/EC, together with the ability for each Member State to add Member State specific text/references). Additional qualification information defined at the level of national supervision/accreditation systems for CSPs not issuing QCs may be provided at the service level when applicable and required (e.g. to distinguish between several quality/security levels) through the use of additionalServiceInformation extension (clause 5.8.2) as part of Service information extension (clause 5.5.9). Further information on the corresponding technical specifications is provided in the detailed specifications in Chapter I.

Despite the fact that separate bodies of a Member State may be in charge of the supervision and accreditation of certification services in that Member State, it is expected that only one entry shall be used for one single certification service (identified by its Service digital identity as per ETSI TS 102 231 (2)) and that its supervision/accreditation status will be updated accordingly. The meaning of the above depicted statuses is described in the related clause 5.5.4 of the detailed technical specifications in Chapter I.

2.2. TL entries aiming at facilitating the validation of QES and AdES QC

The most critical part of the creation of the TL is the establishment of the mandatory part of the TL, namely the List of services per CSP issuing QCs, in order to correctly reflect the exact issuing situation of each such QC-issuing certification service and to ensure that the information provided in each entry is sufficient to facilitate the validation of QES and AdES QC (when combined with the content of the end-entity QC issued by the CSP under the certification service listed in this entry).

Insofar as there is no truly interoperable and cross-border profile for the QC, the required information might include other information than the Service digital identity of a single (Root) CA, in particular information identifying the QC status of the issued certificate, and whether or not the supported signatures are created by an SSCD. The Body in a Member State that is designated to establish, edit and maintain the TL (i.e. the Scheme operator as per ETSI TS 102 231) must therefore take into account the current profile and certificate content in each issued QC, per CSP QC covered by the TL.

Ideally each issued QC should include the ETSI defined QcCompliance (3) statement when it is claimed that it is a QC and should include the ETSI defined QcSSCD statement when it is claimed that it is supported by an SSCD to generate eSignatures, and/or that each issued QC includes one of the QCP/QCP + certificate policy Object Identifiers (OIDs) defined in ETSI TS 101 456 (4). The use by CSPs issuing QCs of different standards as references, the wide degree of interpretation of those standards as well as the lack of awareness of the existence and precedence of some normative technical specifications or standards has resulted in differences in the actual content of currently issued QCs (e.g. the use or not of those QcStatements defined by ETSI) and consequently are preventing the receiving parties from simply relying on the signatory’s certificate (and associated chain/path) to assess, at least in a machine readable way, whether or not the certificate supporting an eSignature is claimed to be a QC and whether or not it is associated with an SSCD through which the eSignature has been created.

Completing the Service type identifier (Sti), Service name (Sn), and Service digital identity (Sdi) (5) fields with information provided in the Service information extensions (Sie) field allows the proposed TL common template to fully determine a specific type of qualified certificate issued by a listed CSP certification service issuing QCs and to provide information about the fact that it is supported by an SSCD or not (when such information is missing in the issued QC). A specific Service current status (Scs) information is of course associated to this entry. This is depicted in Figure 2 below.

Listing a service by just providing the Sdi of a (Root) CA would mean that it is ensured (by the CSP issuing QCs but also by the Supervisory/Accreditation Body in charge of the supervision/accreditation of this CSP) that any end-entity certificate issued under this (Root) CA (hierarchy) contains enough ETSI defined and machine-processable information to assess whether or not it is a QC, and whether it is supported by an SSCD. In the event, for example, that the latter assertion is not true (e.g. there is no ETSI standardised machine-processable indication in the QC about whether it is supported by an SSCD), then by listing only the Sdi of that (Root) CA, it can only be assumed that QCs issued under this (Root) CA hierarchy are not supported by any SSCD. In order to consider those QCs as supported by an SSCD, the Sie should be used to indicate this fact (this also indicates that it is guaranteed by the CSP issuing QCs and supervised/accredited by the Supervisory or Accreditation Body respectively).

General principles — Editing rules — CSP QC entries (listed services)

The present TL common template technical specifications allow using a combination of five main parts of information in the service entry:

  • The Service type identifier (Sti), e.g. identifying a CA issuing QCs (CA/QC),

  • The Service name (Sn),

  • The Service digital identity (Sdi) information identifying a listed service, e.g. the X.509v3 certificate (as a minimum) of a CA issuing QCs,

  • For CA/QC services, optional Service information extensions (Sie) information that shall allow inclusion of a sequence of one or more tuples, each tuple providing:

    • Criteria to be used to further identify (filter) under the Sdi identified certification service that precise service (i.e. set of qualified certificates) for which additional information is required/provided with regard to the indication of the SSCD support (and/or issuance to a Legal Person); and

    • The associated information (qualifiers) on whether this further identified service set of qualified certificates is supported by an SSCD or not or whether this associated information is part of the QC under a standardised machine-processable form, and/or information regarding the fact that such QCs are issued to Legal Persons (by default they are to be considered as issued only to Natural Persons);

  • The current status information for this service entry providing information on:

    • Whether it is a supervised or accredited service, and

    • The supervision/accreditation status itself.

2.3. Editing and usage guidelines for CSP QC services entries

The general editing guidelines are:

1. If it is ensured (guarantee provided by CSP QC and supervised/accredited by Supervisory Body (SB)/Accreditation Body (AB)) that, for a listed service identified by a Sdi, any QC supported by an SSCD does contain the ETSI defined QcCompliance statement, and does contain the QcSSCD statement and/or QCP + Object Identifier (OID), then the use of an appropriate Sdi is sufficient and the Sie field can be used as an option and will not need to contain the SSCD support information.

2. If it is ensured (guarantee provided by CSP QC and supervised/accredited by SB/AB) that, for a listed service identified by a Sdi, any QC not supported by an SSCD does contain either the QcCompliance statement and/or QCP OID, and it is such that it is meant to not contain the QcSSCD statement or QCP + OID, then the use of an appropriate Sdi is sufficient and the Sie field can be used as an option and will not need to contain the SSCD support information (meaning it is not supported by an SSCD).

3. If it is ensured (guarantee provided by CSP QC and supervised/accredited by SB/AB) that, for a listed service identified by a Sdi, any QC does contain the QcCompliance statement, and some of these QCs are meant to be supported by SSCDs and some not (e.g. this may be differentiated by different CSP specific Certificate Policy OIDs or through other CSP specific information in the QC, directly or indirectly, machine-processable or not), but it contains NEITHER the QcSSCD statement NOR the ETSI QCP(+) OID, then the use of an appropriate Sdi may not be sufficient AND the Sie field must be used to indicate explicit SSCD support information together with a potential information extension to identify the covered set of certificates. This is likely to require the inclusion of different SSCD support information values for the same Sdi when making use of the Sie field.

4. If it is ensured (guarantee provided by CSP QC and supervised/accredited by SB/AB) that for a listed service identified by a Sdi, any QC does not contain any of the QcCompliance statement, the QCP OID, the QcSSCD statement, or the QCP + OID but it is ensured that some of these end-entity certificates issued under this Sdi are meant to be QCs and/or supported by SSCDs and some not (e.g. this may be differentiated by different CSP QC specific Certificate Policy OIDs or through other CSP QC specific information in the QC, directly or indirectly, machine-processable or not), then the use of an appropriate Sdi will not be sufficient AND the Sie field must be used to include explicit SSCD support information. This is likely to require the inclusion of different SSCD support information values for the same Sdi when making use of the Sie field.

As a general default principle, for a listed CSP in the Trusted List there must be one service entry per single X.509v3 certificate for a CA/QC type certification service, i.e. a Certification Authority (directly) issuing QCs. In some carefully envisaged circumstances and carefully managed conditions, a Member State Supervisory Body/Accreditation Body may decide to use the X.509v3 certificate of a Root or Upper level CA (i.e. a Certification Authority not directly issuing end-entity QCs but certifying a hierarchy of CAs down to CAs issuing QCs to end-entities) as the Sdi of a single entry in the list of services from a listed CSP. The consequences (advantages and disadvantages) of using such X.509v3 Root CA or Upper CA as Sdi values of TL services entries must be carefully considered and endorsed by Member States. Moreover, when using this authorized exception to the default principle, Member State must provide the necessary documentation to facilitate certification path building and verification.

In order to illustrate the general editing guidelines, the following example can be given: In the context of a CSP QC using one Root CA under which several CAs are issuing QCs and non-QCs, but for which the QCs do contain only the QcCompliance statement and no indication of whether it is supported by an SSCD, listing the Root CA Sdi only would mean, under the rules explained above, that any QC issued under this Root CA hierarchy is NOT supported by an SSCD. If those QCs are actually supported by an SSCD, it would be strongly recommended to make use of the QcSSCD statement in the QCs issued in the future. In the meantime (until the last QC not containing this information has expired), the TSL should make use of the Sie field and associated Qualifications extension, e.g. filtering certificates through specific CSP QC defined OID(s) potentially used by the CSP QC to distinguish between different types of QCs (some supported by an SSCD and some not) and including explicit SSCD support information with regards to those filtered certificates through the use of Qualifiers.

The general usage guidelines for electronic signature applications, services or products relying on a TSL implementation of a Trusted List according to the present Technical Specifications are as follows:

A CA/QC Sti entry (similarly a CA/QC entry further qualified as being a RootCA/QC through the use of Sie additionalServiceInformation extension)

  • indicates that from the Sdi identified CA (similarly within the CA hierarchy starting from the Sdi identified RootCA), all issued end-entity certificates are QCs provided that it is claimed as such in the certificate through the use of appropriate QcStatements (i.e. QcC, QcSSCD) and/or ETSI defined QCP(+) OIDs (and this is ensured by Supervisory/Accreditation Body, see above general editing guidelines)

    Note: if no ‘Sie’ ‘Qualification’ information is present or if an end-entity certificate that is claimed to be a QC is not further identified through a related Sie entry, then the machine-processable information to be found in the QC is supervised/accredited to be accurate. That means that the usage (or not) of the appropriate QcStatements (i.e. QcC, QcSSCD) and/or ETSI defined QCP(+) OIDs is ensured to be in accordance with what it is claimed by the CSP QC.

  • and IF ‘Sie’ ‘Qualification’ information is present, then in addition to the above default usage interpretation rule, those certificates that are identified through the use of this ‘Sie’ ‘Qualification’ entry, which is constructed on the principle of a sequence of filters further identifying a set of certificates and providing some additional information regarding SSCD support and/or Legal person as subject (e.g. those certificates containing a specific OID in the Certificate Policy extension, and/or having a specific Key usage pattern, and/or filtered through the use of a specific value to appear in one specific certificate field or extension, etc.), are to be considered according to the following set of qualifiers, compensating for the lack of information in the corresponding QC, i.e.:

  • to indicate the SSCD support:

    • QCWithSSCD qualifier value meaning QC supported by an SSCD, or

    • QCNoSSCD qualifier value meaning QC not supported by an SSCD, or

    • QCSSCDStatusAsInCert qualifier value meaning that the SSCD support information is ensured to be contained in any QC under the Sdi - Sie provided information in this CA/QC entry;

    AND/OR

  • to indicate issuance to Legal Person:

    • QCForLegalPerson qualifier value meaning Certificate issued to a Legal Person.
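
The usage rules above, applied to the Root CA case from the editing guidelines, as an added example that is not part of the Decision or of ETSI TS 102 231. It assumes the certificate's QcStatements, policy OIDs and key usage have already been extracted, models a Sie Qualification as a simplified filter (not the TSL XML schema), uses constructed CSP policy OIDs under the 2.999 example arc, and takes two readings of its own: a matching QCWithSSCD or QCNoSSCD qualifier also establishes QC status, and contradictory SSCD qualifiers are rejected.

```python
from dataclasses import dataclass

# ETSI OIDs: QcStatements (TS 101 862) and certificate policies (TS 101 456).
QC_COMPLIANCE = "0.4.0.1862.1.1"
QC_SSCD = "0.4.0.1862.1.4"
QCP_PLUS = "0.4.0.1456.1.1"   # QCP public + SSCD
QCP = "0.4.0.1456.1.2"        # QCP public
SSCD_QUALIFIERS = {"QCWithSSCD", "QCNoSSCD", "QCSSCDStatusAsInCert"}


@dataclass(frozen=True)
class Cert:
    """Machine-readable claims extracted from an end-entity certificate."""
    qc_statements: frozenset = frozenset()
    policy_oids: frozenset = frozenset()
    key_usage: frozenset = frozenset()


@dataclass(frozen=True)
class Qualification:
    """One Sie tuple (simplified model): filter criteria plus qualifiers."""
    qualifiers: frozenset
    policy_oids: frozenset = frozenset()  # every OID must be in the certificate
    key_usage: frozenset = frozenset()    # every bit must be set in the certificate

    def matches(self, cert):
        # Empty criteria match every certificate issued under the listed Sdi.
        return (self.policy_oids <= cert.policy_oids
                and self.key_usage <= cert.key_usage)


@dataclass(frozen=True)
class Verdict:
    is_qc: bool
    sscd: bool
    legal_person: bool


def interpret(cert, sie=()):
    """Interpret a certificate issued under a listed CA/QC service entry."""
    # Default rule: trust what the certificate itself claims.
    claims_qc = (QC_COMPLIANCE in cert.qc_statements
                 or bool({QCP, QCP_PLUS} & cert.policy_oids))
    claims_sscd = QC_SSCD in cert.qc_statements or QCP_PLUS in cert.policy_oids

    # Collect qualifiers from every Sie tuple whose filter selects this certificate.
    quals = set()
    for q in sie:
        if q.matches(cert):
            quals |= q.qualifiers

    sscd_quals = quals & SSCD_QUALIFIERS
    if len(sscd_quals) > 1:
        # Assumption of this example: contradictory TL data is an error.
        raise ValueError(f"conflicting SSCD qualifiers: {sorted(sscd_quals)}")

    if "QCWithSSCD" in quals:
        is_qc, sscd = True, True      # TL compensates for missing cert data
    elif "QCNoSSCD" in quals:
        is_qc, sscd = True, False
    else:
        # No Sie match, or QCSSCDStatusAsInCert: the certificate content decides.
        # Without a machine-readable SSCD indication, no SSCD support is assumed.
        is_qc, sscd = claims_qc, claims_qc and claims_sscd

    return Verdict(is_qc, sscd, is_qc and "QCForLegalPerson" in quals)


# Constructed sample data: CSP-defined policy OIDs distinguishing two QC types.
CSP_OID_SSCD = "2.999.1.1"
CSP_OID_NO_SSCD = "2.999.1.2"
SIE = (
    Qualification(frozenset({"QCWithSSCD"}), frozenset({CSP_OID_SSCD})),
    Qualification(frozenset({"QCNoSSCD"}), frozenset({CSP_OID_NO_SSCD})),
)


def demo():
    """QC carrying only QcCompliance: Sdi alone vs. Sdi plus Sie Qualification."""
    cert = Cert(frozenset({QC_COMPLIANCE}), frozenset({CSP_OID_SSCD}))
    return interpret(cert), interpret(cert, SIE)


if __name__ == "__main__":
    sdi_only, with_sie = demo()
    print("Sdi only:    ", sdi_only)
    print("Sdi with Sie:", with_sie)
```
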

2.4. Services supporting CA/QC services but not part of the CA/QC Sdi

The cases where the CRLs and OCSP responses are signed by keys other than from a CA issuing QCs (CA/QC) should also be covered. This may be covered by listing those services as such in the TSL implementation of the TL (i.e. with a Service type identifier further qualified by an additionalServiceInformation extension reflecting an OCSP or a CRL service as being part of the provision of QCs, e.g. with a service type of OCSP/QC or CRL/QC respectively) since these services can be considered as part of the supervised/accredited qualified services related to the provision of QC certification services. Of course, OCSP responders or CRL Issuers whose certificates are signed by CAs under the hierarchy of a listed CA/QC service are to be considered as valid and in accordance with the status value of the listed CA/QC service.

A similar provision can apply to certification services issuing non-qualified certificates (of a CA/PKC service type) using the default ETSI TS 102 231 OCSP and CRL service types.

Note that the TSL implementation of the TL MUST include revocation services when related information is not present in the AIA field of end certificates, or when not signed by a CA that is one of the listed CAs.

2.5. Moving towards interoperable QC profile

As a general rule, it must be tried to simplify (reduce) as far as possible the number of entries of services (different Sdi’s). This must be balanced however with the correct identification of those services that are related to the issuing of QCs and the provision of the trusted information on whether or not those QCs are supported by an SSCD when this information is missing from the issued QC.

Ideally the use of the Sie field and Qualification extension should be (strictly) restricted to those specific cases to be solved that way, as QCs should contain enough information with regard to the claimed qualified status and the claimed support or not by an SSCD.

Member States should, as much as possible, enforce the adoption and use of interoperable QC profiles.]

(1) [X1 E.g. a certification service provider established in a Member State that provides a certification service that is initially supervised by the Member State (Supervisory Body), can, after a certain time, decide to pass a voluntary accreditation for the currently supervised certification service. Conversely, a certification service provider in another Member State can decide not to stop an accredited certification service but to move it from an accreditation status to a supervision status, e.g. for business and/or economic reasons.]

(2) [X1 ETSI TS 102 231 — Electronic Signatures and Infrastructures (ESI): Provision of harmonized Trust-service status information]

(3) [X1 Refer to ETSI TS 101 862 — Electronic Signatures and Infrastructures (ESI): Qualified Certificate Profile.]

(4) [X1 ETSI TS 101 456 — Electronic Signature and Infrastructures (ESI); Policy requirements for certification authorities issuing qualified certificates.]

(5) [X1 i.e., and as a minimum, an X.509 v3 certificate of the issuing QCA or of an upper CA in the certification path.]
