Commission Decision of 16 October 2009 setting out measures facilitating the use of procedures by electronic means through the ‘points of single contact’ under Directive 2006/123/EC of the European Parliament and of the Council on services in the internal market (notified under document C(2009) 7806) (Text with EEA relevance) (2009/767/EC)

[X1 [F14. Definitions and abbreviations U.K.

For the purposes of the present document, the following definitions and acronyms apply:

Within the following chapters, the key words ‘ MUST ’ , ‘ MUST NOT ’ , ‘ REQUIRED ’ , ‘ SHALL ’ , ‘ SHALL NOT ’ , ‘ SHOULD ’ , ‘ SHOULD NOT ’ , ‘ RECOMMENDED ’ , ‘ MAY ’ , and ‘ OPTIONAL ’ are to be interpreted as described in RFC 2119 (1) .

CHAPTER I U.K. DETAILED SPECIFICATIONS FOR THE COMMON TEMPLATE FOR THE ‘ TRUSTED LIST OF SUPERVISED/ACCREDITED CERTIFICATION SERVICE PROVIDERS ’

The present specifications are relying on the specifications and requirements stated in ETSI TS 119 612 v1.1.1 (here after referred to as ETSI TS 119 612).

When no specific requirement is stated in the present specifications, requirements from ETSI TS 119 612 clauses 5 and 6 SHALL apply entirely. When specific requirements are stated in the present specifications, they SHALL prevail over the corresponding requirements from ETSI TS 119 612. In case of discrepancies between the present specifications and specifications from ETSI TS 119 612, the present specifications SHALL be the normative ones.

Scheme operator name (clause 5.3.4) U.K.

This field SHALL be present and SHALL comply with the specifications from TS 119 612 clause 5.3.4.

A country MAY have separate Supervisory and Accreditation Bodies and even additional bodies for whatever operational related activities. It is up to each Member State to designate the Scheme operator of the Member State Trusted List. It is expected that the Supervisory Body, the Accreditation Body and the Scheme Operator (when they appear to be separate bodies) will each of them have their own responsibility and liability.

Any situation in which several bodies are responsible for supervision, accreditation or operational aspects SHALL be consistently reflected and identified as such in the Scheme information as part of the Trusted List, including in the scheme-specific information indicated by the ‘ Scheme information URI ’ (clause 5.3.7).

Scheme name (clause 5.3.6) U.K.

This field SHALL be present and SHALL comply with the specifications from TS 119 612 clause 5.3.6 where the following name SHALL be used for the scheme:

Scheme information URI (clause 5.3.7) U.K.

This field SHALL be present and SHALL comply with the specifications from TS 119 612 clause 5.3.7 where the ‘ appropriate information about the scheme ’ SHALL include as a minimum:

• Introductory information common to all Member States with regard to the scope and context of the Trusted List, and the underlying supervision/accreditation scheme(s). The common text to be used is the text below, in which the character string ‘ [ name of the relevant Member State ] ’ SHALL be replaced by the name of the relevant Member State:

  ‘The present list is the ‘ Trusted List of supervised/accredited Certification Service Providers ’ providing information about the supervision/accreditation status of certification services from Certification Service Providers (CSPs) who are supervised/accredited by [ name of the relevant Member State ] for compliance with the relevant provisions of Directive 1999/93/EC of the European Parliament and of the Council of 13 December 1999 on a Community framework for electronic signatures.

  The Trusted List aims at:

  • listing and providing reliable information on the supervision/accreditation status of certification services from Certification Service Providers, who are supervised/accredited by [ name of the relevant Member State ] for compliance with the relevant provisions laid down in Directive 1999/93/EC,

  • allowing for a trusted validation of electronic signatures supported by those listed supervised/accredited certification services from the listed CSPs.

  The Trusted List of a Member State provides, as a minimum, information on supervised/accredited CSPs issuing Qualified Certificates in accordance with the provisions laid down in Directive 1999/93/EC (Article 3(2) and (3) and Article 7(1)(a)), including, when this is not part of the QCs, information on the QC supporting the electronic signature and whether the signature is or not created by a Secure Signature Creation Device.

  The CSPs issuing Qualified Certificates (QCs) listed here are supervised by [ name of the relevant Member State ] and may also be accredited for compliance with the provisions laid down in Directive 1999/93/EC, including compliance with the requirements of Annex I (requirements for QCs), and those of Annex II (requirements for CSPs issuing QCs). The applicable ‘ supervision ’ system (respectively ‘ voluntary accreditation ’ system) is defined and must meet the relevant requirements of Directive 1999/93/EC, in particular those laid down in Article 3(3), Article 8(1), Article 11 (respectively, Article 2(13), Article 3(2), Article 7(1)(a), Article 8(1), Article 11).

  Additional information on other supervised/accredited CSPs not issuing QCs but providing services related to electronic signatures (e.g. CSP providing Time Stamping Services and issuing Time Stamp Tokens, CSP issuing non-Qualified certificates, etc.) are included in the Trusted List at a national level on a voluntary basis.’

• Specific information on the underlying supervision/accreditation scheme(s), in particular (2) :

  • Information on the supervision system applicable to any CSP _QC ,

  • Information, when applicable, on the national voluntary accreditation scheme applicable to any CSP _QC ,

  • Information, when applicable, on the supervision system applicable to any CSP not issuing QCs,

  • Information, when applicable, on the national voluntary accreditation scheme applicable to any CSP not issuing QCs.

  This specific information SHALL include, at least, for each underlying scheme listed above:

  • General description,

  • Information about the process followed by the Supervisory/Accreditation Body to supervise/accredit CSPs and by the CSPs for being supervised/accredited,

  • Information about the criteria against which CSPs are supervised/accredited.

• Specific information, when applicable, on the specific ‘ qualifications ’ some of the physical or binary (logical) objects generated or issued as a result of the provision of a certification service may be entitled to receive on the basis of their compliance with the provisions and requirements laid down at national level including the meaning of such a ‘ qualification ’ and the associated national provisions and requirements.

Additional Member State specific information about the scheme MAY be provided on a voluntary basis such as:

• Information about the criteria and rules used to select supervisors/auditors and defining how CSPs are supervised (controlled)/accredited (audited) by them,

• Other contact and general information that applies to the scheme operation.

Scheme type/community/rules (clause 5.3.9) U.K.

This field SHALL be present and SHALL comply with the specifications from TS 119 612 clause 5.3.9 and SHALL include at least two URIs:

• A URI common to all Member States’ Trusted Lists pointing towards a descriptive text that SHALL be applicable to all Trusted Lists, as follows:

  URI: http://uri.etsi.org/TrstSvc/TrustedList/schemerules/EUcommon

  Descriptive text:

  ‘Participation in a scheme U.K.

  Each Member State must create a ‘ Trusted List of supervised/accredited Certification Service Providers ’ providing information about the supervision/accreditation status of certification services from Certification Service Providers (CSPs) who are supervised/accredited by the relevant Member State for compliance with the relevant provisions of Directive 1999/93/EC of the European Parliament and of the Council of 13 December 1999 on a Community framework for electronic signatures.

  The present implementation of such Trusted Lists is also to be referred to in the list of links (pointers) towards each Member State’s Trusted List, compiled by the European Commission.

  Policy/rules for the assessment of the listed services

  The Trusted List of a Member State must provide, as a minimum, information on supervised/accredited CSPs issuing Qualified Certificates in accordance with the provisions laid down in Directive 1999/93/EC (Article 3(2) and (3) and Article 7(1)(a)), including information on the Qualified Certificate (QC) supporting the electronic signature and whether the signature is or not created by a Secure Signature Creation Device.

  The CSPs issuing Qualified Certificates (QCs) must be supervised by the Member State in which they are established (if they are established in a Member State), and may also be accredited, for compliance with the provisions laid down in Directive 1999/93/EC, including compliance with the requirements of Annex I (requirements for QCs), and those of Annex II (requirements for CSPs issuing QCs). CSPs issuing QCs that are accredited in a Member State must still fall under the appropriate supervision system of that Member State unless they are not established in that Member State. The applicable ‘ supervision ’ system (respectively ‘ voluntary accreditation ’ system) is defined and must meet the relevant requirements of Directive 1999/93/EC, in particular those laid down in Article 3(3), Article 8)(1), Article 11 (respectively, Article 2(13), Article 3(2), Article 7(1)(a), Article 8(1), Article 11).

  Additional information on other supervised/accredited CSPs not issuing QCs but providing services related to electronic signatures (e.g. CSP providing Time Stamping Services and issuing Time Stamp Tokens, CSP issuing non-Qualified certificates, etc.) may be included in the Trusted List at a national level on a voluntary basis.

  CSPs not issuing QCs but providing ancillary services, may fall under a ‘ voluntary accreditation ’ system (as defined in and in compliance with Directive 1999/93/EC) and/or under a nationally defined ‘ recognised approval scheme ’ implemented on a national basis for the supervision of compliance with the provisions laid down in Directive 1999/93/EC and possibly with national provisions with regard to the provision of certification services (in the sense of Article 2(11) of Directive 1999/93/EC). Some of the physical or binary (logical) objects generated or issued as a result of the provision of a certification service may be entitled to receive a specific ‘ qualification ’ on the basis of their compliance with the provisions and requirements laid down at national level but the meaning of such a ‘ qualification ’ is likely to be limited solely to the national level.

  Interpretation of the Trusted List

  The general user guidelines for electronic signature applications, services or products relying on a Trusted List according to the Annex of Commission Decision [reference to the present Decision] are as follows:

  A ‘ CA/QC ’ ‘ Service type identifier ’ ( ‘ Sti ’ ) entry (similarly a CA/QC entry further qualified as being a ‘ RootCA/QC ’ through the use of ‘ Service information extension ’ ( ‘ Sie ’ ) additionalServiceInformation Extension)

  • indicates that from the ‘ Service digital identifier ’ ( ‘ Sdi ’ ) identified CA (similarly within the CA hierarchy starting from the ‘ Sdi ’ identified RootCA) from the corresponding CSP (see associated TSP information fields), all issued end-entity certificates are Qualified Certificates (QCs) provided that it is claimed as such in the certificate through the use of appropriate EN 319 412-5 defined QcStatements (i.e. QcCompliance, QcSSCD, etc.) and/or EN 319 411-2 defined QCP(+) OIDs (and this is guaranteed by the issuing CSP and ensured by the Member State Supervisory/Accreditation Body)

    Note : if no ‘ Sie ’‘ Qualifications Extension ’ information is present or if an end-entity certificate that is claimed to be a QC is not further identified through a related ‘ Sie ’‘ Qualifications Extension ’ information, then the ‘ machine-processable ’ information to be found in the QC is supervised/accredited to be accurate. That means that the usage (or not) of the appropriate ETSI defined QcStatements (i.e. QcCompliance, QcSSCD, etc.) and/or ETSI defined QCP(+) OIDs is ensured to be in accordance with what it is claimed by the CSP issuing QCs.

  • and IF ‘ Sie ’‘ Qualifications Extension ’ information is present, then in addition to the above default usage interpretation rule, those certificates that are identified through the use of this ‘ Sie ’‘ Qualifications Extension ’ information, which is constructed on the principle of a sequence of filters further identifying a set of certificates, must be considered according to the associated qualifiers providing some additional information regarding the qualified status, the ‘ SSCD support ’ and/or ‘ Legal person as subject ’ (e.g. those certificates containing a specific OID in the Certificate Policy extension, and/or having a specific ‘ Key usage ’ pattern, and/or filtered through the use of a specific value to appear in one specific certificate field or extension, etc.). Those qualifiers are part of the following set of ‘ Qualifiers ’ used to compensate for the lack of information in the corresponding QC content, and that are used respectively:

    • to indicate the qualified status: ‘ QCStatement ’ meaning the identified certificate(s) is(are) qualified,

      AND/OR

    • to indicate the nature of the SSCD support:

      • ‘ QCWithSSCD ’ qualifier value meaning ‘ QC supported by an SSCD ’ , or

      • ‘ QCNoSSCD ’ qualifier value meaning ‘ QC not supported by an SSCD ’ , or

      • ‘ QCSSCDStatusAsInCert ’ qualifier value meaning that the SSCD support information is ensured to be contained in any QC under the ‘ Sdi ’ - ‘ Sie ’ provided information in this CA/QC entry,

      AND/OR

    • to indicate issuance to Legal Person:

      • ‘ QCForLegalPerson ’ qualifier value meaning ‘ Certificate issued to a Legal Person ’ .

    The general interpretation rule for any other ‘ Sti ’ type entry is that the listed service named according to the ‘ Sn ’ field value and uniquely identified by the ‘ Sdi ’ field value has a current supervision/accreditation status according to the ‘ Scs ’ field value as from the date indicated in the ‘ Current status starting date and time ’ . Specific interpretation rules for any additional information with regard to a listed service (e.g. ‘ Service information extensions ’ field) may be found, when applicable, in the Member State specific URI as part of the present ‘ Scheme type/community/rules ’ field.

    Please refer to the Technical specifications for a Common Template for the ‘ Trusted List of supervised/accredited Certification Service Providers ’ in the Annex of Commission Decision 2009/767/EC for further details on the fields, description and meaning for the Member States’ Trusted Lists.’

• A URI specific to each Member State’s Trusted List pointing towards a descriptive text that SHALL be applicable to this Member State TL:

  http://uri.etsi.org/TrstSvc/TrustedList/schemerules/CC where CC = the ISO 3166-1 (3) alpha-2 Country Code used in the ‘ Scheme territory ’ field (clause 5.3.10)

  • Where users can obtain the referenced Member State’s specific policy/rules against which services included in the list SHALL be assessed in compliance with the Member State’s appropriate supervision system and voluntary accreditation schemes.

  • Where users can obtain a referenced Member State’s specific description about how to use and interpret the content of the Trusted List with regard to the certification services not related to the issuing of QCs. This may be used to indicate a potential granularity in the national supervision/accreditation systems related to CSPs not issuing QCs and how the ‘ Scheme service definition URI ’ (clause 5.5.6) and the ‘ Service information extension ’ field (clause 5.5.9) are used for this purpose.

Member States MAY define and use additional URIs from the above Member State specific URI (i.e. URIs defined from this hierarchical specific URI).

TSL policy/legal notice (clause 5.3.11) U.K.

This field SHALL be present and SHALL comply with the specifications from TS 119 612 clause 5.3.11 where the policy/legal notice concerning the legal status of the scheme or legal requirements met by the scheme under the jurisdiction in which it is established and/or any constraints and conditions under which the trusted list is maintained and published SHALL be a multilingual character string (plain text) made of two parts:

CHAPTER II U.K. CONTINUITY OF TRUSTED LISTS

Certificates to be notified to the Commission under Article 3(c) of the present Decision SHALL be issued in such a way that they:

• have as a minimum three months between their validity dates,

• are created on new key pairs as no previously used key pair are to be re-certified.

In case of a compromise or decommissioning of ONE of the private keys corresponding to the public key that could be used to validate the trusted list’s signature and that has been notified to the Commission and is published in the Commission’s central lists of pointers, Member States SHALL:

• re-issue, without any delay, a new trusted list signed with a non-compromised private key in case the published trusted list was signed with a compromised or decommissioned private key,

• promptly notify to the Commission the new list of public key certificates corresponding to the private keys that could be used to sign the trusted list.

In case of compromise or decommissioning of ALL the private keys corresponding to the public keys that could be used to validate the trusted list’s signature and that have been notified to the Commission and are published in the Commission’s central lists of pointers, Member States SHALL:

• generate new key pairs that could be used to sign the trusted list and their corresponding public key certificates,

• re-issue, without any delay, a new trusted list signed with one of those new private keys and whose corresponding public key certificate is to be notified,

• promptly notify to the Commission the new list of public key certificates corresponding to the private keys that could be used to sign the trusted list.

CHAPTER III U.K. SPECIFICATIONS FOR THE HUMAN READABLE FORM OF THE TRUSTED LIST

If a human readable form of the trusted list is established and published, it SHOULD be provided in the form of a Portable Document Format (PDF) document according to ISO 32000 (4) that MUST be formatted according to the profile PDF/A (ISO 19005 (5) ).

The content of the PDF/A based human readable form of the trusted list SHOULD comply with the following requirements:

• The structure of the HR form SHOULD reflect the logical model described in TS 119 612,

• Every present field SHOULD be displayed and provide:

  • The title of the field (e.g. ‘ Service type identifier ’ ),

  • The value of the field (e.g. ‘ CA/QC ’ ),

  • The meaning (description) of the value of the field, when applicable (e.g. ‘ A Certification authority issuing public key certificates. ’ ),

  • Multiple natural languages versions as provided in the Trusted List, when applicable.

• The following fields and corresponding values of the digital certificates present in the ‘ Service digital identity ’ field SHOULD, as a minimum, be displayed in the HR form:

  • Version

  • Serial number

  • Signature algorithm

  • Issuer

  • Valid from

  • Valid to

  • Subject

  • Public key

  • Certificate Policies

  • Subject Key Identifier

  • CRL Distribution Points

  • Authority Key Identifier

  • Key Usage

  • Basic constraints

  • Thumbprint algorithm

  • Thumbprint

• The HR form SHOULD be easily printable

• The HR form MUST be signed by the Scheme Operator according to PAdES Signatures baseline profile (6) .] ]