EN 319 411-3-2012

Electronic Signatures and Infrastructures (ESI); Policy and security requirements for Trust Service Providers issuing certificates; Part 3: Policy Requirements for Certification Authorities issuing public key certificates (V1.0.0)


 

 


 

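Standard number
EN 319 411-3-2012
Publication date
2012-04-01
Implementation date
2012-04-11
Withdrawal date
Chinese Standard Classification number
/
International Classification for Standards number
/
Issuing body
ETSI - European Telecommunications Standards Institute
Referenced standards
44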
Scope
The present document specifies policy requirements relating to Certification Authorities (CAs) issuing public key certificates, including Extended Validation Certificates (EVCs). It defines policy requirements on the operation and management practices of certification authorities issuing and managing certificates such that subscribers, subjects certified by the CA and relying parties may have confidence in the applicability of the certificate in support of cryptographic mechanisms.

The policy requirements are defined in terms of five reference certificate policies and a framework from which CAs can produce a certificate policy targeted at a particular service.

The first reference policy defines a set of requirements for CAs providing a level of quality the same as that offered by qualified certificates, without being tied to the Electronic Signature Directive (1999/93/EC [i.1]) and without requiring use of a secure user (cryptographic) device. This is labelled the "Normalized" Certificate Policy (NCP). It is anticipated that the NCP may be used as the basis for realizing the quality level set by the Qualified Certificate Policy (as defined in EN 319 411-2 [13]) but without the legal constraints of the Electronic Signature Directive (1999/93/EC [i.1]).

In addition to the NCP quality level, the present document specifies four alternative variants of NCP, the requirements of which may be used where alternative levels of service can be justified through risk analysis. The alternatives are referred to as:

- the Lightweight Certificate Policy (LCP) for use where a risk assessment does not justify the additional costs of meeting the more onerous requirements of the NCP (e.g. physical presence);
- the extended Normalized Certificate Policy (NCP+) for use where a secure user device is considered necessary;
- the Extended Validation Certificates Policy (EVCP) for use where provisions, additional to those indicated in NCP, are required to issue EVCs, consistently with what is specified in the EV Certificates Guidelines [14] issued by the CAB Forum;
- the enhanced Extended Validation Certificates Policy (EVCP+) for use where, in addition to the requirements to issue EVCs, a secure user device is considered necessary.

EVCP and EVCP+ are based on NCP and NCP+ respectively, therefore, except where explicitly specified, all the relevant NCP and NCP+ requirements apply in addition to those specifically required for EVC.

Certificates issued under these policies requirements may be used in support of any asymmetric mechanisms requiring certification of public keys including electronic and digital signatures, encryption, key exchange and key agreement mechanisms.

The present document may be used by competent independent bodies as the basis for confirming that a CA provides a reliable service in line with recognized practices. As far as it regards EVC it can be used by:

- Auditors, operating in a European framework for evaluation of Certification Authorities, to evaluate whether these Certification Authorities meet the requirements for issuing EV Certificates as Specified in the CAB Forum EV Certificate Guidelines [14];
- Certification Authorities, operating under the previous versions of this Technical Specification, that intend to adapt their policies and practices to issuing EV Certificates;
- Certification Authorities planning to issue EV Certificates within a context that fits European standard practices for CAs.

Applications of EV Certificates include SSL web server certificates and certificates for code signing.

It is recommended that subscribers and relying parties consult the certificate policy and certification practice statement of the issuing CA to obtain details of the requirements addressed by its certificate policy and how the certificate policy is implemented by the particular CA.

The policy requirements relating to the CA include requirements on the provision of services for registration, certificate generation, certificate dissemination, revocation management, revocation status and if required, secure subject device provision. Support for other trusted third party functions such as time-stamping and attribute certificates are outside the scope of the present document. In addition, the present document does not address requirements for Certification Authority certificates, including certificate hierarchies and cross-certification, except where explicitly specified in the cases of EVCP and/or EVCP+.

Consistently with EVCG [14], within the clauses of the present document related to issuing EVCs the keyword "SHOULD" has the meaning specified in RFC 2119 [16] that indicates that there may exist valid reasons in particular circumstances to ignore a particular item, but the full implications need to be understood and carefully weighed before choosing a different course.

The present document does not specify how the requirements identified may be assessed by an independent party, including requirements for information to be made available to such independent assessors, or requirements on such assessors.

NOTE 1: See TS 119 403 [i.2] for guidance on assessment of CA processes and services against the present document.

The present document references EN 319 401 [18] for policy general requirements common to all classes of CSP service.

NOTE 2: See TR 101 564 [i.4] for guidance on the use of the present document to the CA Browser Forum Guidelines for Extended Validation [14].
