Electronic Signatures and Infrastructures (ESI); Policy and security requirements for trust service providers; Part 1: TSP service components operating a remote QSCD / SCDev (V1.1.1)
The present document specifies generally applicable policy and security requirements for Trust Service Providers (TSP) implementing a service component operating a remote signature creation device (SCDev). Specific requirements apply when the device is a QSCD as defined in Regulation (EU) No 910/2014 [i.1]. The service component consists of a signing application and a QSCD / SCDev. The term used in the present document is server signing application service component (SSASC). The policy and security requirements are defined in terms of requirements for creation@ maintenance@ life-cycle management and use of signing keys used to create digital signatures. The present document gives no restrictions on the type of TSP implementing such a component. The present document is aimed to be used by independent bodies as the basis for a conformity assessment that a TSP can be trusted for operating a remote QSCD / SCDev. The present document supports European and other regulatory frameworks. NOTE 1: Specifically@ but not exclusively@ the present document is aimed at qualified and non-qualified trust service providers@ providing the creation of digital signatures supporting electronic signatures and electronic seals (both advanced and qualified) in accordance with the requirements of Regulation (EU) No 910/2014 [i.1]. Annex A contains requirements that are specific for an SSASC in the context of Regulation (EU) No 910/2014 [i.1]. The present document does neither specify how fulfilment of the requirements can be assessed by an independent conformity assessment body@ nor requirements for information to be made available to such independent assessors@ or requirements on such assessors. NOTE 2: See ETSI EN 319 403 [i.3] for guidance on assessment of a TSP's processes and services. NOTE 3: The present document references ETSI EN 319 401 [1] for general policy requirements common to all TSP services covered by ETSI standards. The present document does not specify protocols used to access the SSASC. NOTE 4: Protocols for remote digital signature creation are defined in ETSI TS 119 432 [i.4]. The present document identifies specific controls needed to address risks associated with services operating remote QSCD / SCDev.