Electronic Signatures and Infrastructures (ESI); Policy and security requirements for Trust Service Providers issuing certificates; Part 2: Policy requirements for certification authorities issuing qualified certificates (V1.0.0)
"The present document specifies policy requirements relating to Certification Authorities (CAs) issuing qualified certificates (termed certification service providers issuing qualified certificates in the Directive 1999/93/EC [i.1]). It defines policy requirements on the operation and management practices of certification authorities issuing qualified certificates such that subscribers@ subjects certified by the CA and relying parties may have confidence in the applicability of the certificate in support of electronic signatures. The policy requirements are defined in terms of: a) the specification of two closely related qualified certificate policies for qualified certificates issued to the public@ one requiring the use of a secure-signature-creation device; b) a framework for the definition of other qualified certificate policies enhancing the above policies or for qualified certificates issued to non-public user groups. The specific policy requirements relating to the CA include requirements on the provision of services for registration@ certificate generation@ certificate dissemination@ revocation management@ revocation status and@ if required@ signature-creation device provision. Other certification service provider functions such as time-stamping@ attribute certificates and confidentiality support are outside the scope of the present document. In addition@ the present document does not address requirements for certification authority certificates@ including certificate hierarchies and cross-certification. The policy requirements are limited to requirements for the certification of keys used for electronic signatures. These policy requirements are specifically aimed at qualified certificates issued to the public@ and used in support of qualified electronic signatures (i.e. electronic signatures that are legally equivalent to hand-written signatures in line with article 5.1 of the Directive 1999/93/EC [i.1]). It specifically addresses the requirements for CAs issuing qualified certificates in accordance with annexes I and II of the Directive 1999/93/EC [i.1]. Requirements for the use of securesignature- creation devices as specified in annex III@ which is also a requirement for electronic signatures in line with article 5.1@ is an optional element of the policy requirements specified in the present document. Certificates issued under these policy requirements may be used to authenticate a person who acts on his own behalf or on behalf of the natural person@ legal person or entity he represents. These policy requirements are based around the use of public key cryptography to support electronic signatures. The present document may be used by competent independent bodies as the basis for confirming that a CA meets the requirements for issuing qualified certificates. It is recommended that subscribers and relying parties consult the certification practice statement of the issuing CA to obtain further details of precisely how a given certificate policy is implemented by the particular CA. The present document does not specify how the requirements identified may be assessed by an independent party@ including requirements for information to be made available to such independent assessors@ or requirements on such assessors. NOTE: See TS 119 403 ""Electronic Signatures and Infrastructures (ESI); Trust Service Provider Conformity Assessment - General requirements and guidance"" [i.2]. The present document references EN 319 401 [20] for generic policy requirements common to all classes of TSP service."