CEN/TC 224
| Project No. | LVS CEN/TS 419261:2015 |
|---|---|
| Title | 1.1 General This Technical Specification establishes security requirements for TWSs that can be used by a TSP in order to issue QCs and Non-Qualified Certificates (NQCs) in accordance with Dir.1999/93/EC. Recommendations for the cryptographic algorithms to be supported by TWSs are provided in ETSI/TS 102 176-1. Security requirements for the Subject Device Provision Service, which includes SCDev/SSCD provision to subjects, are defined in this TS. However, requirements specific to SCDev/SSCD devices, as used by subjects of the TSP, are outside the scope of this TS. These requirements are defined as Common Criteria [CC] Protection Profiles (PP) in the EN 419211 series. Although this TS is based on the use of public key cryptography, it does not require or define any particular communication protocol or format for electronic signatures, certificates, certificate revocation lists, certificate status information and time-stamp tokens. It only assumes certain types of information to be present in the certificates in accordance with Annex I of Dir.1999/93/EC. Interoperability between TSP systems and subject systems is outside the scope of this document. The use of TWSs that are already compliant to relevant security requirements of this TS should support TSPs in reducing their burden to establish conformance of their policy to ETSI EN 319 411-2, ETSI EN 319 411-3, ETSI/TS 102 042, ETSI/TS 102 023 and in meeting the Annex I and Annex II requirements of Dir.1999/93/EC. 1.2 European Directive-specific The main focus of this document is on the requirements in Dir.1999/93/EC, Annex II (f), but in considering this it is important to additionally take into account the following [Dir.1999/93/EC] requirements: a) Annex II (a) - "demonstrate the reliability necessary for providing certification services"; b) Annex II (b) - "ensure the operation of a prompt and secure directory and a secure and immediate revocation service"; c) Annex II (c) - "ensure that the date and time when a certificate is issued or revoked can be determined precisely"; d) Annex II (g) -"take measures against forgery of certificates, and, in cases where the certification-service-provider generates signature-creation data, guarantee confidentiality during the process of generating such data"; e) Annex II (i) - "record all relevant information concerning a qualified certificate for an appropriate period of time, in particular for the purpose of providing evidence of certification for the purposes of legal proceedings. Such recording may be done electronically"; f) Annex II (j) - "not store or copy signature-creation data of the person to whom the certification-service-provider provided key management services"; g) Annex II (l) - "use trustworthy systems to store certificates in a verifiable form so that: 1) only authorized persons can make entries and changes, 2) information can be checked for authenticity, 3) certificates are publicly available for retrieval in only those cases for which the subject's consent has been obtained, and 4) any technical changes compromising these security requirements are apparent to the operator"; h) Annex I - requirements on the data in a qualified certificate. |
| Registration number (WIID) | 41395 |
| Scope | 1.1 General This Technical Specification establishes security requirements for TWSs that can be used by a TSP in order to issue QCs and Non-Qualified Certificates (NQCs) in accordance with Dir.1999/93/EC. Recommendations for the cryptographic algorithms to be supported by TWSs are provided in ETSI/TS 102 176-1. Security requirements for the Subject Device Provision Service, which includes SCDev/SSCD provision to subjects, are defined in this TS. However, requirements specific to SCDev/SSCD devices, as used by subjects of the TSP, are outside the scope of this TS. These requirements are defined as Common Criteria [CC] Protection Profiles (PP) in the EN 419211 series. Although this TS is based on the use of public key cryptography, it does not require or define any particular communication protocol or format for electronic signatures, certificates, certificate revocation lists, certificate status information and time-stamp tokens. It only assumes certain types of information to be present in the certificates in accordance with Annex I of Dir.1999/93/EC. Interoperability between TSP systems and subject systems is outside the scope of this document. The use of TWSs that are already compliant to relevant security requirements of this TS should support TSPs in reducing their burden to establish conformance of their policy to ETSI EN 319 411-2, ETSI EN 319 411-3, ETSI/TS 102 042, ETSI/TS 102 023 and in meeting the Annex I and Annex II requirements of Dir.1999/93/EC. 1.2 European Directive-specific The main focus of this document is on the requirements in Dir.1999/93/EC, Annex II (f), but in considering this it is important to additionally take into account the following [Dir.1999/93/EC] requirements: a) Annex II (a) - "demonstrate the reliability necessary for providing certification services"; b) Annex II (b) - "ensure the operation of a prompt and secure directory and a secure and immediate revocation service"; c) Annex II (c) - "ensure that the date and time when a certificate is issued or revoked can be determined precisely"; d) Annex II (g) -"take measures against forgery of certificates, and, in cases where the certification-service-provider generates signature-creation data, guarantee confidentiality during the process of generating such data"; e) Annex II (i) - "record all relevant information concerning a qualified certificate for an appropriate period of time, in particular for the purpose of providing evidence of certification for the purposes of legal proceedings. Such recording may be done electronically"; f) Annex II (j) - "not store or copy signature-creation data of the person to whom the certification-service-provider provided key management services"; g) Annex II (l) - "use trustworthy systems to store certificates in a verifiable form so that: 1) only authorized persons can make entries and changes, 2) information can be checked for authenticity, 3) certificates are publicly available for retrieval in only those cases for which the subject's consent has been obtained, and 4) any technical changes compromising these security requirements are apparent to the operator"; h) Annex I - requirements on the data in a qualified certificate. |
| Status | Standarts spēkā |
| ICS group | 35.240.30 35.040 03.120.20 35.030 |