ETSI TR 102 458-2006 Electronic Signatures and Infrastructures (ESI) Mapping Comparison Matrix between the US Federal Bridge CA Certificate Policy and the European Qualified Certif_1.pdf

1、 ETSI TR 102 458 V1.1.1 (2006-04)Technical Report Electronic Signatures and Infrastructures (ESI); Mapping Comparison Matrix between the US Federal Bridge CA Certificate Policy and the European Qualified Certificate Policy (TS 101 456) ETSI ETSI TR 102 458 V1.1.1 (2006-04) 2 Reference DTR/ESI-000033

2、 Keywords authentication, e-commerce, electronic signature, security ETSI 650 Route des Lucioles F-06921 Sophia Antipolis Cedex - FRANCE Tel.: +33 4 92 94 42 00 Fax: +33 4 93 65 47 16 Siret N 348 623 562 00017 - NAF 742 C Association but non lucratif enregistre la Sous-Prfecture de Grasse (06) N 780

3、3/88 Important notice Individual copies of the present document can be downloaded from: http:/www.etsi.org The present document may be made available in more than one electronic version or in print. In any case of existing or perceived difference in contents between such versions, the reference vers

4、ion is the Portable Document Format (PDF). In case of dispute, the reference shall be the printing on ETSI printers of the PDF version kept on a specific network drive within ETSI Secretariat. Users of the present document should be aware that the document may be subject to revision or change of sta

5、tus. Information on the current status of this and other ETSI documents is available at http:/portal.etsi.org/tb/status/status.asp If you find errors in the present document, please send your comment to one of the following services: http:/portal.etsi.org/chaircor/ETSI_support.asp Copyright Notifica

6、tion No part may be reproduced except as authorized by written permission. The copyright and the foregoing restriction extend to reproduction in all media. European Telecommunications Standards Institute 2006. All rights reserved. DECTTM, PLUGTESTSTM and UMTSTM are Trade Marks of ETSI registered for

7、 the benefit of its Members. TIPHONTMand the TIPHON logo are Trade Marks currently being registered by ETSI for the benefit of its Members. 3GPPTM is a Trade Mark of ETSI registered for the benefit of its Members and of the 3GPP Organizational Partners. ETSI ETSI TR 102 458 V1.1.1 (2006-04) 3 Conten

8、ts Intellectual Property Rights4 Foreword.4 Introduction 4 1 Scope 5 2 References 5 3 Definitions and abbreviations.6 3.1 Definitions6 3.2 Abbreviations .6 4 PKI SUMMARIES.7 4.1 QCP 7 4.2 FBCA CP7 5 Mapping the FBCA CP to the QCP7 5.1 Rating .7 5.2 Summary Assessment.8 5.2.1 Overview 8 5.2.2 Points

9、of Note .10 5.3 Detailed Assessment.10 Annex A: Memo from chair, U.S. Federal PKI Policy Authority56 History 57 ETSI ETSI TR 102 458 V1.1.1 (2006-04) 4 Intellectual Property Rights IPRs essential or potentially essential to the present document may have been declared to ETSI. The information pertain

10、ing to these essential IPRs, if any, is publicly available for ETSI members and non-members, and can be found in ETSI SR 000 314: “Intellectual Property Rights (IPRs); Essential, or potentially Essential, IPRs notified to ETSI in respect of ETSI standards“, which is available from the ETSI Secretari

11、at. Latest updates are available on the ETSI Web server (http:/webapp.etsi.org/IPR/home.asp). Pursuant to the ETSI IPR Policy, no investigation, including IPR searches, has been carried out by ETSI. No guarantee can be given as to the existence of other IPRs not referenced in ETSI SR 000 314 (or the

12、 updates on the ETSI Web server) which are, or may be, or may become, essential to the present document. Foreword This Technical Report (TR) has been produced by ETSI Technical Committee Electronic Signatures and Infrastructures (ESI). Introduction In Europe ETSI has specified a framework certificat

13、e policy for Certification Authorities issuing “Qualified Certificates“ 1, commonly referred to as the Qualified Certificate Policy (QCP), which fulfils the requirements of the European Directive on Electronic Signatures 1999/93/EC 1. This provides a unifying framework for Certification Authorities

14、operating in Europe. In the United States of America the Federal Bridge Certification Authority (FBCA) has been established as the unifying element to link autonomous Certification Authorities (CAs) into a systematic overall Public Key Infrastructure (PKI). A Certificate Policy has been published fo

15、r the FBCA specifying requirements for CAs interoperating with the Federal Bridge CA. The FBCA, with the support of ETSI TC ESI, finalized in early year 2004 a map from the requirements specified in the QCP (TS 101 456 2 V1.2.1) to the FBCA Certificate Policy (version 1). The result of this effort w

16、as that the Federal Bridge Certification Authority assessed the requirements in TS 101 456 QCP public as “COMPARABLE“ to those required to achieve the above mentioned Medium level of assurance. This will greatly facilitate Certification Authorities, conformant with the QCP, that intend to collaborat

17、e with CAs abiding by the above FBCA CP with medium level of assurance, to achieve recognition of conformity by FBCA. Since this work was completed new versions of the FBCA Certificate Policy and the ETSI QCP have been issued. In order to facilitate achieving the opposite recognition, that a CA conf

18、ormant with the FBCA Certificate Policy requirement is also conformant with the Qualified Certificate Policy, ETSI implemented the opposite mapping that is presented in the present document. The present document is based on the latest releases of the FBCA Certificate Policy and the ETSI Qualified Ce

19、rtificate Policy. The existing QCP to FBCA Certificate Policy mapping document is also being updated by the FBCA using the latest releases of the two policy documents. ETSI ETSI TR 102 458 V1.1.1 (2006-04) 5 1 Scope The present document compares the United States“ The Federal Bridge Certification Au

20、thority (FBCA) Certificate Policy 3, and the European Qualified Certificate Policy (QCP) as specified in TS 101 456 2 in order to identify to what extent which stipulations FBCA CP match those of QCP. This comparison concentrates on requirements at the medium level of assurance as identified in the

21、FBCA Certificate Policy 3 including the option for “medium hardware“ (equivalent to SSCD) and “medium - Commercial Best Practices“. The present document gives the current results of the comparison following discussions with FPKI experts up to November 2005. Further consideration on some areas is sti

22、ll ongoing and this mapping is subject to further revision. The present document is an opposite of the earlier mapping specified by the US Federal PKI mapping from the QCP into the requirements of the FBCA CP. The purpose of the present document is to facilitate a CA abiding by the QCP to ascertain

23、if QCP requirements, to which it complies, are met by another CA abiding by FBCA CP and therefore to assess if a cross certification can be enacted. It is to be kept in mind that this second CA has to be assessed as compliant by the Federal Bridge Certification Authority. The present document is str

24、uctured as follows: 1) BRIEF ASSESSMENT, which provides for each clause of the QCP a one-word assessment of the similarity of the applicable FBCA CP sections, using a set of well-defined evaluation terms, and identifies any points that should specially noted when applying this map to specific CA pol

25、icies; 2) DETAILED ASSESSMENT, which details the BRIEF ASSESSMENT by breaking down all the relevant requirements in the QCP, grouped by clause, and by listing for each QCP clause the relevant FBCA CP sections and requirements that match to some degree to the corresponding QCP requirements clause; th

26、e same one-word assessment used in the BRIEF ASSESSMENT is complemented, where necessary, with explanatory comments. As a result of this comparison, requirements are identified in the FBCA CP that are of particular note and should be especially considered when applying this map to specific CA polici

27、es. 2 References For the purposes of this Technical Report (TR) the following references apply: 1 Directive 1999/93/EC of the European Parliament and of the Council of 13 December 1999 on a Community framework for electronic signatures. 2 ETSI TS 101 456: “Electronic Signatures and Infrastructures (

28、ESI); Policy requirements for certification authorities issuing qualified certificates“. 3 X.509 Certificate Policy For The Federal Bridge Certification Authority (FBCA CP) - Version 2, September 13, 2005. NOTE: This version of the FBCA Certificate Policy replaces earlier version 1 dated September 1

29、0, 2002. 4 ETSI Federal PKI CPWG Mapping Comparison Matrix Between the Federal Bridge Certification Authority (v1) and the European Qualified Certificate Policy (QCP) ETSI TS 101 456 V1.2.1 For Medium Assurance Level Cross Certification. NOTE: This document is in the process of being revised to use

30、the current versions of the FBCA Certificate Policy and the QCP.j. 5 Template for use by the U.S. Federal PKI Policy Authority for Cross-Certifying with U.S. Federal Agencies and other U.S. Federal Entities, with U.S. State and Local Governments and U.S. Private Sector Entities, and with Governments

31、 of other Nations - Memorandum of Agreement. 6 US Government Public Key Infrastructure - Cross Certification Criteria and Methodology Version 1.2 June 2005. ETSI ETSI TR 102 458 V1.1.1 (2006-04) 6 7 ITU-T Recommendation X.509: “Information technology - Open Systems Interconnection - The Directory: P

32、ublic-key and attribute certificate frameworks“. 8 IETF RFC 3647: “Internet X.509 Public Key Infrastructure Certificate Policy and Certification Practices Framework“. 3 Definitions and abbreviations 3.1 Definitions For the purposes of the present document, the following terms and definitions apply:

33、certificate policy (CP): named set of rules that indicates the applicability of a certificate to a particular community and/or class of application with common security requirements (see ITU-T Recommendation X.509 7) Entity CA: CA that acts on behalf of an Entity, and is under the operational contro

34、l of an Entity (FBCA CP) qualified certificate: certificate which meets the requirements laid down in annex I (of the Directive 1) and is provided by a certification-service-provider who fulfils the requirements laid down in annex II (of the Directive 1) Qualified Certificate Policy: QCP public + SS

35、CD: a certificate policy for qualified certificates issued to the public, requiring use of secure signature-creation devices, as defined in TS 101 456 2 subject: entity identified in a certificate as the holder of the private key associated with the public key given in the certificate Subscriber: (1

36、) - the entity whose name appears as the subject in a certificate, who asserts that it uses its key and certificate in accordance with the certificate policy asserted in the certificate, and who does not itself issue certificates. (FBCA CP 3) Subscriber: (2) - entity subscribing with a Certification

37、 Authority on behalf of one or more subjects (TS 101 456 2 Policy requirements for certification authorities issuing qualified certificates) NOTE 1: The subject may be a subscriber acting on its own behalf. NOTE 2: QCP and FBCA CP assign different meanings to “subscriber“. The FBCA CP “subscriber“ i

38、s not clearly differentiated from the term “subject“ whereas the QCP clearly distinguishes the two concepts. The Directive: Directive 1999/93/EC 1 of the European Parliament and of the Council of 13 December 1999 on a Community framework for electronic signatures 3.2 Abbreviations For the purposes o

39、f the present document, the following abbreviations apply: CA Certification Authority CP Certificate Policy FBCA Federal Bridge Certification Authority IETF Internet Engineering Task Force MoA Memorandum of Agreement OID Object IDentifier PKI Public Key Infrastructure QCP Qualified Certificate Polic

40、y ETSI ETSI TR 102 458 V1.1.1 (2006-04) 7 4 PKI SUMMARIES 4.1 QCP The QCP is a certificate policy framework for Qualified Certificates issued to the public in compliance with the requirements laid down in annexes I and II of the European Directive on Electronic Signatures 1999/93/EC 1. Qualified cer

41、tificates issued under this policy may be used to support electronic signatures which “satisfy the requirements of a signature in relation to data in electronic form in the same manner as a hand-written signature satisfies those requirements in relation to paper based data“, as specified in article

42、5.1 of the Electronic Signatures Directive. It should be noted that the adoption of this policy is not mandatory and that alternative policies could be prepared so as to be conformant with the referenced Directive 1, although a considerably greater investment of time and resource would be required t

43、o do so. It is also worth noting that several Directive compliant CAs have already adopted QCP as of the moment of publication of the present document. 4.2 FBCA CP Quoted from 3: “This Certificate Policy (CP) defines seven certificate policies for use by the Federal Bridge Certification Authority (F

44、BCA) to facilitate interoperability between the FBCA and other Entity PKI domains. The policies represent five different assurance levels (Rudimentary, Basic, Medium, Medium Hardware, and High) for public key certificates. The level of assurance refers to the strength of the binding between the publ

45、ic key and the individual whose subject name is cited in the certificate, the mechanisms used to control the use of the private key, and the security provided by the PKI itself. The FBCA enables interoperability among Entity PKI domains in a peer-to-peer fashion. The FBCA issues certificates only to

46、 those CAs designated by the Entity operating that PKI (called “Principal CAs“). The FBCA may also issue certificates to individuals who operate the FBCA. The FBCA certificates issued to Principal CAs act as a conduit of trust. Any use of or reference to this FBCA CP outside the purview of the Feder

47、al PKI Policy Authority is completely at the using partys risk. An Entity shall not assert the FBCA CP OIDs in any certificates the Entity CA issues, except in the policyMappings extension establishing an equivalency between an FBCA OID and an OID in the Entity CAs CP. This FBCA CP is consistent wit

48、h the Internet Engineering Task Force (IETF) Public Key Infrastructure X.509 (IETF PKIX) RFC 3647 8, Certificate Policy and Certification Practices Framework. The terms and provisions of this FBCA CP shall be interpreted under and governed by applicable Federal law.“ 5 Mapping the FBCA CP to the QCP

49、 The mapping detailed in the following clause is built by associating to the requirements of FBCA CP to those of the QCP, as stipulated in its clauses 5, 6 and 7. 5.1 Rating For an easier comparison the present document adopts the same seven comparative evaluation terms and definitions that were used in the opposite mapping produced by the FBCA 4. These are: a) Exceeds: The FBCA CP provides a higher level of assurance/security than the QCP requirement. b) Equivalent: The FBCA CP provides exactly the same assurance/security as