1、 ETSI TR 101 564 V1.1.1 (2011-09) Electronic Signatures and Infrastructures (ESI); Guidance on ETSI TS 102 042 for Issuing Extended Validation Certificates for Auditors and CSPs Technical Report ETSI ETSI TR 101 564 V1.1.1 (2011-09) 2Reference DTR/ESI-000107 Keywords e-commerce, extended validation
2、certificates, public key, security ETSI 650 Route des Lucioles F-06921 Sophia Antipolis Cedex - FRANCE Tel.: +33 4 92 94 42 00 Fax: +33 4 93 65 47 16 Siret N 348 623 562 00017 - NAF 742 C Association but non lucratif enregistre la Sous-Prfecture de Grasse (06) N 7803/88 Important notice Individual c
3、opies of the present document can be downloaded from: http:/www.etsi.org The present document may be made available in more than one electronic version or in print. In any case of existing or perceived difference in contents between such versions, the reference version is the Portable Document Forma
4、t (PDF). In case of dispute, the reference shall be the printing on ETSI printers of the PDF version kept on a specific network drive within ETSI Secretariat. Users of the present document should be aware that the document may be subject to revision or change of status. Information on the current st
5、atus of this and other ETSI documents is available at http:/portal.etsi.org/tb/status/status.asp If you find errors in the present document, please send your comment to one of the following services: http:/portal.etsi.org/chaircor/ETSI_support.asp Copyright Notification No part may be reproduced exc
6、ept as authorized by written permission. The copyright and the foregoing restriction extend to reproduction in all media. European Telecommunications Standards Institute 2011. All rights reserved. DECTTM, PLUGTESTSTM, UMTSTMand the ETSI logo are Trade Marks of ETSI registered for the benefit of its
7、Members. 3GPPTM and LTE are Trade Marks of ETSI registered for the benefit of its Members and of the 3GPP Organizational Partners. GSM and the GSM logo are Trade Marks registered and owned by the GSM Association. ETSI ETSI TR 101 564 V1.1.1 (2011-09) 3Contents Intellectual Property Rights 5g3Forewor
8、d . 5g3Introduction 5g31 Scope 6g32 References 6g32.1 Normative references . 6g32.2 Informative references 6g33 Definitions and abbreviations . 7g33.1 Definitions 7g33.2 Abbreviations . 7g34 Overview 7g35 Policies for issuing extended validation certificates 8g35.1 Overview 8g35.2 Identification 8g3
9、5.3 User Community and Applicability 8g35.4 Conformance 8g36 Obligations and liability . 8g36.1 Certification authority obligations 8g36.2 Subscriber obligations 8g36.3 Information for Relying parties 9g36.4 Liability 9g37 Requirements on CA practice . 9g37.1 Certification practice statement 9g37.2
10、Public key infrastructure - Key management life cycle 10g37.2.1 Certification authority key generation 10g37.2.2 Certification authority key storage, backup and recovery . 10g37.2.3 Certification authority public key distribution 10g37.2.4 Key escrow . 11g37.2.5 Certification authority key usage 11g
11、37.2.6 End of CA key life cycle . 11g37.2.7 Life cycle management of cryptographic hardware used to sign certificates . 11g37.2.8 CA provided subject key management services 11g37.2.9 Secure user devices preparation 11g37.3 Public key infrastructure - Certificate Management life cycle . 11g37.3.1 Su
12、bject registration . 11g37.3.2 Certificate renewal, rekey and update . 12g37.3.3 Certificate generation 12g37.3.4 Dissemination of Terms and Conditions . 12g37.3.5 Certificate dissemination 12g37.3.6 Certificate revocation and suspension. 12g37.4 CA management and operation 13g37.4.1 Security manage
13、ment 13g37.4.2 Asset classification and management . 13g37.4.3 Personnel security . 13g37.4.4 Physical and environmental security. 13g37.4.5 Operations management . 13g37.4.6 System Access Management. 13g37.4.7 Trustworthy systems deployment and maintenance . 13g37.4.8 Business continuity management
14、 and incident handling 13g37.4.9 CA termination . 13g37.4.10 Compliance with Legal Requirements 14g3ETSI ETSI TR 101 564 V1.1.1 (2011-09) 47.4.11 Recording of information concerning certificates . 14g37.5 Organizational 14g38 Additional EV Requirements . 14g38.1 Time-stamping . 14g38.2 Code signing
15、Authority 14g3Annex A (informative): Assessment Guidance Checklist . 15g3Annex B (informative): Audit Report Framework . 24g3History 25g3ETSI ETSI TR 101 564 V1.1.1 (2011-09) 5Intellectual Property Rights IPRs essential or potentially essential to the present document may have been declared to ETSI.
16、 The information pertaining to these essential IPRs, if any, is publicly available for ETSI members and non-members, and can be found in ETSI SR 000 314: “Intellectual Property Rights (IPRs); Essential, or potentially Essential, IPRs notified to ETSI in respect of ETSI standards“, which is available
17、 from the ETSI Secretariat. Latest updates are available on the ETSI Web server (http:/ipr.etsi.org). Pursuant to the ETSI IPR Policy, no investigation, including IPR searches, has been carried out by ETSI. No guarantee can be given as to the existence of other IPRs not referenced in ETSI SR 000 314
18、 (or the updates on the ETSI Web server) which are, or may be, or may become, essential to the present document. Foreword This Technical Report (TR) has been produced by ETSI Technical Committee Electronic Signatures and Infrastructures (ESI). Introduction ETSI ESI issued the technical specification
19、 TS 102 042 i.1 that specified generic policy requirements for the operation and management practices of certification authorities issuing public key certificates. TS 102 042 i.1 generalises the principles specified in TS 101 456 i.3 to make it generally applicable to certification authorities indep
20、endent of the form of public key certificate. Examples of such certs are those used for securing web sites. The Certification Authority/Browser (CAB) Forum has specified guidelines for the “Issuance and Management of Extended Validation Certificates“ (EVCG i.2) to ensure that the public key certific
21、ates used for securing access to web sites are issued in a secure manner. The EVCG i.2 requires that the general operation of the Certification Authority is secure and indicates that conformance to TS 102 042 i.1 as a means of demonstrating that this requirement is met. The primary purposes of Exten
22、ded Validation Certificates are to: 1) identify the legal entity that controls a Web or service site; and 2) enable encrypted communications with that site; and 3) identify the source of executable code. The Secure Socket layer (SSL)/Transport Layer Security (TLS) protocols makes use of public key c
23、ertificates to secure access to web sites and services. EV Code Signing Certificates are intended to be used to verify the identity of a holder of an EV code signing certificate (Subscriber) and the integrity of its code. No particular object is identified in assuring the software protected by an EV
24、 Code Signing Certificate, only its distributor is identified. The present document provides guidance for assessment of CAs issuing EV Certificates against TS 102 042 i.1 and CAB Forum EVCG i.2. ETSI ETSI TR 101 564 V1.1.1 (2011-09) 61 Scope The present document provides guidance on the assessment o
25、f Certification Authorities issuing Extended Validation Certificates based on TS 102 042 i.1 and the CA Browser Forum Guidelines for Extended Validation, EVCG i.2. The document is aimed at providing guidance to Certification Authorities issuing EV certificates to be aware of how they may be assessed
26、 and auditors in carrying out assessment of the conformance of such certification authorities to Extended Validation, such as SSL, code signing and other applications, and TS 102 042 i.1. NOTE: Text copied from TS 102 042 i.1 is italicised. Annex A provides a checklist that may be used by auditors i
27、n carrying out an audit based on these guidelines. Annex B provides a suggested framework for the final audit report. 2 References References are either specific (identified by date of publication and/or edition number or version number) or non-specific. For specific references, only the cited versi
28、on applies. For non-specific references, the latest version of the reference document (including any amendments) applies. Referenced documents which are not found to be publicly available in the expected location might be found at http:/docbox.etsi.org/Reference. NOTE: While any hyperlinks included
29、in this clause were valid at the time of publication, ETSI cannot guarantee their long term validity. 2.1 Normative references The following referenced documents are necessary for the application of the present document. Not applicable. 2.2 Informative references The following referenced documents a
30、re not necessary for the application of the present document but they assist the user with regard to a particular subject area. i.1 ETSI TS 102 042: “Electronic Signatures and Infrastructures (ESI); Policy requirements for certification authorities issuing public key certificates“. i.2 Guidelines fo
31、r The Issuance and Management of Extended Validation Certificates, CA Browser Forum. NOTE: TS 102 042 i.1 and EVCG i.2 are main references, all other references are as called up by these two documents. i.3 ETSI TS 101 456: “Electronic Signatures and Infrastructures (ESI); Policy requirements for cer
32、tification authorities issuing qualified certificates“. i.4 ETSI TS 102 176-1: “Electronic Signatures and Infrastructures (ESI); Algorithms and Parameters for Secure Electronic Signatures; Part 1: Hash functions and asymmetric algorithms“. i.5 IETF RFC 3647: “Internet X.509 Public Key Infrastructure
33、 - Certificate Policy and Certification Practices Framework“. i.6 ETSI TS 102 023: “Electronic Signatures and Infrastructures (ESI); Policy requirements for time-stamping authorities“. ETSI ETSI TR 101 564 V1.1.1 (2011-09) 7i.7 ISO/IEC 27001: “Information technology - Security techniques - Informati
34、on security management systems - Requirements“. i.8 ISO/IEC 27002: “Information technology - Security techniques - Code of practice for information security management“. 3 Definitions and abbreviations 3.1 Definitions For the purposes of the present document, the terms and definitions given in TS 10
35、2 042 i.1 and EVCG i.2 apply. 3.2 Abbreviations For the purposes of the present document, the following abbreviations apply: CA Certification Authority CAB Certification Authority/Browser CM Cryptographic Module CP Certificate Policy CPS Certification Practice Statement CRL Certificate Revocation Li
36、st CSP Certification Service Provider EV Extended Validation EVC Extended Validation Certificate EVCG Extended Validation Certificate Guidelines EVCP Extended Validation Certificate Policy EVCP+ Enhanced Extended Validation Certificate Policy IS Information Security ISO International Organization fo
37、r Standardization NCP Normalized Certificate Policy NCP+ Extended Normalized Certificate Policy NOTE: Within the context of the present document CSP is used synonymously with Certification Authority (CA). OCSP Online Certificate Status Protocol OID Object Identifier PKI Public Key Infrastructure SSL
38、 Secure Sockets LayerTLS Transport Layer Security TSA Time Stamping Authority 4 Overview The present document is intended to be used by Auditors as a guidance to assess the compliance of a CSP/CA with TS 102 042 i.1 and for CSPs to clarify the requirements to be met. Auditors should ascertain, for e
39、ach of the present document clauses, that provisions in the corresponding TS 102 042 i.1 or EVCG i.2 clauses are complied with by the CSP. In each of the following clauses, additional provisions may be specified that Auditors should implement. ETSI ETSI TR 101 564 V1.1.1 (2011-09) 85 Policies for is
40、suing extended validation certificates 5.1 Overview The TS 102 042 i.1 policies relevant to use of EVC are: 4) An Extended Validation Certificate Policy (EVCP) that includes, except where explicitly indicated, all the Normalized Certificate Policy (NCP), as indicated in TS 102 042 i.1 requirements,
41、plus additional provisions suited to support EVC issue, usage and maintenance as specified in EVCG i.2. 5) An enhanced Extended Validation Certificate Policy (EVCP+) that includes, except where explicitly indicated, all the extended Normalized Certificate Policy (NCP+), as indicated in TS 102 042 i.
42、1 requirements, enhanced with additional provisions suited to support EVC issue, usage and maintenance as specified in EVCG i.2 when the EVCs owner must operate make use of a secure device. Auditors should check for available policy documentation (e.g. CP or CPS) and ensure that this is in line with
43、 the EVCP or ECVP+ requirements. Auditors should verify the EV cert OID. 5.2 Identification A CA is required to include the identifier(s) for the certificate policy (or policies) being supported in the terms and conditions made available to subscribers and relying parties to indicate its claim of co
44、nformance. The OIDs used may include the OIDs specified in TS 102 042 i.1, clause 5.2 items d) and e). Auditors should check that the certificate either identifies the EVC policies or a certificate policy that incorporates the requirements of the EVC policies according to section 8.2 of EVCG i.2. 5.
45、3 User Community and Applicability The policy requirements are applicable to Extended Validation Certificates as specified in section 6.1 EVCG i.2. Auditors should check that the primary purpose of the certificate, as stated in the certificate policy, relates to that in section 6.1 of the EVCG i.2.
46、5.4 Conformance NOTE: Requirements and guidance relating to conformity assessment is to be addressed in a separate document. 6 Obligations and liability 6.1 Certification authority obligations Auditors should verify that the CP included in the certificate covers the requirements EVCP or EVCP+. Audit
47、ors should verify the CPS, the subscriber agreements and the third party contracts to check its obligations according to clause 6.1 of TS 102 042 i.1 and section 6.2 and 12.2 of EVCG i.2. 6.2 Subscriber obligations Auditors should verify the subscriber agreements in order to check that the obligatio
48、ns indicated in clause 6.2 a), b), c), d), h) and i) of TS 102 042 i.1 are addressed. In case of code signing refer to Appendix G item 7 and Appendix H item 12 of EVCG i.2. ETSI ETSI TR 101 564 V1.1.1 (2011-09) 9 Procedures to verify in case of a compromise of the key Auditors should verify the proc
49、edures to discontinue the usage of the certificate upon information of a CA compromise as indicated in clause 6.2 j) of TS 102 042 i.1. Auditors should take account of the requirements in: TS 102 042 i.1, clauses 7.3.1 item m) and 7.3.4. EVCG i.2, sections 9.3.2 and 9.3.3. For revocation procedures, clause 7.3.6 of TS 102 042 i.1. In relation to algorithm and key sizes (item d), Appendix A of EVCG i.2 and TS 102 176-1 i.4 applies. In case of conflict, Appendix A of EVCG i.2
