ETSI TS 103 090 V1.1.1 (2012-04)

Electronic Signatures and Infrastructures (ESI); Conformity Assessment for Trust Service Providers issuing Extended Validation Certificates

Technical Specification

Reference: DTS/ESI-000108
Keywords: conformity, e-commerce, electronic signature, extended validation certificates, security

ETSI
650 Route des Lucioles
F-06921 Sophia Antipolis Cedex - FRANCE
Tel.: +33 4 92 94 42 00 Fax: +33 4 93 65 47 16
Siret N° 348 623 562 00017 - NAF 742 C
Association à but non lucratif enregistrée à la Sous-Préfecture de Grasse (06) N° 7803/88

Important notice

Individual copies of the present document can be downloaded from: http://www.etsi.org

The present document may be made available in more than one electronic version or in print. In any case of existing or perceived difference in contents between such versions, the reference version is the Portable Document Format (PDF). In case of dispute, the reference shall be the printing on ETSI printers of the PDF version kept on a specific network drive within ETSI Secretariat.

Users of the present document should be aware that the document may be subject to revision or change of status. Information on the current status of this and other ETSI documents is available at http://portal.etsi.org/tb/status/status.asp

If you find errors in the present document, please send your comment to one of the following services: http://portal.etsi.org/chaircor/ETSI_support.asp

Copyright Notification

No part may be reproduced except as authorized by written permission. The copyright and the foregoing restriction extend to reproduction in all media.

© European Telecommunications Standards Institute 2012. All rights reserved.

DECT™, PLUGTESTS™, UMTS™ and the ETSI logo are Trade Marks of ETSI registered for the benefit of its Members. 3GPP™ and LTE™ are Trade Marks of ETSI registered for the benefit of its Members and of the 3GPP Organizational Partners. GSM® and the GSM logo are Trade Marks registered and owned by the GSM Association.

Contents

Intellectual Property Rights
Foreword
Introduction
1 Scope
2 References
2.1 Normative references
2.2 Informative references
3 Definitions and abbreviations
3.1 Definitions
3.2 Abbreviations
4 Introduction
5 Assessment process
5.1 Additional audit requirements for EVC
5.2 Publication of the Assessment report
5.3 Regular Surveillance activities
5.4 Incidents handling
5.5 Reassessment
6 Requirements on TSP conformity assessment body
6.1 Competence criteria and qualification
7 Cross Border Assessments
Annex A (informative): Self-declaration
History

Intellectual Property Rights

IPRs essential or potentially essential to the present document may have been declared to ETSI. The information pertaining to these essential IPRs, if any, is publicly available for ETSI members and non-members, and can be found in ETSI SR 000 314: "Intellectual Property Rights (IPRs); Essential, or potentially Essential, IPRs notified to ETSI in respect of ETSI standards", which is available from the ETSI Secretariat. Latest updates are available on the ETSI Web server (http://ipr.etsi.org).

Pursuant to the ETSI IPR Policy, no investigation, including IPR searches, has been carried out by ETSI. No guarantee can be given as to the existence of other IPRs not referenced in ETSI SR 000 314 (or the updates on the ETSI Web server) which are, or may be, or may become, essential to the present document.

Foreword

This Technical Specification (TS) has been produced by ETSI Technical Committee Electronic Signatures and Infrastructures (ESI).

The present document covers Conformity Assessment for Trust Service Providers (TSP) issuing extended validation certificates.

Introduction

Electronic commerce is emerging as the future way of doing business between companies across local, wide area and global networks. Trust in this way of doing business is essential for the success and continued development of electronic commerce. It is therefore important that companies using this electronic means of doing business have suitable security controls and mechanisms in place to protect their transactions and to ensure trust and confidence with their business partners. In this respect the electronic signature is an important security component that can be used to protect information and provide trust in electronic business.

The CA/Browser Forum (CAB Forum), an association of Certification Authorities and Web Browser providers, recognising the importance of ensuring the authenticity of such certificates, has issued guidelines for the issuance and management of certificates. Initially, guidelines were issued at the "Extended Validation" (EV) level for web sites requiring enhanced security; more recently, a second set of guidelines was issued at a "Baseline" level providing a general baseline for securing access to any web site using SSL/TLS. These guidelines specify requirements addressing particular concerns over the use of certificates for web site access and code signing. They do not, however, specify general best practices for how conformity to the guidelines and best practice for Certification Authorities is audited.

Security is thus recognised as a vital part of electronic commerce. This includes two essential security functions: firstly, the security of access to web services using the Secure Socket Layer (SSL) protocol (now called Transport Layer Security, TLS); secondly, the security of code sent to users to support advanced functions, using code signing. Both of these functions depend on the security of a "Public Key Certificate" (or Certificate as specified in ITU-T Recommendation X.509 [i.4]), issued by a trusted service provider called a Certification Authority (CA), which binds a public key to a known identity relating to the organisation responsible for the web site or code.

ETSI, as part of its series of standards in support of electronic signatures, has developed a specification (TS 102 042 [i.1]) on "Policy Requirements for Certification Authorities issuing public key certificates". This specifies general best practices for certification authorities covering topics such as key management, personnel security and physical security. In addition, ETSI has published specific guidance on the use of TS 102 042 [i.1] with the CAB Forum guidelines for Extended Validation Certificates (TR 101 564 [i.2]) to assist certification authorities and auditors in interpreting the application of TS 102 042 [i.1] to the CAB Forum EV Guidelines. The use of the specification TS 102 042 [i.1] has been formally recognised by the CAB Forum for use with their Extended Validation guidelines.

In order to assess the conformance of TSPs issuing Extended Validation Certificates, it is necessary for the operation of the TSP to be audited against these policy requirements. The present document specifies requirements and provides guidance for the carrying out of such audits. It builds on the general requirements for conformity assessment of TSPs specified in TS 119 403 [1], using the approach for "voluntary accreditation", making reference to those requirements and adding additional requirements as appropriate.

1 Scope

The present document specifies requirements and provides guidance for the supervision and assessment of a Trust Service Provider (TSP) issuing Extended Validation Certificates (EVC) through the use of audit against TS 102 042 [i.1]. It references general requirements from TS 119 403 [1] and adds further requirements as appropriate to EVC.

2 References

References are either specific (identified by date of publication and/or edition number or version number) or non-specific. For specific references, only the cited version applies. For non-specific references, the latest version of the referenced document (including any amendments) applies.

Referenced documents which are not found to be publicly available in the expected location might be found at http://docbox.etsi.org/Reference.

NOTE: While any hyperlinks included in this clause were valid at the time of publication, ETSI cannot guarantee their long term validity.

2.1 Normative references

The following referenced documents are necessary for the application of the present document.

[1] ETSI TS 119 403: "Electronic Signatures and Infrastructures (ESI); Trust Service Provider Conformity Assessment - General requirements and guidance".

2.2 Informative references

The following referenced documents are not necessary for the application of the present document but they assist the user with regard to a particular subject area.

[i.1] ETSI TS 102 042: "Electronic Signatures and Infrastructures (ESI); Policy requirements for certification authorities issuing public key certificates".

[i.2] ETSI TR 101 564: "Electronic Signatures and Infrastructures (ESI); Guidance on ETSI TS 102 042 for issuing extended validation certificates for auditors and CSPs".

[i.3] Guidelines for The Issuance and Management of Extended Validation Certificates, CA/Browser Forum.

[i.4] ITU-T Recommendation X.509: "Information technology - Open systems interconnection - The Directory: Public-key and attribute certificate frameworks".

3 Definitions and abbreviations

3.1 Definitions

For the purpose of the present document, the terms and definitions given in TS 102 042 [i.1] and TS 119 403 [1] apply.

3.2 Abbreviations

For the purpose of the present document, the abbreviations given in TS 102 042 [i.1] and TS 119 403 [1] apply.

4 Introduction

This clause discusses the approach taken in TSP Conformity Assessment for issuing EVC. The Conformity Assessment for Extended Validation Certificates (EVC) applies the general system for TSP Accreditation as illustrated in figure 1.

[Figure 1 is a diagram whose image did not survive extraction. The labels recovered from it are: Trust Service Status List; TSP; Assessment Scheme; National Accreditation Body; European co-operation for Accreditation (EA); Trust Service Status Notification Body; Assessment request; Assessment Report; TSP Conformity Assessment Body; Assessment; Assessment Criteria; Assessors; Notification.]

Figure 1: Organisational Structure of TSP Assessment

5 Assessment process

The assessment of the TSP issuing EVC shall be carried out as specified in clause 5 of TS 119 403 [1]. It is recommended that the checklist used for the assessment is based on TR 101 564 [i.2], Annex A. It is recommended that the assessor produces an audit report addressing the topics identified in TR 101 564 [i.2], Annex B.

5.1 Additional audit requirements for EVC

Additional requirements on the audit of TSPs issuing EVCs shall be taken into account as indicated in section 14.1.1 of the EVCG [i.3]. This section specifies that, before issuing EVCs, the TSP shall have a currently valid TS 102 042 [i.1] certification and then complete a point-in-time readiness audit against TS 102 042 [i.1], together with the EVC-specific requirements, if needed. The TSP can use the checklist of TR 101 564 [i.2], Annex A, to prepare for this assessment process (i.e. serving as a basis for self-declaration). These requirements shall be in accordance with clause 5.3 of TS 119 403 [1].

5.2 Publication of the Assessment report

The assessment report is provided to the Notification Body. In addition, the report may be provided to the browsers or application software providers by the TSP no later than three months after the end of the audit period, as indicated in section 14.1.3 (3) of the EVCG [i.3]. In the event of a delay greater than these three months, the TSP shall provide an explanation signed by the auditing body if requested.

5.3 Regular Surveillance activities

The Notification Body and the TSP should define a programme of periodic surveillance and reassessment at sufficiently close intervals to verify that TSPs continue to comply with the requirements. This programme should meet the requirements of clause 5.4 of TS 119 403 [1] and section 14.1.2 of the EVCG [i.3].

5.4 Incidents handling

The TSP shall be obliged to inform the Notification Body of all information relevant to the incident without any unnecessary delay, and to follow the requirements of clause 5.5 of TS 119 403 [1]. It is also recommended to notify the browsers or application software vendors.

5.5 Reassessment

The TSP audit shall follow the requirements of clause 5.6 of TS 119 403 [1].

6 Requirements on TSP conformity assessment body

The Conformity Assessment Body shall meet the requirements specified in clause 6 of TS 119 403 [1].

6.1 Competence criteria and qualification

In order to ensure that the team of assessors has at its disposal all necessary expertise, they shall meet the requirements of clause 6.2 of TS 119 403 [1] and section 14.1.4 of the EVCG [i.3].

7 Cross Border Assessments

The TSP audit shall meet the requirements specified in clause 7 of TS 119 403 [1].

Annex A (informative): Self-declaration

Besides the classical administrative and identification information related to the TSP, it is recommended that a further significant piece of information be required from the TSP in the context of the initiation phase of the supervision of the TSP's services, namely a self-declaration of compliance against the supervision criteria of TS 102 042 [i.1]. The self-declaration of compliance could be based on a checklist organised according to the template given in Annex A of TR 101 564 [i.2].

On the start of activities of a TSP issuing EVCs into the market, it is however the responsibility and obligation of the Notification Body to implement its appropriate supervision system and to perform the appropriate controls foreseen in its supervision system upon reception of a notification of the provision of certification services subject to supervision. When notification information is non-existent, incomplete, insufficient or not satisfactory with regard to compliance with the supervision criteria, and when the subsequent supervision control reveals that the TSP fails to comply with the supervision criteria, it is up to the Notification Body to take the appropriate measures to enforce corrective actions on the
