1、 ETSI TS 119 403-2 V1.1.1 (2018-07) Electronic Signatures and Infrastructures (ESI); Trust Service Provider Conformity Assessment; Part 2: Additional requirements for Conformity Assessment Bodies auditing Trust Service Providers that issue Publicly-Trusted Certificates TECHNICAL SPECIFICATION ETSI E
2、TSI TS 119 403-2 V1.1.1 (2018-07)2 Reference DTS/ESI-0019403-2 Keywords conformity, e-commerce, electronic signature, security, trust services ETSI 650 Route des Lucioles F-06921 Sophia Antipolis Cedex - FRANCE Tel.: +33 4 92 94 42 00 Fax: +33 4 93 65 47 16 Siret N 348 623 562 00017 - NAF 742 C Asso
3、ciation but non lucratif enregistre la Sous-Prfecture de Grasse (06) N 7803/88 Important notice The present document can be downloaded from: http:/www.etsi.org/standards-search The present document may be made available in electronic versions and/or in print. The content of any electronic and/or pri
4、nt versions of the present document shall not be modified without the prior written authorization of ETSI. In case of any existing or perceived difference in contents between such versions and/or in print, the only prevailing document is the print of the Portable Document Format (PDF) version kept o
5、n a specific network drive within ETSI Secretariat. Users of the present document should be aware that the document may be subject to revision or change of status. Information on the current status of this and other ETSI documents is available at https:/portal.etsi.org/TB/ETSIDeliverableStatus.aspx
6、If you find errors in the present document, please send your comment to one of the following services: https:/portal.etsi.org/People/CommiteeSupportStaff.aspx Copyright Notification No part may be reproduced or utilized in any form or by any means, electronic or mechanical, including photocopying an
7、d microfilm except as authorized by written permission of ETSI. The content of the PDF version shall not be modified without the written authorization of ETSI. The copyright and the foregoing restriction extend to reproduction in all media. ETSI 2018. All rights reserved. DECTTM, PLUGTESTSTM, UMTSTM
8、and the ETSI logo are trademarks of ETSI registered for the benefit of its Members. 3GPPTM and LTETMare trademarks of ETSI registered for the benefit of its Members and of the 3GPP Organizational Partners. oneM2M logo is protected for the benefit of its Members. GSMand the GSM logo are trademarks re
9、gistered and owned by the GSM Association. ETSI ETSI TS 119 403-2 V1.1.1 (2018-07)3 Contents Intellectual Property Rights 4g3Foreword . 4g3Modal verbs terminology 4g3Introduction 4g31 Scope 6g32 References 6g32.1 Normative references . 6g32.2 Informative references 6g33 Definitions and abbreviations
10、 . 7g33.1 Definitions 7g33.2 Abbreviations . 7g34 Requirements for CABs auditing TSPs that issue PTCs 7g34.1 General . 7g34.2 Audit Frequency (see ETSI EN 319 403, clause 7.4.6) 7g34.3 Audit Attestation 8g3Annex A (informative): Bibliography . 9g3History 10g3ETSI ETSI TS 119 403-2 V1.1.1 (2018-07)4
11、Intellectual Property Rights Essential patents IPRs essential or potentially essential to normative deliverables may have been declared to ETSI. The information pertaining to these essential IPRs, if any, is publicly available for ETSI members and non-members, and can be found in ETSI SR 000 314: “I
12、ntellectual Property Rights (IPRs); Essential, or potentially Essential, IPRs notified to ETSI in respect of ETSI standards“, which is available from the ETSI Secretariat. Latest updates are available on the ETSI Web server (https:/ipr.etsi.org/). Pursuant to the ETSI IPR Policy, no investigation, i
13、ncluding IPR searches, has been carried out by ETSI. No guarantee can be given as to the existence of other IPRs not referenced in ETSI SR 000 314 (or the updates on the ETSI Web server) which are, or may be, or may become, essential to the present document. Trademarks The present document may inclu
14、de trademarks and/or tradenames which are asserted and/or registered by their owners. ETSI claims no ownership of these except for any which are indicated as being the property of ETSI, and conveys no right to use or reproduce any trademark and/or tradename. Mention of those trademarks in the presen
15、t document does not constitute an endorsement by ETSI of products, services or organizations associated with those trademarks. Foreword This Technical Specification (TS) has been produced by ETSI Technical Committee Electronic Signatures and Infrastructures (ESI). The present document is part 2 of a
16、 multi-part deliverable covering Trust Service Provider Conformity Assessment, as identified below: Part 1: “Requirements for conformity assessment bodies assessing Trust Service Providers“ (now existing as ETSI EN 319 403 to be issued as Part 1 when revised); Part 2: “Additional requirements for Co
17、nformity Assessment Bodies auditing Trust Service Providers that issue Publicly-Trusted Certificates“; Part 3: “Additional requirements for conformity assessment bodies assessing qualified trust service providers against the eIDAS Regulation requirements“. Modal verbs terminology In the present docu
18、ment “shall“, “shall not“, “should“, “should not“, “may“, “need not“, “will“, “will not“, “can“ and “cannot“ are to be interpreted as described in clause 3.2 of the ETSI Drafting Rules (Verbal forms for the expression of provisions). “must“ and “must not“ are NOT allowed in ETSI deliverables except
19、when used in direct citation. Introduction ISO/IEC 17065 i.6 is an international standard which specifies general requirements for conformity assessment bodies (CABs) performing certification of products, processes, or services. These requirements are not focussed on any specific application domain
20、where CABs work. In ETSI EN 319 403 1 the general requirements of ISO/IEC 17065 i.6 are supplemented to provide additional dedicated requirements for CABs performing certification of trust service providers (TSPs) and the trust services they provide towards defined criteria against which they claim
21、conformance. ETSI ETSI TS 119 403-2 V1.1.1 (2018-07)5 ETSI EN 319 403 1 aims to meet the general needs of the international community to provide trust and confidence in electronic transactions including, amongst others, applicable requirements from Regulation (EU) No 910/2014 i.1, and from CA/Browse
22、r Forum i.7 and i.8. Its aims include support of national accreditation bodies (NABs) as specified in Regulation (EC) No. 765/2008 i.2 in applying ISO/IEC 17065 i.6 for the accreditation of CABs that certify TSPs and the trust services they provide so that this is carried out in a consistent manner.
23、 In accordance with EC Regulation No 765/2008 i.2, attestations issued by conformity assessment bodies accredited by a NAB can be formally recognized across Europe. ETSI EN 319 403 1 supplements ISO/IEC 17065 i.6 by specifying additional requirements, e.g. on resources, on the assessment process and
24、 on the audit of a TSPs management system, as defined in ISO/IEC 17021 i.4 and in ISO/IEC 27006 i.5. The present document specifies supplementary requirements to those defined in ETSI EN 319 403 1 in order to provide additional dedicated requirements for CABs performing audits based on ETSI EN 319 4
25、11-1 i.9 and those from CA/Browser Forum, i.7 and i.8. ETSI ETSI TS 119 403-2 V1.1.1 (2018-07)6 1 Scope The present document defines specific supplementary requirements to those defined in ETSI EN 319 403 1 for CABs performing audits based on ETSI EN 319 411-1 i.9 and those from CA/Browser Forum, i.
26、7 and i.8. In particular, the present document defines the requirements for audit attestations, including their content. 2 References 2.1 Normative references References are either specific (identified by date of publication and/or edition number or version number) or non-specific. For specific refe
27、rences, only the cited version applies. For non-specific references, the latest version of the referenced document (including any amendments) applies. Referenced documents which are not found to be publicly available in the expected location might be found at https:/docbox.etsi.org/Reference. NOTE:
28、While any hyperlinks included in this clause were valid at the time of publication, ETSI cannot guarantee their long-term validity. The following referenced documents are necessary for the application of the present document. 1 ETSI EN 319 403: “Electronic Signatures and Infrastructures (ESI); Trust
29、 Service Provider Conformity Assessment - Requirements for conformity assessment bodies assessing Trust Service Providers“. 2.2 Informative references References are either specific (identified by date of publication and/or edition number or version number) or non-specific. For specific references,
30、only the cited version applies. For non-specific references, the latest version of the referenced document (including any amendments) applies. NOTE: While any hyperlinks included in this clause were valid at the time of publication, ETSI cannot guarantee their long-term validity. The following refer
31、enced documents are not necessary for the application of the present document but they assist the user with regard to a particular subject area. i.1 Regulation (EU) No 910/2014 of the European Parliament and of the Council on electronic identification and trust services for electronic transactions i
32、n the internal market and repealing Directive 1999/93/EC. NOTE: Available at http:/eur-lex.europa.eu/legal-content/EN/TXT/?uri=uriserv:OJ.L_.2014.257.01.0073.01.ENG. i.2 EC Regulation No 765/2008 of the European Parliament and of the Council of 9 July 2008 setting out the requirements for accreditat
33、ion and market surveillance relating to the marketing of products and repealing Regulation (EEC) No 339/93. i.3 ETSI TR 119 001: “Electronic Signatures and Infrastructures (ESI); The framework for standardization of signatures; Definitions and abbreviations“. i.4 ISO/IEC 17021: “Conformity assessmen
34、t - Requirements for bodies providing audit and certification of management systems“. i.5 ISO/IEC 27006: “Information technology - Security techniques - Requirements for bodies providing audit and certification of information security management systems“. ETSI ETSI TS 119 403-2 V1.1.1 (2018-07)7 i.6
35、 ISO/IEC 17065: “Conformity assessment - Requirements for bodies certifying products, processes and services“. i.7 CA/Browser Forum (V1.6.8): “Guidelines for The Issuance and Management of Extended Validation Certificates“. i.8 CA/Browser Forum (V1.5.9): “Baseline Requirements Certificate Policy for
36、 the Issuance and Management of Publicly-Trusted Certificates“. i.9 ETSI EN 319 411-1: “Electronic Signatures and Infrastructures (ESI); Policy and security requirements for trust service providers issuing certificates; Part 1: General requirements“. 3 Definitions and abbreviations 3.1 Definitions F
37、or the purposes of the present document, the terms and definitions given in ETSI TR 119 001 i.3 and the following apply: Publicly-Trusted Certificate (PTC): certificate trusted by virtue of the fact that its corresponding Root Certificate is distributed as a trust anchor in widely-available applicat
38、ion software NOTE 1: See ETSI EN 319 411-1 i.9. NOTE 2: Within the context of the present document, PTC is used synonymously with EVC, DVC, IVC and OVC as per CA/B Forum documents i.7 and i.8. The purpose of PTC is described in BRG i.8, clause 1.4.1. 3.2 Abbreviations For the purposes of the present
39、 document, the abbreviations given in ETSI TR 119 001 i.3 and the following apply: CA/B Forum Certification Authority and Browser Forum CAB Conformity Assessment Body PTC Publicly-Trusted Certificate4 Requirements for CABs auditing TSPs that issue PTCs 4.1 General PTA-4.1-01: The requirements define
40、d in ETSI EN 319 403 1 shall apply. The following clauses define additional requirements. 4.2 Audit Frequency (see ETSI EN 319 403, clause 7.4.6) PTA-4.2-01: A full-surveillance audit shall be conducted no less frequently than annually. PTA-4.2.02: Updated audit information shall be provided no less
41、 frequently than annually. PTA-4.2.03: Successive audits shall include an evaluation of evidence produced since the last audit. ETSI ETSI TS 119 403-2 V1.1.1 (2018-07)8 4.3 Audit Attestation PTA-4.3-01: The Audit Attestation for TSPs issuing publicly-trusted certificates shall provide sufficient det
42、ails to demonstrate that the audited TSP fulfilled the requirements from ETSI EN 319 411-1 i.9 and those from CA/Browser Forum, i.7 and i.8. In particular: PTA-4.3-02: The Audit Attestation shall be written in English. PTA-4.3-03: The Audit Attestation shall be in a “text searchable“ PDF format. PTA
43、-4.3-04: The Audit Attestation shall be uploaded to their auditors website. PTA-4.3-05: The Audit Attestation shall list the date on which the audit letter was written. PTA-4.3-06: The Audit Attestation shall have the CABs name in the audit letter as well as the CABs address, the CABs contact inform
44、ation and information about the CABs accreditation. PTA-4.3-07: The Audit Attestation shall be issued annually. PTA-4.3-08: The Audit Attestation shall be issued only if no critical non-conformities are identified. PTA-4.3-09: The Audit Attestation shall include a clear identification of the audited
45、 TSP. PTA-4.3-10: The Audit Attestation shall list the full name, SHA256 thumbprints of the CA certificates of the TSP services that have been audited, and the applied policies of the audited TSP. PTA-4.3-11: The Audit Attestation shall state the start and end dates of the period that was audited. P
46、TA-4.3-12: The Audit Attestation shall list the audit standards that were used during the audit and list the full name and version of the audit standards referenced. PTA-4.3-13: The Audit Attestation shall list the policy and practice statement documents of the TSP that the audit was based on. PTA-4
47、.3-14: The Audit Attestation shall list the city, state/province (if applicable), and country of all relevant physical locations used in Certification Authority operations. NOTE: Root programs relying on audits based on ETSI EN 319 403 1 may place additional requirements on the audit attestations fo
48、r TSPs issuing publicly-trusted certificates. ETSI ETSI TS 119 403-2 V1.1.1 (2018-07)9 Annex A (informative): Bibliography ENISA: “Guidelines on supervision of qualified trust services; Technical guidelines on trust services“, December 2017. ISBN: 978-92-9204-190-8. NOTE: Available at https:/www.enisa.europa.eu/publications/tsp-initiation. ETSI ETSI TS 119 403-2 V1.1.1 (2018-07)10 History Document history V1.1.1 July 2018 Publication