Index of documents supporting the Grant of Approval to BT’s Assure PKI Service.
Base Approval Profile | tSd0111 | 3.00 |
Approval Profile for Registration Services | tSd0042 | 3.02 |
Approval Profile for a Certification Authority | tSd0102 | 3.01 |
Approval Profile for Signing Key Pair Management | tSd0103 | 3.02 |
Approval Profile for Certificate Generation | tSd0104 | 3.01 |
Approval Profile for Certificate Dissemination | tSd0105 | 3.01 |
Approval Profile for Certificate Status Management | tSd0106 | 3.01 |
Approval Profile for Certificate Status Validation | tSd0107 | 3.01 |
What the tScheme Approved Service Mark signifies
When a trust service carries the tScheme Mark, you can be secure in the knowledge that:
For each service, tScheme approval is regularly reviewed and may be withdrawn.
This Grant of Approval does not affirm or endorse any claims of conformance to standards or adherence to guidelines not explicitly listed as forming part of the service assessment.
Approved Service - Service Description
The subject service of this Grant of Approval is the Managed Public Key Infrastructure (PKI) Security service from British Telecommunications Plc.
BT Managed Public Key Infrastructure (PKI) Security is a managed service that provides the technology and processes required to issue digital certificates. The service is suitable for any organisation that needs to issue certificates - these can be issued under either the Symantec Trust Network (STN) public hierarchy and the STN CPS or the Customer’s own self-signed root and the non-STN CPS.
Within Managed PKI Security, the Registration Authority (RA) and Certification Authority (CA) functions are separated. The customer organisation performs the RA function and BT performs the CA function.
This arrangement allows the customer RA function to apply validation criteria that are based on its local business knowledge and approve or reject certificate requests using its own business rules. It also allows the organisation to delegate the complex and difficult CA management function to a specialist organisation that has the infrastructure and practices required to protect and manage sensitive CA Keys and PKI records. Specific CA functions managed by BT are:
BT uses its own RA to validate requests for the service, confirming that the applicant company is registered and that the Managed PKI Security Administrator has the organisational authority required to operate the RA and enter into the Managed PKI Security contract on the applicant company’s behalf.
Following acceptance of the request, a new CA Certificate is issued and the CA signing keys are installed at the secure CA facility operated by BT.
The service is built using Symantec technology and utilises industry standard protocols to protect order information and to deliver certificates. Employees, or customers, of the subscribing organisation apply for end user certificates from a local web site using their browser. Requests are validated by the local RA, digitally signed & encrypted and then sent to the CA, where certificates are constructed and signed using the organisation’s CA Digital Certificate.
BT provides the Managed PKI Security customer with certificate status data, either in the form of a Certificate Revocation List or through the use of the Online Certificate Status Protocol (OCSP), to validate certificates within their application(s). (Note: OCSP is not available to Managed PKI Security FastTrack customers.) BT also provides status information to relying parties.
For further information, please see the Service Policy Disclosure Statement. This can be found by clicking on the Service Policy Disclosure Statement link in the How We Can Help section at: https://www.globalservices.bt.com/uk/en/products/managed-pki-security
Participants in the electronic trust services industry strive: