Index of documents supporting the Grant of Approval to the Health and Social Care Information Centre’s Root CA for NHS PKI service.

1. What the tScheme Approved Service Mark signifies.
2. Approved Service - Service Description
3. Approval Profiles used in the assessment:
   

   Base Approval Profile	tSd0111	3.00
   Approval Profile for Certificate Generation	tSd0104	3.01
   Approval Profile for Certificate Dissemination	tSd0105	3.01
   Approval Profile for Certificate Status Management	tSd0106	3.01

Back to Grant details

---

What the tScheme Approved Service Mark signifies

When a trust service carries the tScheme Mark, you can be secure in the knowledge that:

• the service has been thoroughly evaluated against rigorous criteria by independent experts;
  
  
• the service provider has agreed to keep to these criteria;
  
  
• the service provider subscribes to the tScheme Code of Conduct;
  
  
• the service provider has agreed to act promptly and fairly to remedy faults.
  
  

For each service, tScheme approval is regularly reviewed and may be withdrawn.

This Grant of Approval does not affirm or endorse any claims of conformance to standards or adherence to guidelines not explicitly listed as forming part of the service assessment.

top

---

Approved Service - Service Description

The Approved service relates to the Health and Social Care Information Centre (NHS HSCIC) Root Certificate Authority for the NHS Public Key Infrastructure. The NHS PKI is controlled by HSCIC, which operates a Policy Management Authority (PMA) to define and control the service. British Telecommunications plc (NHS Service Provider) act as the operational enterprise for the NHS Root Certificate Authority, and conduct all the functional activity relating to the NHS Root Certificate Authority

The NHS Root Certificate Authority (level 0) is designed for the issuance of Digital Certificates only to level 1 Certificate Authorities operating under the NHS Root CA. HSCIC has full control over all Level 1 CAs. HSCIC, via the NHS Policy Management Authority, defines and has complete control over all important business aspects such as the Certificate Policy and registration practices etc. while BT runs the Root Certificate Authority at its secure Data Centre.

The NHS Root Certificate Authority (CA) is separate¹ from every other Certification service operated and managed by BT and is run in accordance with the NHS Policy Management Authority requirements and specifications for Root CA services. The certificates produced are manufactured to the profiles specified by HSCIC and are identified as NHS certificates.

Key features of the NHS Root Certificate Authority are:

• Complete managed service;
• Operating to defined Certificate Policy and Certificate Profile;
• Dedicated Certification Authority;
• Certificates identified as NHS operated and controlled;
• Standards compliant (for example Certificates are X.509 v3 compliant);
• Secure infrastructure designed to ISO 27001 and certified by independent audit;
• Supporting technologies have undergone external evaluations against established criteria (ITSEC, Common Criteria, and FIPS etc.);
• Support of a variety of cryptographic key management methods including smart cards, tokens etc is used, and;
• Physically remote secure business continuity and contingency facilities.

The NHS Root Certificate Authority is designed to satisfy the requirements of a Central Government organisation (DoH).

For further information, please see the NHS Root Certificate Authority PKI Disclosure Statement at ( http://systems.hscic.gov.uk/infogov/security/infrasec/nhspki/docs).

¹ This separation is both logical and physical.

top

---

The tScheme Code of Conduct

Participants in the electronic trust services industry strive:

• to act in an honest, fair, reasonable and trustworthy manner;
  
  
• not to bring electronic trust services into disrepute;
  
  
• to provide clear information about what each electronic trust service provides, including limitations and exclusions, to those who rely on that service;
  
  
• to meet service commitments and obligations;
  
  
• to be proactive in identifying and correcting faults and deficiencies in electronic trust services;
  
  
• to operate in accordance with appropriate standards;
  
  
• to act promptly in resolving complaints relating to electronic trust services.

top