Digests of Issue 3 Approval Profiles for PKI-related Services

The full tScheme profiles are available as PDF documents free of charge for non-commercial use. To track monitoring, you must register (free of charge) - this entitles the user to access to the restricted Approvals Profiles section. To register for access to the profiles please click here. Please also see the notes at the bottom of this page.

Base Approval Profile (tSd0111)
Profile for Registration Services (tSd0042)
Profile for a Certification Authority (tSd0102)
Profile for Signing Key Pair Management (tSd0103)
Profile for Certificate Generation (tSd0104)
Profile for Certificate Dissemination (tSd0105)
Profile for Certificate Status Management (tSd0106)
Profile for Certificate Status Validation (tSd0107)



Back to top

Base Approval Profile - tSd 0111 (Issue 3.00)

Summary
This document defines the base tScheme criteria against which Trust Services and the organisations which provide them must be successfully assessed in order to be eligible for a Grant of Approval. It is intended to be used in conjunction with individual Approval Profiles specific to particular service types.

Scope
Criteria are listed under assessment topics. For each topic, the basic assessment criteria are identified. These are followed by examples of the typical forms of evidence that could be provided to an assessor. The evidence indication, while being as comprehensive as possible, is intended neither to be exhaustive nor mandatory. In all cases, the actual evidence to be provided must be agreed in advance between the TSP and the tScheme-recognised Assessor.


Compliance with this Approval Profile will then be achieved by satisfying the criteria in the subsequent sub-sections [available in full text copies]

Back to top

Approval Profile for Registration Services - tSd0042 (Issue 3.02)

Summary
This document defines the tScheme criteria against which organisations must be successfully assessed in order to be eligible for a Grant of Approval for the provision of services to individuals, system objects, corporate entities and other organisations for the verification and registration of identity and other attributes.

Scope
The criteria given in this Approval Profile are related to the provision of services that verify and register claimed registrant attributes. No specific constraint of scope is intended in this profile on the types of attribute that can potentially be verified using these services, or how they can be verified. In principle, the types of attribute examined in a Registration Service could range widely. For example they could be those:

  1. associated with personal identity, such as name, address, and birth date;
  2. related to a registrant’s employment or position in society, such as name of employee, creditworthiness, bank account number or club membership;
  3. belonging to IT system objects such as Virtual Private Network nodes.

Notwithstanding this, tScheme does however offer support on specific Registration Services. These are provided in separate documents that are detailed under External Standards and Guidelines. To demonstrate compliance, providers of such Registration Services are recommended to ask their Assessors to assess conformance to these documents when performing their Assessment

Back to top

Approval Profile for a Certification Authority [[QC: issuing Qualified Certificates]] - tSd 0102 (Issue 3.01)

Summary
This document defines the tScheme criteria against which organisations must be successfully assessed in order to be eligible for a Grant of approval for the provision of Certification Authority (CA) services.

Scope
The criteria given in this Approval Profile are related to the overall provision and life-cycle management of certification services [[QC: issuing Qualified Certificates]]. Life-cycle management provides for Services supporting the registration and verification of key holders, initial creation and personalisation of encryption keys, tokens and certificates, the secure distribution of keys/tokens and publication of certificates, the maintenance of certificate currency and validity through re-certification and revocation processes.

Some of these functions could be offered as stand-alone Services so, to avoid repetition of the related criteria, they have been removed from this Approval Profile and placed in appropriate service-specific Approval Profiles. Nevertheless they are still part of the provision of a CA Service. The Services that together make up the full CA Service, whether operated directly by the organisation offering the CA Service or whether outsourced to various other third parties, are required to fulfil the criteria defined in the following further Approval Profiles:

  • Registration
  • {Signing Key Management}
  • Certificate Generation
  • Certificate Dissemination
  • Certificate Status Management
  • Certificate Status Validation

Some of these Services are regarded as being mandatory parts of a CA Service and the implied requirements of any text are mandatory, the other Services, referred to within ‘curly’ brackets, { …thus… }, are optional and the CA must make clear whether or not they are intending to be assessed against them.

The CA has responsibility for ensuring conformance with the procedures prescribed in the applicable Certificate Policy even when constituent part-Services are outsourced to third parties. This requires the inclusion in its Certificate Practice Statement (or PKI Disclosure Statement) of relevant practices undertaken by all parties contributing to the overall Service provision. The CA may demonstrate directly the conformance to the appropriate Approval Profiles of the constituent Services or they may refer to prior tScheme Approvals awarded to those Services, where they remain current. Note - where components of the services are outsourced to third parties the CA must bear full liability for the overall service offering. Under these circumstances it is under no obligation to make public how it outsources these functions, although it may choose to do so

QC: Where the CA is issuing Qualified Certificates the provision of appropriate evidence must demonstrate explicitly compliance with the requirements of [DIR.99/93]. The S3A must address how the components of the service are inter-related and must apportion matters of ownership, management and operational responsibility for the functional components and how they are allocated to other departments of the business or outsourced to third parties. This information should supplement and make more service-specific the criteria required by the Base Approval Profile.

Back to top

Approval Profile for Signing Key Pair Management - Ref. tSd 0103 (Issue 3.02)

Summary
This document defines the tScheme criteria against which organisations must be successfully assessed in order to be eligible for a Grant of Approval for the provision of services that enable subscribers to trust services to create digital signatures.

Scope
The criteria given in this Approval Profile are related to the provision of Key Management Services that enable subscribers to Trust Services to create digital signatures. Specific aspects of these Services include:

  1. Generation of (or provision of the means of generating) private signing and public signature-verification key pairs (each key of which is from now on referred to respectively as: Signing Key and Verification Key);
  2. Provision of Signing keys, either unassigned or to their rightful subscribers, and their protection and control;
  3. Provision of Verification keys, either unassigned or to their rightful subscribers, and/or to a certificate generation service;
  4. Provision to subscribers of the means of creating signatures using the Signing keys;
  5. Signing capability revocation, i.e. the disablement of Signing keys under the subscriber or TSP’s instructions.

Back to top

Approval Profile for Certificate Generation - Ref. tSd 0104 (Issue 3.01)

Summary
This document defines the tScheme criteria against which organisations must be successfully assessed in order to be eligible for a Grant of Approval for the provision of Certificate Generation services.

Scope
The criteria given in this Approval Profile are related to the provision of Services that result in the creation of an electronic certificate, signed on behalf of an issuing CA in a manner conforming to a published Certificate Policy.

This Service’s function may operate in cooperation with:

  1. services for the registration and verification of the identity of an entity who is entitled to a certificate, together with any qualifying attributes (date of birth, address, credit rating, etc.) as appropriate to the governing Certificate Policy, such as covered by the Approval Profile for Registration;
  2. cryptographic key generation such as covered by the Approval Profiles for Signing Key Pair Management.

Back to top

Approval Profile for Certificate Dissemination - Ref. tSd 0105 (Issue 3.01)

Summary
This document defines the tScheme criteria against which organisations must be successfully assessed in order to be eligible for a Grant of Approval for the provision of Certificate Dissemination services.

Scope
The criteria given in this Approval Profile are related to the provision of services that perform either or both of the following functions:

  1. the provision of certificates to subscribers and, if the subscriber requests or permits, to potential relying parties;
  2. the publication of a certificate through it being held in a repository for subsequent retrieval.

Back to top

Approval Profile for Certificate Status Management - Ref. tSd 0106 (Issue 3.01)

Summary
This document defines the tScheme criteria against which organisations must be successfully assessed in order to be eligible for a Grant of Approval for the provision of services to individuals, corporate entities and other organisations for the management of the validity status of certificates.

Scope
The criteria given in this Approval Profile are related to the provision of Services that manage the status of issued certificates. These Services cover:

  1. the receipt of requests to revoke, suspend or otherwise change a certificate’s status;
  2. the authentication and authorisation of revocation requests;
  3. the determination of a decision to revoke and associated actions;
  4. notification of status change to certificate owners.

Back to top

Approval Profile for Certificate Status Validation - Ref. tSd 0107 (Issue 3.01)

Summary
This document defines the tScheme criteria against which organisations must be successfully assessed in order to be eligible for a Grant of approval for the provision of services to individuals, system objects, corporate entities and other organisations for the verification of the validity status of certificates.

Scope
The criteria given in this Approval Profile are related to the provision of services that enable service users to determine the validity of a certificate at a defined time. The services include those that offer access to a published Certificate Revocation List (CRL), those that actively distribute such lists, and those that directly return the certificate’s status to a requestor, for example as with the On-line Certificate Status Protocol (OCSP).

This Profile does not assess Certificate Status Management, which would provide it with the information to publish. The scope is limited to only the verification of the status of a certificate and expressly excludes services that verify the signatures on certificates, signed documents or files.

Back to top

Notes and legal disclaimer for those requesting profiles:

Anyone wishing to have access to these profiles as PDF files are required to complete the Order Form and supply an email address, upon receipt and confirmation of your details, we will send you a user name and password for the Profiles Online restricted area, where they can be downloaded and viewed. Your email will be retained solely for the purpose of demonstrating your request for access to these Profiles, it will not be used for any other purpose. We will not pass on your details to third parties.
tScheme is registered in the UK under the Data Protection Act.

The Profiles and other documents have been copyrighted by tScheme. They, and any subsequently produced documents, remain the intellectual property of tScheme Limited, and should not be distributed or reproduced in any way without prior consent from tScheme Limited. Ordering a copy of a profile in no way constitutes tScheme approval or membership. If you wish to submit a service for tScheme approval please contact tScheme directly. The Profiles are free for non-commercial use. By this we are not restricting access to businesses, but rather the Profiles must not be used in a way that directly generates revenue.


Back to top