Digests of Approval Profiles for IdP-related Services

The full tScheme profiles are available as PDF documents free of charge for non-commercial use. To track monitoring, you must register (free of charge); this entitles the user to access the restricted Approvals Profiles section. To register for access to the profiles please click here. Please also see the notes at the bottom of this page.

Base Approval Profile (tSd0111)
Profile for Identity Registration (tSd0108)
Profile for Credential Validation (tSd0109)
Profile for Attribute Registration (tSd0110)
Profile for an Identity Provider (tSd0112)
Profile for Credential Management (tSd0113)





Base Approval Profile - tSd 0111 (Issue 3.00)

Summary
This document defines the base tScheme criteria against which Trust Services and the organisations which provide them must be successfully assessed in order to be eligible for a Grant of Approval. It is intended to be used in conjunction with individual Approval Profiles specific to particular service types.

Scope
Criteria are listed under assessment topics. For each topic, the basic assessment criteria are identified. These are followed by examples of the typical forms of evidence that could be provided to an assessor. The evidence indication, while being as comprehensive as possible, is intended neither to be exhaustive nor mandatory. In all cases, the actual evidence to be provided must be agreed in advance between the TSP and the tScheme-recognised Assessor.


Compliance with this Approval Profile will then be achieved by satisfying the criteria in the subsequent sub-sections [available in full text copies].



Approval Profile for Identity Registration - tSd0108 (Issue 2.06)

Summary
This document defines the tScheme criteria against which organisations must be successfully assessed in order to be eligible for a Grant of Approval for the provision of services to Government, individuals, system objects, corporate entities and other relying parties for the verification and registration of identity attributes.

Scope
The criteria given in this Approval Profile are related to Services that are established to enable an individual to register with an Identity Provider in order to gain the means of transacting electronically with relying parties. These relying parties, who will typically be either Trust Service Providers or some other kind of service providers, need to be able to trust that ultimately they are transacting with the individual from whom the electronic transaction appears to originate.

The Identity Service Provider links an electronic identity with a real-world identity. The registrant presents proof of their real-world identity (e.g. documentation such as Passport, Driving Licence or pre-existing electronic evidence) to the Identity Registration Service so that they can validate and verify the registrant’s claimed real-world identity. No specific constraint of scope is intended in this Profile on how these processes could be carried out. The verification process must, as a minimum, comply with the requirements laid down by one of the Recognised Verification Requirements, for example, the UK Government’s minimum requirements for the verification of the identity of individuals. As a result of a successful identity authentication, the registrant will be allocated an electronic identity, which might be the name of the registrant, a pseudonym or some other identifier (or combination thereof). They will then be issued with the means to authenticate themselves against this electronic identity; hereafter such means are termed a credential. In principle, the types of credential used by an Identity Provider could range widely and might involve an electronic or physical credential.

Examples of such credentials could include:

  1. a PIN and/or password (virtual credential);
  2. a one-time password generator or smartcard (physical credential);
  3. a biometric token (biometric credential).

Note that any further uses of the credential other than for credential authentication against the electronic identity are out of scope of this Profile. Finally, the Identity Registration Service must also provide, directly or indirectly, the means by which the lifecycle of the credential can be managed, for example, recovering or replacing lost PINs and passwords or smartcards.

This Profile is intended to support both organisations that act as Identity Providers and apply a defined set of requirements when validating and verifying identities of individuals already known to them, either as customers or employees etc, who then wish to provide these individuals with credentials that can be used to access online services from, amongst others, the UK government; and also commercial Identity Providers who are providing such credentials as a Service to a given community.



Approval Profile for Credential Validation - tSd0109 (Issue 1.04)

Summary
This document defines the tScheme criteria against which organisations must be successfully assessed in order to be eligible for a Grant of Approval for the provision of services to Government, individuals, system objects, corporate entities and other relying parties for the validation of credentials to enable the authentication of the identity of individuals.

Scope
The criteria given in this Approval Profile are related to Services that are established to enable an individual to register with an Identity Provider in order to gain the means of transacting electronically with relying parties. These relying parties, who will be either Trust Service Providers or some other kind of service providers, need to be able to trust that ultimately they are transacting with the individual from whom the electronic transaction appears to originate. The Identity Provider links an electronic identity with a real-world identity. The End User presents proof of their real-world identity (e.g. documentation such as Passport, Driving Licence or pre-existing electronic evidence) to the Identity Provider so that they can validate and verify the registrant’s claimed real-world identity, issue them with a credential and then (if appropriate) pass authentication information to support credential validation to a Credential Validation Service Provider. No specific constraint of scope is intended in this Profile on how these processes could be carried out.

For some simple credentials, such as those based on PIN and Password, all that the credential validation service does is to confirm that the credential is valid and has not been suspended or revoked; for more sophisticated credentials, such as Chip & PIN smartcards, the credential validation service can support a Challenge/Response function to provide additional assurance that the credential is being used by an End User that knows how to access the credential. However, assurance that it is the correct End User depends on the strength of the registration process and on the security applied to prevent improper access to the credential. These factors are out of scope for the credential validation service.



Approval Profile for Attribute Registration - tSd0110 (Issue 1.00)

Summary
This document defines the tScheme criteria against which organisations must be successfully assessed in order to be eligible for a Grant of Approval for the provision of Services to Government, individuals, system objects, corporate entities and other relying parties for the correlation of qualification evidence with an electronic identity sufficient to support addition of relevant attributes to the entity represented by the electronic identity.

Scope
The criteria given in this Approval Profile are related to Services that are established to enable an individual in possession of a credential to associate additional attributes with that credential in order to be able to assert those attributes to relying parties. These relying parties, who will be either Trust Service Providers or some other kind of service providers, need to be able to trust that ultimately they are transacting with the individual from whom the electronic transaction appears to originate.

In order to be able to assert additional attributes within a scheme or community, an individual will make use of an Attribute Registration Service in order to demonstrate their right to assert such attributes (such as educational qualifications, proof of successful training, affiliation to a society or professional body, etc). The registrants will identify themselves to the Attribute Registration Service, and then apply for additional attributes to be associated with their electronic identity.

To identify themselves, the registrants will either use the appropriate credential or, if the process is within a managed scheme, present proof of their real-world identity sufficient to identify themselves within the scheme. No specific constraint of scope is intended in this Profile on how these processes could be carried out. Having identified themselves, the registrants will then produce evidence to support their claim that they are entitled to assert additional attributes. This attribute verification process must comply with rules published and understood by the scheme or community.



Approval Profile for an Identity Provider - tSd0112 (Issue 1.00)

Summary
This document defines the tScheme criteria against which organisations must be successfully assessed in order to be eligible for a Grant of Approval for the provision of an Identity Provider (IdP) Service.

Scope
The criteria given in this Approval Profile are related to the overall provision and life-cycle management of an Identity Credential (other than a PKI certificate, which is covered in the Approval Profile for a Certification Authority). Life-cycle management provides for the registration and verification of the particular identity attributes of the subject; initial creation and personalisation of credentials and/or tokens (as appropriate); the secure distribution of credentials/tokens; the maintenance of credential status; the potential for adding additional, verified attributes; and the provision of suspension/revocation processes.

Some of these functions could be offered as stand-alone Services so, to avoid repetition of the related criteria, they have been removed from this Approval Profile and placed in appropriate service-specific Approval Profiles. Nevertheless they are still part of the provision of an Identity Provider Service. The Services that together make up the full Identity Provider Service, whether operated directly by the organisation offering the Identity Provider Service or whether outsourced to various other third parties, are required to fulfil the criteria defined in the following further Approval Profiles:


Some of these Services are regarded as being mandatory parts of an Identity Provider Service and the implied requirements of any text are mandatory; the other Services, referred to within ‘curly’ brackets, { …thus… }, are optional and the Identity Provider must make clear whether or not they are intending to be assessed against them.

The Identity Provider has responsibility for ensuring conformance with the procedures prescribed in the applicable Service Policy even when constituent part-Services are outsourced to third parties. This requires the inclusion in its Service Policy Disclosure Statement of relevant practices undertaken by all parties contributing to the overall Service provision. The Identity Provider may demonstrate directly the conformance to the appropriate Approval Profiles of the constituent Services or they may refer to prior tScheme Approvals awarded to those Services, where they remain current.



Approval Profile for Credential Management - tSd0113 (Issue 1.00)

Summary
This document defines the tScheme criteria against which organisations must be successfully assessed in order to be eligible for a Grant of Approval for the provision of Services to Government, individuals, system objects, corporate entities and other relying parties for the management of the lifecycle of credentials used to enable the authentication of the identity of individuals.

Scope
The criteria given in this Approval Profile are related to the provision of Services that manage the lifecycle of issued credentials. Such Services cover:

  1. the receipt of requests to revoke, suspend or otherwise change a credential’s status;
  2. the authentication and authorisation of such requests;
  3. the determination of a decision to change a credential’s status and associated actions;
  4. notification of status change to credential owners.

In the overall design of an Identity Provider Service there is likely to be some flexibility as to where the lifecycle management of credentials and, if applicable, additional attributes is performed. It will either be part of the Identity Provider Service itself or it will be performed by the appropriate registration service. It could also be a mixture of both with some registration service providers managing the lifecycle of credentials/attributes of their registrants with the remaining registrants managed by the overall Identity Provider Service. It is thus up to the Identity Provider Service to demonstrate that, as part of its overall Assessment, the relevant criteria in this Profile are satisfied for all their issued credentials and, if applicable, all associated additional attributes.



Notes and legal disclaimer for those requesting profiles:

Anyone wishing to have access to these profiles as PDF files is required to complete the Order Form and supply an email address. Upon receipt and confirmation of your details, we will send you a user name and password for the Profiles Online restricted area, where they can be downloaded and viewed. Your email will be retained solely for the purpose of demonstrating your request for access to these Profiles; it will not be used for any other purpose. We will not pass on your details to third parties.
tScheme is registered in the UK under the Data Protection Act.

The Profiles and other documents have been copyrighted by tScheme. They, and any subsequently produced documents, remain the intellectual property of tScheme Limited, and should not be distributed or reproduced in any way without prior consent from tScheme Limited. Ordering a copy of a profile in no way constitutes tScheme approval or membership. If you wish to submit a service for tScheme approval please contact tScheme directly. The Profiles are free for non-commercial use. By this we are not restricting access to businesses, but rather the Profiles must not be used in a way that directly generates revenue.

