Digests of Issue 3 Approval Profiles
The full tScheme profiles are available as PDF documents free of charge for non-commercial use. To track monitoring, you must register
(free of charge) - this entitles the user to access to the restricted Approvals Profiles section. To register for access to the profiles please
click here. Please also see the notes at the bottom of this page.
Base Approval Profile (tSd0111)
Profile for Registration Services (tSd0042)
Profile for a Certification Authority (tSd0102)
Profile for Signing Key Pair Management (tSd0103)
Profile for Certificate Generation (tSd0104)
Profile for Certificate Dissemination (tSd0105)
Profile for Certificate Status Management (tSd0106)
Profile for Certificate Status Validation (tSd0107)
Profile for Identity Services (tSd0108)
Profile for Credential Validation (tSd0109)
The topics are:
Compliance with this Approval Profile will then be achieved by satisfying the criteria in the subsequent sub-sections [available in full text copies]
Approval Profile for Registration Services - tSd0042 (Issue 3.02)
Summary
This document defines the tScheme criteria against which organisations must be successfully assessed in order to be eligible for approval for
the provision of services to individuals, system objects, corporate entities and other organisations for the verification and registration of
identity and other attributes.
Scope
The criteria given in this Approval Profile are related to the provision of services which verify and register claimed registrant attributes. No
specific constraint of scope is intended in this profile on the types of attribute which can potentially be verified using these services, or how they
can be verified. In principle, the types of attribute examined in a Registration Service could range widely. For example they could be those:
Notwithstanding this, tScheme does however offer support on specific Registration Services. These are provided in separate documents that are
detailed under External Standards and Guidelines. To demonstrate compliance,
providers of such Registration Services are recommended to ask their Assessors to assess conformance to these documents when performing their
Assessment
Approval Profile for a Certification Authority [[QC: issuing Qualified Certificates]] - tSd 0102 (Issue 3.01)
Summary
This document defines the tScheme criteria against which organisations must be successfully assessed in order to be eligible for approval for
the provision of Certification Authority services.
Scope
The criteria given in this Approval Profile are related to the overall provision and life-cycle management of certification services
[[QC: issuing Qualified Certificates]]. Life-cycle management provides for Services supporting the registration and verification of key holders,
initial creation and personalisation of encryption keys, tokens and certificates, the secure distribution of keys/tokens and publication of
certificates, the maintenance of certificate currency and validity through re-certification and revocation processes.
QC: Where the CA is issuing Qualified Certificates the provision of appropriate evidence must demonstrate explicitly compliance with the requirements
of [DIR.99/93]. The S3A must address how the components of the service are inter-related and must apportion matters of ownership, management and
operational responsibility for the functional components and how they are allocated to other departments of the business or outsourced to third
parties. This information should supplement and make more service-specific the criteria required by the Base Approval Profile.
Note - where components of the services are outsourced to third parties the TSP must bear full liability for the overall service offering. Under these
circumstances it is under no obligation to make public how it outsources these functions, although it may choose to do so.
Approval Profile for Signing Key Pair Management - Ref. tSd 0103 (Issue 3.02)
Summary
This document defines the tScheme criteria against which organisations must be successfully assessed in order to be eligible for approval for
the provision of services that enable subscribers to trust services to create digital signatures.
Scope
Approval Profile for Certificate Generation - Ref. tSd 0104 (Issue 3.01)
Summary
This document defines the tScheme criteria against which organisations must be successfully assessed in order to be eligible for approval for
the provision of Certificate Generation services.
Scope
This service component relies on:
Approval Profile for Certificate Dissemination - Ref. tSd 0105 (Issue 3.01)
Summary
This document defines the tScheme criteria against which organisations must be successfully assessed in order to be eligible for approval for
the provision of Certificate Dissemination services.
Scope
The criteria given in this Approval Profile are related to the provision of services that perform either or both of the following functions:
Approval Profile for Certificate Status Management - Ref. tSd 0106 (Issue 3.01)
Summary
This document defines the tScheme criteria against which organisations must be successfully assessed in order to be eligible for approval for
the provision of services to individuals, corporate entities and other organisations for the management of the validity status of certificates.
Scope
Approval Profile for Certificate Status Validation - Ref. tSd 0107 (Issue 3.01)
Summary
This document defines the tScheme criteria against which organisations must be successfully assessed in order to be eligible for approval for
the provision of services to individuals, system objects, corporate entities and other organisations for the verification of the validity status of
certificates.
Scope
The criteria given in this Approval Profile are related to the provision of services that enable service users to determine the validity of a certificate
at a defined time. The services include those that offer access to a published Certificate Revocation List (CRL), those that actively distribute such
lists, and those that directly return the certificate’s status to a requestor, for example as with the On-line Certificate Status Protocol (OCSP).
This Profile does not assess Certificate Status Management, which would provide it with the information to publish. The scope is limited to only the
verification of the status of a certificate and expressly excludes services that verify the signatures on certificates, signed documents or files.
Approval Profile for Identity Services - tSd0108 (Issue 2.00)
Summary
This document defines the tScheme criteria against which organisations must be successfully assessed in order to be eligible for approval for
the provision of services to Government, individuals, system objects, corporate entities and other relying parties for the provision of credentials to
enable the authentication of the identity of individuals.
Scope
The criteria given in this Approval Profile are related to Services that are established to enable an individual to register with the Identity Service
Provider in order to gain the means of transacting electronically with relying parties. These relying parties, who will typically be either Trust
Service Providers or some other kind of service providers, need to be able to trust that ultimately they are transacting with the individual from whom
the electronic transaction appears to originate.
The Identity Service Provider links an electronic identity with a real-world identity. The registrant presents proof of their real-world identity
(e.g. documentation such as Passport, Driving Licence or pre-existing electronic evidence) to the Identity Service Provider so that they can validate
and verify the registrant’s claimed real-world identity. No specific constraint of scope is intended in this Profile on how these processes could
be carried out. The verification process must, as a minimum, comply with the requirements laid down by one
of the Recognised Verification Requirements, for example, the UK Government’s minimum
requirements for the verification of the identity of individuals. As a result of a successful identity authentication, the registrant will be allocated
an electronic identity, which might be the name of the registrant, a pseudonym or some other identifier (e.g. National Insurance Number) or combination
thereof. They will then be issued with the means to authenticate themselves against this electronic identity; hereafter such means are termed a
credential. In principle, the types of credential used by an Identity Service Provider could range widely and might involve an electronic or physical
credential.
Examples of such credentials could include:
Note that any further uses of the credential other than for credential authentication against the electronic identity are out of scope of this Profile.
Finally, the Identity Service Provider must also provide, directly or indirectly, the means by which the lifecycle of the credential can be managed. For
example, recovering or replacing lost PINs and passwords or revoking public-key certificates.
This Profile is intended both for large organisations that apply a defined set of requirements when validating and verifying identities of individuals
already known to them, either as customers or employees etc, who then wish to provide these individuals with credentials that can be used to access
online services from, amongst others, the UK Government; and also for Identity Service Providers who are providing such credentials as a Service to a
given community.
Approval Profile for Credential Validation - tSd0109 (Issue 1.01)
Summary
This document defines the tScheme criteria against which organisations must be successfully assessed in order to be eligible for approval for
the provision of services to Government, individuals, system objects, corporate entities and other relying parties for the validation of credentials to
enable the authentication of the identity of individuals.
Scope
The criteria given in this Approval Profile are related to Services that are established to enable an individual to register with an Identity Service
Provider in order to gain the means of transacting electronically with relying parties. These relying parties, who will be either Trust Service
Providers or some other kind of service providers, need to be able to trust that ultimately they are transacting with the individual from whom the
electronic transaction appears to originate. The Identity Service Provider links an electronic identity with a real-world identity. The End User
presents proof of their real-world identity (e.g. documentation such as Passport, Driving Licence or pre-existing electronic evidence) to the Identity
Service Provider so that they can validate and verify the registrant’s claimed real-world identity, issue them with a credential and then (if
appropriate) pass authentication data to support credential validation to a Credential Validation Service Provider. No specific constraint of scope is
intended in this Profile on how these processes could be carried out.
For some simple credentials, such as those based on PKI certificates, all that the credential validation service does is to confirm that the credential
is valid and has not been suspended or revoked; for more sophisticated credentials, such as Chip & PIN smartcards, the credential validation
service can support a Challenge/Response function to provide additional assurance that the credential is being used by an End User that knows how to
access the credential. However, assurance that it is the correct End User depends on the strength of the registration process and on the security
applied to prevent improper access to the credential. These factors are out of scope for the credential validation service.
Notes and legal disclaimer for those requesting profiles:
Anyone wishing to have access to these profiles as PDF files are required to complete the Order Form and supply an email address, upon receipt and
confirmation of your details, we will send you a user name and password for the Profiles Online restricted area, where they can be downloaded and
viewed. To monitor the distribution and for marketing purposes, your details will be kept and you may receive further information from tScheme.
We will not pass on your details to third parties, but if you do not want us to retain your data, please make this clear when confirming your order.
tScheme is registered in the UK under the Data Protection Act.
The Profiles and other documents have been copyrighted by tScheme. They, and any subsequently produced documents, remain the intellectual
property of tScheme Limited, and should not be distributed or reproduced in any way without prior consent from tScheme Limited. Ordering a
copy of a profile in no way constitutes tScheme approval or membership. If you wish to submit a service for tScheme approval please
contact tScheme directly. The Profiles are free for non-commercial use. By this we are not restricting
access to businesses, but rather the Profiles must not be used in a way that directly generates revenue.
Back to top