Digests of Issue 3 Approval Profiles

The full (and revised) tScheme profiles are available as PDF documents free of charge for non-commercial use. To track monitoring, you must register (free of charge) - this entitles the user to access to the restricted Approvals Profiles section. To register for access to the profiles please click here. Please also see the notes at the bottom of this page.

Base Approval Profile (tSd0111)
Profile for Registration Services (tSd0042)
Profile for a Certification Authority (tSd0102)
Profile for Signing Key Pair Management (tSd0103)
Profile for Certificate Generation (tSd0104)
Profile for Certificate Dissemination (tSd0105)
Profile for Certificate Status Management (tSd0106)
Profile for Certificate Status Validation (tSd0107)
Profile for Identity Services (tSd0108)
Profile for Credential Validation (tSd0109)



Back to top
Base Approval Profile - tSd 0111 (Issue 3.00)

Summary
This document defines the base tScheme criteria against which Trust Services and the organisations which provide them must be successfully assessed in order to be eligible for approval. It is intended to be used in conjunction with individual Approval Profiles specific to particular service types.

Criteria are listed under assessment topics. For each topic, the basic assessment criteria are identified. These are followed by examples of the typical forms of evidence that could be provided to an assessor. The evidence indication, while being as comprehensive as possible, is intended neither to be exhaustive nor mandatory. In all cases, the actual evidence to be provided must be agreed in advance between the TSP and the tScheme-recognised Assessor.

Compliance with this Approval Profile will then be achieved by satisfying the criteria in the succeeding sub-sections [available in full text copies]

Back to top
Approval Profile for Registration Services - tSd0042 (Issue 3.02)

Summary
This document defines the tScheme criteria against which organisations must be successfully assessed in order to be eligible for approval for the provision of services to individuals, system objects, corporate entities and other organisations for the verification and registration of identity and other attributes.

Scope
The criteria given in this Approval Profile are related to the provision of services which verify and register claimed registrant attributes. No specific constraint of scope is intended in this profile on the types of attribute which can potentially be verified using these services, or how they can be verified. In principle, the types of attribute examined in a Registration Service could range widely. For example they could be those:

  1. associated with personal identity, such as name, address, and birth date;
  2. related to a registrant’s employment or position in society, such as name of employee, creditworthiness, bank account number or club membership;
  3. belonging to IT system objects such as Virtual Private Network nodes.
Notwithstanding this, tScheme does however offer support on specific Registration Services. These are provided in separate documents that are detailed under External Standards and Guidelines. To demonstrate compliance, providers of such Registration Services are recommended to ask their Assessors to assess conformance to these documents when performing their Assessment

Back to top
Approval Profile for a Certification Authority [[QC: issuing Qualified Certificates]] - tSd 0102 (Issue 3.01)

Summary
This document defines the tScheme criteria against which organisations must be successfully assessed in order to be eligible for approval for the provision of Certification Authority services.

Scope
The criteria given in this Approval Profile are related to the overall provision and life-cycle management of certification services [[QC: issuing Qualified Certificates]]. Life-cycle management provides for Services supporting the registration and verification of key holders, initial creation and personalisation of encryption keys, tokens and certificates, the secure distribution of keys/tokens and publication of certificates, the maintenance of certificate currency and validity through re-certification and revocation processes.

QC: Where the CA is issuing Qualified Certificates the provision of appropriate evidence must demonstrate explicitly compliance with the requirements of [DIR.99/93]. The S3A must address how the components of the service are inter-related and must apportion matters of ownership, management and operational responsibility for the functional components and how they are allocated to other departments of the business or outsourced to third parties. This information should supplement and make more service-specific the criteria required by the Base Approval Profile.

Note - where components of the services are outsourced to third parties the TSP must bear full liability for the overall service offering. Under these circumstances it is under no obligation to make public how it outsources these functions, although it may choose to do so.

Back to top
Approval Profile for Signing Key Pair Management - Ref. tSd 0103 (Issue 3.02)

Summary
This document defines the tScheme criteria against which organisations must be successfully assessed in order to be eligible for approval for the provision of services which enable subscribers to Trust services to create digital signatures. 

Scope
  1. Generation of (or provision of the means of generating) private signing and public signature-verification key pairs (each key of which is from now on referred to respectively as: Signing Key and Verification Key);
  2. Provision of Signing keys, either unassigned or to their rightful subscribers, and their protection and control;
  3. Provision of Verification keys, either unassigned or to their rightful subscribers, and/or to a certificate generation service;
  4. Provision to subscribers of the means of creating signatures using the Signing keys;
  5. Signing capability revocation, i.e. the disablement of Signing keys under the subscriber or TSP’s instructions.

Back to top
Approval Profile for Certificate Generation - Ref. tSd 0104 (Issue 3.01)

Summary
This document defines the tScheme criteria against which organisations must be successfully assessed in order to be eligible for approval for the provision of Certificate Generation services.

Scope
This service component relies on:
  1. Services for the registration and verification of the identity of an entity who is entitled to a certificate, together with any qualifying attributes (date of birth, address, credit rating, etc.) as appropriate to the governing Certificate Policy, such as covered by the Approval Profile for Registration;
  2. cryptographic key generation such as covered by the Approval Profiles for Signing Key Pair Management and Confidentiality Key Pair Management.

Back to top
Approval Profile for Certificate Dissemination - Ref. tSd 0105 (Issue 3.01)

Summary
This document defines the tScheme criteria against which organisations must be successfully assessed in order to be eligible for approval for the provision of Certificate Dissemination services.

Scope
The criteria given in this Approval Profile are related to the provision of services which perform either or both of the following functions:
  1. The Provision of certificates to subscribers and, if the subscriber requests or permits, to potential relying parties;
  2. The Publication of a certificate through it being held in a repository for subsequent retrieval.

Back to top
Approval Profile for Certificate Status Management - Ref. tSd 0106 (Issue 3.01)

Summary
This document defines the tScheme criteria against which organisations must be successfully assessed in order to be eligible for approval for the provision of services to individuals, corporate entities and other organisations for the management of the validity status of certificates.

Scope
  1. The receipt of requests to revoke, suspend or otherwise change a certificate’s status;
  2. The authentication and authorisation of revocation requests;
  3. The determination of a decision to revoke and associated actions;
  4. Notification of status change to certificate owners.

Back to top
Approval Profile for Certificate Status Validation - Ref. tSd 0107 (Issue 3.01)

Summary
This document defines the tScheme criteria against which organisations must be successfully assessed in order to be eligible for approval for the provision of services to individuals, system objects, corporate entities and other organisations for the verification of the validity status of certificates.

Scope
The criteria given in this Approval Profile are related to the provision of services that enable service users to determine the validity of a certificate at a defined time. The services include those that offer access to a published Certificate Revocation List (CRL), those that actively distribute such lists, and those that directly return the certificate's status to a requestor, for example as with the On-line Certificate Status Protocol (OCSP). This Profile does not assess Certificate Status Management, which would provide it with the information to publish. The scope is limited to only the verification of the status of a certificate and expressly excludes services that verify the signatures on certificates, signed documents or files.

Back to top
Approval Profile for Identity Services - tSd0108 (Issue 2.00)

Summary
This document defines the tScheme criteria against which organisations must be successfully assessed in order to be eligible for approval for the provision of services to Government, individuals, system objects, corporate entities and other relying parties for the provision of credentials to enable the authentication of the identity of individuals.

Scope
The criteria given in this Approval Profile are related to Services that are established to enable an individual to register with the Identity Service Provider in order to gain the means of transacting electronically with relying parties. These relying parties, who will be either Trust Service Providers or some other kind of service providers, need to be able to trust that ultimately they are transacting with the individual from whom the electronic transaction appears to originate. The Identity Service Provider links an electronic identity with a real-world identity. The registrant presents proof of their real-world identity (e.g. documentation such as Passport, Driving Licence or pre-existing electronic evidence) to the Identity Service Provider so that they can validate and verify the registrant’s claimed real-world identity. No specific constraint of scope is intended in this Profile on how these processes could be carried out.

The verification process must, as a minimum, comply with the requirements laid down by one of the Recognised Verification Requirements, for example, the UK government’s minimum requirements for the verification of the identity of individuals. As a result of a successful identity authentication, the registrant will be allocated an electronic identity, which might be the name of the registrant, a pseudonym or some other identifier (e.g. National Insurance Number) or combination thereof. They will then be issued with the means to authenticate themselves against this electronic identity; hereafter such means are termed a credential. In principle, the types of credential used by an Identity Service Provider could range widely and might involve an electronic or physical credential.

Examples of such credentials could include:
  1. a PIN and/or password (knowledge credential);
  2. a public-key certificate (electronic credential);
  3. a biometric token (physical credential);
  4. an electronic token (virtual credential).
Note that any further uses of the credential other than for credential authentication against the electronic identity are out of scope of this Profile.

Finally, the Identity Service Provider must also provide, directly or indirectly, the means by which the lifecycle of the credential can be managed. For example, recovering or replacing lost PINs and passwords or revoking public-key certificates.

This Profile is intended both for large organisations that apply a defined set of requirements when validating and verifying identities of individuals already known to them, either as customers or employees etc, who then wish to provide these individuals with credentials that can be used to access online services from, amongst others, the UK government; and also for Identity Service Providers who are providing such credentials as a Service to a given community.

Back to top
Approval Profile for Credential Validation - tSd0109 (Issue 1.01)

Summary
This document defines the tScheme criteria against which organisations must be successfully assessed in order to be eligible for approval for the provision of services to Government, individuals, system objects, corporate entities and other relying parties for the validation of credentials to enable the authentication of the identity of individuals.

Scope
The criteria given in this Approval Profile are related to Services that are established to enable an individual to register with an Identity Service Provider in order to gain the means of transacting electronically with relying parties. These relying parties, who will be either Trust Service Providers or some other kind of service providers, need to be able to trust that ultimately they are transacting with the individual from whom the electronic transaction appears to originate.The Identity Service Provider links an electronic identity with a real-world identity. The End User presents proof of their real-world identity (e.g. documentation such as Passport, Driving Licence or pre-existing electronic evidence) to the Identity Service Provider so that they can validate and verify the registrant’s claimed real-world identity, issue them with a credential and then (if appropriate) pass authentication data to support credential validation to a Credential Validation Service Provider. No specific constraint of scope is intended in this Profile on how these processes could be carried out.

For some simple credentials, such as those based on PKI certificates, all that the credential validation service does is to confirm that the credential is valid and has not been suspended or revoked; for more sophisticated credentials, such as Chip & PIN smartcards, the credential validation service can support a Challenge/Response function to provide additional assurance that the credential is being used by an End User that knows how to access the credential. However, assurance that it is the correct End User depends on the strength of the registration process and on the security applied to prevent improper access to the credential. These factors are out of scope for the credential validation service.

Notes and legal disclaimer for those requesting profiles:

The profiles can be sent as PDF files electronically to the email address specified, but upon receipt and confirmation of your details, we will simply send you a user name and password for the Profiles Online restricted area, where they can be downloaded and viewed. For those ordering from overseas, we may contact you prior to sending the documents. To monitor the distribution and for marketing your details will be kept and you may receive further information from tScheme. We will not pass on your details to third parties, but if you do not want us to retain your data, please make this clear when confirming your order. tScheme is registered in the UK under the Data Protection Act.

The Profiles and other documents have been copyrighted by tScheme. They, and any subsequently produced documents, remain the intellectual property of tScheme Limited, and should not be distributed or reproduced in any way without prior consent from tScheme Limited. Ordering a copy of a profile in no way constitutes tScheme approval or membership. If you wish to submit a service for tScheme approval please contact tScheme directly.

The Profiles are free for non-commercial use. By this we are not restricting access to businesses, but rather the Profiles must not be used in a way that directly generates revenue.