Thales Blog

Harmonising European Audit Standards For Certification Authorities

May 22, 2012

Ensuring that Certification Authorities (CA), and other trust service providers, operate securely and follow current best practice is essential to the security of modern electronic services.

The European Telecommunications Standards Institute (ETSI), working with the international CA and web browser community, and in line with the emerging European regulatory environment for trust and confidence in electronic transactions, has recently issued a number of standards (follow the link and search for "Trust Service Provider") for assuring the secure operation of trust service providers that support the security of electronic transactions.

Much of the Internet and modern e-commerce depends on trusted service providers to establish security between users and their services. When accessing a web site securely, a public key certificate (as defined in X.509) is required to certify the identity of the web site; when digitally signing a PDF document, a certificate is required to certify the identity of the person signing; when providing a high assurance identity for logging in to a remote web service a certificate is required. All these different certificates are provided by a Certification Authority (CA) which is trusted to check identities and properly manage the certificates.

In order to be known to be trustworthy, it is important that a Certification Authority is audited by an independent body against recognised best practice. A number of schemes exist for auditing the operation of such CAs: for web site certificates, the CA/Browser Forum has specified guidelines for the issuance of ‘Baseline’ and ‘Extended Validation’ web site certificates; for electronic signatures, European nations have established various ‘supervisory schemes’ for providers of ‘qualified’ certificates used for signing with legal equivalence to handwritten signatures; for identity certificates, Kantara has established an identity assurance framework. Currently each of these frameworks has developed independently, with no harmonisation, particularly across Europe. Each scheme has its own approach and there is no consistency between them, particularly in the area of electronic signatures.

The need for greater harmonisation for electronic signatures, and also for linking trust services for electronic signatures with those used for other forms of identification and authentication, has been recognised by the European Commission. It has established a programme both to strengthen the existing standardisation and regulatory framework for electronic signatures and to widen its scope to other services for identification and authentication. As part of this work ETSI, a leading European standardisation body with direct membership of commercial enterprises, is establishing a number of standards for assuring the trustworthiness of Certification Authorities and other related Trust Service Providers (e.g. time-stamping, identity assertions). A number of standards have been released for the audit of CAs and trust service providers covering both electronic signature and web site certificates:

  • TS 119 403 Trust Service Providers Conformity Assessment – general requirements and guidance
    This provides a general framework for audit and assessment of trust services across Europe.
  • TS 103 090 Conformity Assessment for Trust Service Providers issuing [CAB Forum] Extended Validation Certificates
    This applies the framework to the audit of Certification Authorities issuing web server certificates in line with the CA/Browser Forum ‘Guidelines for the issuance and management of Extended Validation Certificates’.
  • Draft EN 319 401 General Policy Requirements for Trust Service Providers
    This specifies common requirements for the operation of trust services based on ISO 27000 information security management. When ratified as a European Norm (EN) this has to be taken into account for any major governmental European procurement.
  • Draft EN 319 411-2 & EN 319 411-3: Policy and security requirements for Trust Service Providers issuing certificates [part 2 for qualified certificates and part 3 for other public key certificates]
    This specifies requirements for certification authorities issuing qualified certificates as required by electronic signature regulations in Europe (part 2), and requirements for certification authorities issuing other forms of certificate, including Extended Validation certificates in line with the CA/Browser Forum guidelines (part 3).
  • TR 101 564 Guidance on ETSI TS 102 042 (now draft EN 319 411-3) for Issuing [CAB Forum] Extended Validation Certificates for Auditors and CSPs
    This provides guidance on the application of EN 319 411-3 to Extended Validation certificates for secure web servers.

Note: Further specifications are due to be issued later this year to take into account the recent guidelines of the CA/Browser Forum defining a general ‘Baseline’ for Certification Authorities issuing web server certificates.

With the availability of these specifications, and upcoming regulations strengthening the European Directive on Electronic Signatures, there will be a strong common infrastructure for the assessment of trust services across Europe.