Digital Trust Department
PKI Form no. 001A
Application to grant, extend or renew an accreditation for a Certification Service Provider

Modifications: address change

1, avenue du Swing
L-4367 Belvaux
Tel.: (+352) 247 743 - 53
Fax: (+352) 247 943 - 50
confiance-numerique@ilnas.etat.lu

PKI Form no. 001A | 04.02.2013 | Version 03
Checked by Alain Wahl
Approved by Jean-Philippe Humbert
The updated version of this template is available on www.ilnas.lu. The printed versions are not managed.

Information about the form

This questionnaire provides information about any application to grant, extend or renew the scope of accreditation. The general accreditation process is described in the document PKI_P001 – “Accreditation of Certification Service Providers issuing certificates or providing other services related to electronic signatures”.

To grant or renew an accreditation, please attach form F001B – Obligation for certification service providers, completed and signed, to this application form.

The Digital Trust Department of ILNAS undertakes to respect the confidentiality of the information provided in the questionnaire and attached documents. The documents forming part of an accreditation file, excluding the certificates of accreditation and the technical appendices, cannot be sent to third parties by the Digital Trust Department of ILNAS without the prior written agreement of the organization, except within the framework of a legal enquiry or a procedure of mutual acknowledgement. The Digital Trust Department of ILNAS does not publish the existence of an accreditation application in any way.

Please do not fill in the areas that have not changed since the last questionnaire.
In addition, the organization is responsible for updating, with the Digital Trust Department of ILNAS, the information provided in this questionnaire, whenever necessary. This information will be made available to the Digital Trust Department assessors for each assessment, as well as to the Electronic Signature Committee reviewing the accreditation file.

All of the documents relating to the way in which the Digital Trust Department of ILNAS functions can be found on the following Internet site: http://www.ilnas.public.lu

The duly completed form must be sent or taken in an envelope marked "confidential" to:

ILNAS
Digital Trust Department
1, avenue du Swing
L-4367 Belvaux

Please also send an electronic copy of this form to the address confiance-numerique@ilnas.etat.lu

This application can only be accepted if the administration costs due for an initial accreditation and for each reassessment have been paid. If several applications for accreditation are made at the same time, the administration costs are however payable only once.

A. General information

A.1. Identification of the company or the institution under whose control the certification service provider operates

name:
street and no.:
town:
country:
postcode:
postal address:
name of legal representative:
company type:
legal status:
trade register no.:
telephone:
fax:
web site:
e-mail:
position:

A.2. Principal activities of the company or the institution

A.3. Is the company or institution part of a group?
if so, which:
A.4. Does the company or the institution have any subsidiaries?
if so, identify the main ones:

B. Information about the certification service provider

B.1. Identification of the applicant organization if different from the company or the institution

name:
street and no.:
town:
country:
postcode:
postal address:
telephone:
fax:
web site:
e-mail:

If the applicant organization has more locations from which it performs the CSP activities for which accreditation is sought, please specify these locations and the activities concerned on the next page.

Specification of more locations from which the applicant organization performs CSP activities. Please also clearly specify, per location, the actual CSP activities performed there.

name:
street and no.:
town:
country:
postcode:
postal address:
telephone:
fax:
web site:
e-mail:
CSP activity:

name:
street and no.:
town:
country:
postcode:
postal address:
telephone:
fax:
web site:
e-mail:
CSP activity:

Please copy this page as necessary to specify all locations.

B.2. Personnel

applicant organization’s permanent staff or full-time equivalents:
applicant organization’s technical staff or full-time equivalents:

B.3. Reference language

what is your reference language:

B.4. Principal activities of the applicant organization if different from the company or institution

B.5. This application concerns an accreditation demand for a:

Note: For the different selected services, if the applicant organization is different from the certification service provider, please complete the summary table, by certificate level and CSP Service concerned, in appendix 1.

Certification Service Provider which is a Certification Authority issuing qualified certificates [1]

Note: a CSP established in the Grand-Duché de Luxembourg and issuing qualified certificates shall notify the Digital Trust Department of ILNAS of its operations (“Loi du 14 août 2000 relative au commerce électronique” [see document PKI_F006]). Notification shall be given immediately upon the start of issuing qualified certificates (see document PKI_P005).

The Certification Authority issuing qualified certificates provides these services:

Registration Service [Standard ETSI TS 101 456:2007]
Certificate Generation Service [Standard ETSI TS 101 456:2007]
Dissemination Service [Standard ETSI TS 101 456:2007]
Revocation Management Service [Standard ETSI TS 101 456:2007]
Revocation Status Service [Standard ETSI TS 101 456:2007]
Subject Device Provision Service [Standard ETSI TS 101 456:2007]

[1] A « Qualified Certificate » is a certificate which satisfies the requirements referred to in articles 2 and 3 of the « Règlement grand-ducal du 1er juin 2001 relatif aux signatures électroniques, au paiement électronique, et à la création du comité "commerce électronique" ». A signature based on a qualified certificate must be made using a Secure Signature Creation Device. The requirements for this device are defined in article 4 of the « Règlement grand-ducal du 1er juin 2001 relatif aux signatures électroniques, au paiement électronique, et à la création du comité "commerce électronique" ».
Note: ETSI TS 101 456:2007 is the reference document which provides « Policy requirements for certification authorities issuing qualified certificates ». A CSP seeking accreditation under the ETSI TS 101 456:2007 standard must apply for all six services listed in this form. A request for this kind of accreditation automatically allows the validation of requests for the other types of accreditation proposed in this form under the standard ETSI TS 102 042:2012.

The CSP is in possession of an EDP Audit Statement confirming the trustworthiness of the system(s) used, in reference with Trustworthy Systems for CSPs [Standard CWA 14167-1:2003].

Yes / No

If yes:
EDP Audit Statement issued to the manufacturer/supplier of the trustworthy system
EDP Audit Statement issued to the certification service provider

Note: CWA (CEN Workshop Agreement) 14167-1:2003 is the reference document which provides « Security Requirements for Trustworthy Systems Managing Certificates for Electronic Signatures – Part 1: System Security Requirements ».
Certification Service Provider which is a Certification Authority issuing public key certificates in reference with a “Normalized” Certificate Policy [2] (NCP)

The Certification Authority issuing public key certificates provides these services:

Registration Service [Standard ETSI TS 102 042:2012]
Certificate Generation Service [Standard ETSI TS 102 042:2012]
Dissemination Service [Standard ETSI TS 102 042:2012]
Revocation Management Service [Standard ETSI TS 102 042:2012]
Revocation Status Service [Standard ETSI TS 102 042:2012]
Subject Device Provision Service [Standard ETSI TS 102 042:2012]

Note: ETSI TS 102 042:2012 is the referential which provides « Policy requirements for certification authorities issuing public key certificates ».

The CSP is in possession of an EDP Audit Statement confirming the trustworthiness of the system(s) used, in reference with Trustworthy Systems for CSPs [Standard CWA 14167-1:2003].

Yes / No

If yes:
EDP Audit Statement issued to the manufacturer/supplier of the trustworthy system
EDP Audit Statement issued to the certification service provider

[2] The “Normalized” Certificate Policy provides a level of quality the same as that offered by qualified certificates, without being tied to the Electronic Signature Directive (1999/93/EC) and without requiring use of a secure user (signing or decrypting) device.
Certification Service Provider which is a Certification Authority issuing public key certificates in reference with a Lightweight Certificate Policy [3] (LCP)

The Certification Authority issuing public key certificates provides these services:

Registration Service [Standard ETSI TS 102 042:2012]
Certificate Generation Service [Standard ETSI TS 102 042:2012]
Dissemination Service [Standard ETSI TS 102 042:2012]
Revocation Management Service [Standard ETSI TS 102 042:2012]
Revocation Status Service [Standard ETSI TS 102 042:2012]
Subject Device Provision Service [Standard ETSI TS 102 042:2012]

The CSP is in possession of an EDP Audit Statement confirming the trustworthiness of the system(s) used, in reference with Trustworthy Systems for CSPs [Standard CWA 14167-1:2003].

Yes / No

If yes:
EDP Audit Statement issued to the manufacturer/supplier of the trustworthy system
EDP Audit Statement issued to the certification service provider

Certification Service Provider which is a Certification Authority issuing public key certificates in reference with an extended Normalized Certificate Policy [4] (NCP+)

The Certification Authority issuing public key certificates provides these services:

Registration Service [Standard ETSI TS 102 042:2012]
Certificate Generation Service [Standard ETSI TS 102 042:2012]
Dissemination Service [Standard ETSI TS 102 042:2012]
Revocation Management Service [Standard ETSI TS 102 042:2012]
Revocation Status Service [Standard ETSI TS 102 042:2012]
Subject Device Provision Service [Standard ETSI TS 102 042:2012]

The CSP is in possession of an EDP Audit Statement confirming the trustworthiness of the system(s) used, in reference with Trustworthy Systems for CSPs [Standard CWA 14167-1:2003].
Yes / No

If yes:
EDP Audit Statement issued to the manufacturer/supplier of the trustworthy system
EDP Audit Statement issued to the certification service provider

[3] In addition to the NCP quality level, there’s a certification policy alternative, the requirements of which may be used where alternative levels of service can be justified through risk analysis. This alternative is referred to as the Lightweight Certificate Policy for use where a risk assessment does not justify the additional costs of meeting the more onerous requirements of the NCP (e.g. physical presence).

[4] In addition to the NCP quality level, there’s a certification policy alternative, the requirements of which may be used where alternative levels of service can be justified through risk analysis. This alternative is referred to as the extended Normalized Certificate Policy (NCP+) for use where a secure user device (signing or decrypting) is considered necessary.

Certification Service Provider which is a Certification Authority issuing public key certificates in reference with an Extended Validation Certificate Policy [5] (EVCP)

The Certification Authority issuing public key certificates provides these services:

Registration Service [Standard ETSI TS 102 042:2012]
Certificate Generation Service [Standard ETSI TS 102 042:2012]
Dissemination Service [Standard ETSI TS 102 042:2012]
Revocation Management Service [Standard ETSI TS 102 042:2012]
Revocation Status Service [Standard ETSI TS 102 042:2012]
Subject Device Provision Service [Standard ETSI TS 102 042:2012]

The CSP is in possession of an EDP Audit Statement confirming the trustworthiness of the system(s) used, in reference with Trustworthy Systems for CSPs [Standard CWA 14167-1:2003].
Yes / No

If yes:
EDP Audit Statement issued to the manufacturer/supplier of the trustworthy system
EDP Audit Statement issued to the certification service provider

Certification Service Provider which is a Certification Authority issuing public key certificates in reference with an enhanced Extended Validation Certificate Policy [6] (EVCP+)

The Certification Authority issuing public key certificates provides these services:

Registration Service [Standard ETSI TS 102 042:2012]
Certificate Generation Service [Standard ETSI TS 102 042:2012]
Dissemination Service [Standard ETSI TS 102 042:2012]
Revocation Management Service [Standard ETSI TS 102 042:2012]
Revocation Status Service [Standard ETSI TS 102 042:2012]
Subject Device Provision Service [Standard ETSI TS 102 042:2012]

[5] The Extended Validation Certificate Policy (EVCP) is intended for use where provisions, additional to those indicated in NCP, are required to issue EVCs, consistently with what is specified in the EV Certificates Guidelines issued by the CAB Forum (http://www.cabforum.org).

[6] The enhanced Extended Validation Certificate Policy (EVCP+) is intended for use where, in addition to the requirements to issue EVCs, a secure user device (signing or decrypting) is considered necessary.

The CSP is in possession of an EDP Audit Statement confirming the trustworthiness of the system(s) used, in reference with Trustworthy Systems for CSPs [Standard CWA 14167-1:2003].
Yes / No

If yes:
EDP Audit Statement issued to the manufacturer/supplier of the trustworthy system
EDP Audit Statement issued to the certification service provider

Certification Service Provider which is a Time-stamping Authority [Standard ETSI TS 102 023:2008]

Note: ETSI TS 102 023:2008 is the reference document which provides « Policy requirements for timestamping authorities ».

This application concerns:

an initial accreditation
a renewal of the accreditation
an extension of the scope of the accreditation

B.6. Person in charge of the organization [7]

full name:
tel:
e-mail:

B.7. Contact for the Digital Trust Department of ILNAS [8]

full name:
position:
tel:
fax:
e-mail:

[7] Person who will report to the Digital Trust Department of ILNAS in relation to drawing up and circulating documents of a contractual nature (declaration, scope of the application for accreditation, etc.).

[8] Person who will report to the Digital Trust Department of ILNAS in relation to scheduling audits, exchanges of information and documents.

B.8. List of accreditations or approvals issued by an authority, obtained or envisaged, at national or international level

(Please indicate the body which issued the accreditation, the certificate policy level, the CSP service concerned, the date on which it was obtained and, if applicable, the expiry date as well as the date of the next surveillance.)

C. Documents to be attached to the application:

1 copy of the certificate policy;
1 copy of the public certification practice statement;
1 copy of the EDP Audit Statement confirming the trustworthiness of the system(s) used.
D. APPENDIX 1

Certificate Policy level | CSP Service concerned | Date of the beginning of the service | Business premises (Address & location)