Manuel Qualité - Institut luxembourgeois de la normalisation, de l

Digital Trust Department
Application to grant, extend or renew an accreditation for a
Certification Service Provider
PKI Form n° 001A
Application to grant, extend or renew
an accreditation for a
Certification Service Provider
Modifications: address change
1, avenue du Swing
L-4367 Belvaux
Tél.: (+352) 247 743 - 53
Fax: (+352) 247 943 - 50
confiance-numerique@ilnas.etat.lu
PKI Form no. 001A | 04.02.2013 | Version 03
Checked by Alain Wahl
Approved by Jean-Philippe Humbert
The updated version of this template is available on www.ilnas.lu
The printed versions are not managed.
Information about the form
This questionnaire provides information about any application to grant, extend or renew the scope
of accreditation. The general accreditation process is described in the document PKI_P001 –
“Accreditation of Certification Service Providers issuing certificates or providing other services related
to electronic signatures”.
To grant or renew an accreditation, please attach form F001B – Obligation for
certification service providers, completed and signed, to this application form.
The Digital Trust Department of ILNAS undertakes to respect the confidentiality of the information
provided in the questionnaire and attached documents.
The documents forming part of an accreditation file, excluding the certificates of accreditation and the
technical appendices, cannot be sent to third parties by the Digital Trust Department of ILNAS without
the prior written agreement of the organization, except within the framework of a legal enquiry or a
procedure of mutual acknowledgement. The Digital Trust Department of ILNAS does not publish the
existence of an accreditation application in any way.
Please do not fill in the areas that have not changed since the last questionnaire.
In addition, the organization is responsible for updating, with the Digital Trust Department of ILNAS, the
information provided in this questionnaire, whenever necessary. This information will be made
available to the Digital Trust Department assessors for each assessment, as well as to the Electronic
Signature Committee reviewing the accreditation file.
All of the documents relating to the way in which the Digital Trust Department of ILNAS functions can
be found on the following Internet site: http://www.ilnas.public.lu
The duly completed form must be sent or taken in an envelope marked "confidential" to:
ILNAS
Digital Trust Department
1, avenue du Swing
L-4367 Belvaux
Also please send an electronic copy of this form to the address
confiance-numerique@ilnas.etat.lu
This application can only be accepted if the administration costs due for an initial accreditation and for
each reassessment have been paid.
If several applications for accreditation are made at the same time, however, the administration costs are
payable only once.
A. General information
A.1. Identification of the company or the institution under whose control the certification
service provider operates
name:
street and no.:
town:
country:
postcode:
postal address:
name of legal representative:
company type:
legal status:
trade register no.:
telephone:
fax:
web site:
e-mail:
position:
A.2. Principal activities of the company or the institution
A.3. Is the company or institution part of a group?
if so, which:
A.4. Does the company or the institution have any subsidiaries?
if so, identify the main ones:
B. Information about the certification service provider
B.1. Identification of the applicant organization if different from the company or the institution
name:
street and no.:
town:
country:
postcode:
postal address:
telephone:
fax:
web site:
e-mail:
If the applicant organization has additional locations from which it performs the CSP activities for which
accreditation is sought, please specify these locations and the activities concerned on the next page.
Specification of additional locations from which the applicant organization performs CSP activities. Please
also specify clearly, for each location, the actual CSP activities performed there.
name:
street and no.:
town:
country:
postcode:
postal address:
telephone:
fax:
web site:
e-mail:
CSP activity:
name:
street and no.:
town:
country:
postcode:
postal address:
telephone:
fax:
web site:
e-mail:
CSP activity:
Please copy this page as necessary to specify all locations.
B.2. Personnel
applicant organization’s permanent staff or full-time equivalents:
applicant organization’s technical staff or full-time equivalents:
B.3. Reference language
what is your reference language:
B.4. Principal activities of the applicant organization if different from the company or institution
B.5. This application concerns an accreditation demand for a:
Note: For the different selected services, if the applicant organization is different from the certification
service provider, please complete the summary table, by certificate level and CSP Service concerned,
in appendix 1.
Certification Service Provider which is a Certification Authority issuing qualified
certificates¹
Note: a CSP established in the Grand-Duché de Luxembourg and issuing qualified certificates
shall notify the Digital Trust Department of ILNAS of its operations (“Loi du 14 août 2000 relative
au commerce électronique” [see document PKI_F006]). Notification shall be given immediately
upon the start of issuing qualified certificates (see document PKI_P005).
- The Certification Authority issuing qualified certificates provides these services:
Registration Service [Standard ETSI TS 101 456:2007]
Certificate Generation Service [Standard ETSI TS 101 456:2007]
Dissemination Service [Standard ETSI TS 101 456:2007]
Revocation Management Service [Standard ETSI TS 101 456:2007]
Revocation Status Service [Standard ETSI TS 101 456:2007]
Subject Device Provision Service [Standard ETSI TS 101 456:2007]
¹ A « Qualified Certificate » is a certificate which satisfies the requirements set out in articles 2 and 3 of the
« Règlement grand-ducal du 1er juin 2001 relatif aux signatures électroniques, au paiement électronique, et à la
création du comité "commerce électronique" ».
A signature based on a qualified certificate must be made using a Secure Signature Creation Device. The
requirements for this device are defined in article 4 of the « Règlement grand-ducal du 1er juin 2001 relatif aux
signatures électroniques, au paiement électronique, et à la création du comité "commerce électronique" ».
Note: ETSI TS 101 456:2007 is the referential which provides « Policy requirements for
certification authorities issuing qualified certificates ».
A CSP seeking accreditation under the ETSI TS 101 456:2007 standard must apply for
all six services listed in this form. A request for this kind of accreditation automatically
allows the validation of requests for the other types of accreditation proposed in this form,
in accordance with the standard ETSI TS 102 042:2012.
The CSP is in possession of an EDP Audit Statement confirming the trustworthiness of the
system(s) used, in reference with Trustworthy Systems for CSPs [Standard CWA 14167-1:2003].
Yes
No
If yes:
EDP Audit Statement issued to the manufacturer/supplier of the trustworthy system
EDP Audit Statement issued to the certification service provider
Note: CWA (CEN Workshop Agreement) 14167-1:2003 is the referential which provides
« Security Requirements for Trustworthy Systems Managing Certificates for Electronic
Signatures – Part 1 : System Security Requirements ».
Certification Service Provider which is a Certification Authority issuing public key
certificates in reference with a “Normalized” Certificate Policy² (NCP)
- The Certification Authority issuing public key certificates provides these services:
Registration Service [Standard ETSI TS 102 042:2012]
Certificate Generation Service [Standard ETSI TS 102 042:2012]
Dissemination Service [Standard ETSI TS 102 042:2012]
Revocation Management Service [Standard ETSI TS 102 042:2012]
Revocation Status Service [Standard ETSI TS 102 042:2012]
Subject Device Provision Service [Standard ETSI TS 102 042:2012]
Note: ETSI TS 102 042:2012 is the referential which provides « Policy requirements for
certification authorities issuing public key certificates ».
- The CSP is in possession of an EDP Audit Statement confirming the trustworthiness of the
system(s) used, in reference with Trustworthy Systems for CSPs [Standard CWA 14167-1:2003].
Yes
No
If yes:
EDP Audit Statement issued to the manufacturer/supplier of the trustworthy system
EDP Audit Statement issued to the certification service provider
² The “Normalized” Certificate Policy provides a level of quality the same as that offered by qualified certificates,
without being tied to the Electronic Signature Directive (1999/93/EC) and without requiring use of a secure user
(signing or decrypting) device.
Certification Service Provider which is a Certification Authority issuing public key
certificates in reference with a Lightweight Certificate Policy³ (LCP)
- The Certification Authority issuing public key certificates provides these services:
Registration Service [Standard ETSI TS 102 042:2012]
Certificate Generation Service [Standard ETSI TS 102 042:2012]
Dissemination Service [Standard ETSI TS 102 042:2012]
Revocation Management Service [Standard ETSI TS 102 042:2012]
Revocation Status Service [Standard ETSI TS 102 042:2012]
Subject Device Provision Service [Standard ETSI TS 102 042:2012]
- The CSP is in possession of an EDP Audit Statement confirming the trustworthiness of the
system(s) used, in reference with Trustworthy Systems for CSPs [Standard CWA 14167-1:2003].
Yes
No
If yes:
EDP Audit Statement issued to the manufacturer/supplier of the trustworthy system
EDP Audit Statement issued to the certification service provider
Certification Service Provider which is a Certification Authority issuing public key
certificates in reference with an extended Normalized Certificate Policy⁴ (NCP+)
- The Certification Authority issuing public key certificates provides these services:
Registration Service [Standard ETSI TS 102 042:2012]
Certificate Generation Service [Standard ETSI TS 102 042:2012]
Dissemination Service [Standard ETSI TS 102 042:2012]
Revocation Management Service [Standard ETSI TS 102 042:2012]
Revocation Status Service [Standard ETSI TS 102 042:2012]
Subject Device Provision Service [Standard ETSI TS 102 042:2012]
- The CSP is in possession of an EDP Audit Statement confirming the trustworthiness of the
system(s) used, in reference with Trustworthy Systems for CSPs [Standard CWA 14167-1:2003].
Yes
No
If yes:
EDP Audit Statement issued to the manufacturer/supplier of the trustworthy system
EDP Audit Statement issued to the certification service provider
³ In addition to the NCP quality level, there is a certification policy alternative, the requirements of which may be
used where alternative levels of service can be justified through risk analysis. This alternative is referred to as the
Lightweight Certificate Policy for use where a risk assessment does not justify the additional costs of meeting the
more onerous requirements of the NCP (e.g. physical presence).
⁴ In addition to the NCP quality level, there is a certification policy alternative, the requirements of which may be
used where alternative levels of service can be justified through risk analysis. This alternative is referred to as the
extended Normalized Certificate Policy (NCP+) for use where a secure user device (signing or decrypting) is considered
necessary.
Certification Service Provider which is a Certification Authority issuing public key
certificates in reference with an Extended Validation Certificate Policy⁵ (EVCP)
- The Certification Authority issuing public key certificates provides these services:
Registration Service [Standard ETSI TS 102 042:2012]
Certificate Generation Service [Standard ETSI TS 102 042:2012]
Dissemination Service [Standard ETSI TS 102 042:2012]
Revocation Management Service [Standard ETSI TS 102 042:2012]
Revocation Status Service [Standard ETSI TS 102 042:2012]
Subject Device Provision Service [Standard ETSI TS 102 042:2012]
- The CSP is in possession of an EDP Audit Statement confirming the trustworthiness of the
system(s) used, in reference with Trustworthy Systems for CSPs [Standard CWA 14167-1:2003].
Yes
No
If yes:
EDP Audit Statement issued to the manufacturer/supplier of the trustworthy system
EDP Audit Statement issued to the certification service provider
Certification Service Provider which is a Certification Authority issuing public key
certificates in reference with an enhanced Extended Validation Certificate Policy⁶ (EVCP+)
- The Certification Authority issuing public key certificates provides these services:
Registration Service [Standard ETSI TS 102 042:2012]
Certificate Generation Service [Standard ETSI TS 102 042:2012]
Dissemination Service [Standard ETSI TS 102 042:2012]
Revocation Management Service [Standard ETSI TS 102 042:2012]
Revocation Status Service [Standard ETSI TS 102 042:2012]
Subject Device Provision Service [Standard ETSI TS 102 042:2012]
⁵ The Extended Validation Certificate Policy (EVCP) is intended for use where provisions, additional to those
indicated in NCP, are required to issue EVCs, consistently with what is specified in the EV Certificates Guidelines
issued by the CAB Forum (http://www.cabforum.org).
⁶ The enhanced Extended Validation Certificate Policy (EVCP+) is intended for use where, in addition to the
requirements to issue EVCs, a secure user device (signing or decrypting) is considered necessary.
- The CSP is in possession of an EDP Audit Statement confirming the trustworthiness of the
system(s) used, in reference with Trustworthy Systems for CSPs [Standard CWA 14167-1:2003].
Yes
No
If yes:
EDP Audit Statement issued to the manufacturer/supplier of the trustworthy system
EDP Audit Statement issued to the certification service provider
Certification Service Provider which is a Time-stamping Authority [Standard ETSI TS 102 023:2008]
Note: ETSI TS 102 023:2008 is the referential which provides « Policy requirements for time-stamping authorities ».
This application concerns:
an initial accreditation
a renewal of the accreditation
an extension of the scope of the accreditation
B.6. Person in charge of the organization⁷
full name:
tel:
e-mail:
B.7. Contact for the Digital Trust Department of ILNAS⁸
full name:
position:
tel:
fax:
e-mail:
⁷ Person who will report to the Digital Trust Department of ILNAS in relation to drawing up and circulating
documents of a contractual nature (declaration, scope of the application for accreditation, etc.).
⁸ Person who will report to the Digital Trust Department of ILNAS in relation to scheduling audits, exchanges of
information and documents.
B.8. List of accreditations or approvals issued by an authority, obtained or envisaged, at
national or international level
(Please indicate the body which issued the accreditation, the certificate policy level, the CSP service concerned, the dates on
which it was obtained and, if applicable, the expiry date as well as the date of the next surveillance.)
C. Documents to be attached to the application:
- 1 copy of the certificate policy;
- 1 copy of the public certification practice statement;
- 1 copy of the EDP Audit Statement confirming the trustworthiness of the system(s) used.
D. APPENDIX 1
Certificate Policy level | CSP Service concerned | Date of the beginning of the service | Business premises (Address & location)