FAQ
on ETSI ESI standards
Scope of this document
The FAQs in this document cover topics within the scope of the standardisation tasks assigned to ETSI under the European Electronic Signature Standardisation Initiative (EESSI).
Outside the scope of this document are questions and answers about:
- the European Directive itself
- the European Electronic Signature Standardisation Initiative (EESSI) as a whole
- CEN activities under EESSI
- digital signatures as a general topic
- national interpretation of the European Directive
This document is not a tutorial.
Intended Audience
The audience of the FAQ is anybody who might be thinking of using the standards developed by the ETSI ESI WG under the EESSI mandate. It is assumed that the audience will be mainly people with some technical knowledge.
List of FAQ
What is the scope of the following FAQs?
What is a qualified certificate all about?
How can I be assured that a CA meets the requirements of the EU Directive for the issuance of Qualified Certificates?
How can I be assured that a certificate is a qualified certificate?
Do I need to appear before a Registration Authority to get a qualified certificate?
I am a subscriber; what do I need to know about qualified certificates?
I am a subscriber; after the issuance and until the expiration date of the qualified certificate do I need to contact the CA again?
I am a subscriber; it sounds like I have a lot of obligations. Where do I find out what they are? Is it on the qualified certificate?
I am a subscriber; what happens to my personal data that I submit to the CA?
I am a relying party; do I need to check the certificate revocation status of a Qualified Certificate?
I am a relying party; what might I be required to know if I am to rely on a Qualified Certificate?
I am a CA; what are my obligations towards subscribers and relying parties?
Is TS 101 456 applicable to CAs issuing CA certificates?
What is a signature policy, in simple terms?
Why are there two standards (TS 101 903 and TS 101 733) defining an electronic signature format?
How to validate an electronic signature against a signature policy?
What is a qualified electronic signature?
Question:
What is the scope of the following FAQs?
Answer: The scope is to answer some of the most frequently asked questions about the ETSI standards developed within the scope of EESSI. ETSI takes no responsibility regarding the legal status of any of the answers in this FAQ. The appropriateness of any ETSI standard to the EU Directive has not yet received formal approval, and any final assessment of their use lies not within the Directive but within individual countries' legislation.
Question:
What is a qualified certificate all about?
Answer: Qualified certificates support the use of qualified electronic signatures, which are equivalent to handwritten signatures where the law requires them. A qualified certificate is defined in Annex I of EC Directive 1999/93/EC on electronic signatures and must be issued by a CA that conforms to Annex II of that Directive. It is a certificate intended to give a relying party stronger assurance that a signature made with the corresponding private key is valid. A qualified certificate is identified as such either by a specific statement (extension) carried in the certificate, or by one of its fields pointing to a certificate policy that specifies that it is relevant to qualified certificates.
Question:
How can I be assured that a CA meets the requirements of the EU Directive for
the issuance of Qualified Certificates?
Answer: There are several ways to do this. For example, national legislation requirements on CAs, or the CA's membership of a recognised approval scheme, may provide that assurance.
Question:
How can I be assured that a certificate is a qualified certificate?
Answer: First, the certificate has to be examined to check whether it contains a specific extension indicating that it is a qualified certificate, or a specific identifier for a certificate policy recognised as supporting the requirements for issuing qualified certificates, such as the policy defined in TS 101 456. Second, you also need to be assured that the CA meets the requirements of the EU Directive for the issuance of qualified certificates (see the previous question and answer). The first check only establishes what the certificate claims; the second establishes whether the issuer is entitled to make that claim.
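The first of the two checks above can be automated. The following is an added example, not code from the ETSI FAQ or from any ETSI deliverable: it walks a DER-encoded X.509 Extensions block and reports whether the certificate carries either marker the answer describes, a qualified-certificate statement extension or a certificate policy identifier from TS 101 456. The object identifiers used are not stated on this page; they are taken from RFC 3739 (id-pe-qcStatements), ETSI TS 101 862 (id-etsi-qcs-QcCompliance) and ETSI TS 101 456 (the QCP policy identifiers) and should be confirmed against those documents. The sample Extensions block is constructed inline so the code runs offline; it is not taken from any real CA. The code deliberately stops at the "what does the certificate claim" step: nothing here answers the second question of whether the issuing CA actually meets the Directive's requirements.

```python
# Added example (not part of the ETSI FAQ): scan an X.509 Extensions block for
# the two qualified-certificate markers the FAQ describes. Pure standard-library
# Python; the DER input is constructed below rather than taken from a real CA.

# Identifiers are not on the FAQ page; taken from RFC 3739, ETSI TS 101 862 and
# ETSI TS 101 456 respectively (assumption: confirm against those documents).
OID_QC_STATEMENTS = "1.3.6.1.5.5.7.1.3"   # id-pe-qcStatements (RFC 3739)
OID_QC_COMPLIANCE = "0.4.0.1862.1.1"      # id-etsi-qcs-QcCompliance (TS 101 862)
OID_CERT_POLICIES = "2.5.29.32"           # id-ce-certificatePolicies (X.509)
QCP_POLICY_OIDS = {                       # TS 101 456 policy identifiers
    "0.4.0.1456.1.1": "QCP public + SSCD",
    "0.4.0.1456.1.2": "QCP public",
}

# --- minimal DER encoder, used only to build the constructed sample ---
def der_len(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def der_tlv(tag, content):
    return bytes([tag]) + der_len(len(content)) + content

def encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([arcs[0] * 40 + arcs[1]])   # first two arcs share one sub-identifier
    for arc in arcs[2:]:
        chunk = bytearray([arc & 0x7F])
        arc >>= 7
        while arc:                                # base-128, high bit set on all but the last byte
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        body += chunk
    return der_tlv(0x06, bytes(body))

def encode_extension(oid, value, critical=False):
    # Extension ::= SEQUENCE { extnID OID, critical BOOLEAN DEFAULT FALSE, extnValue OCTET STRING }
    inner = encode_oid(oid)
    if critical:
        inner += der_tlv(0x01, b"\xff")
    return der_tlv(0x30, inner + der_tlv(0x04, value))

# --- minimal DER decoder ---
def decode_tlv(buf, pos=0):
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    else:                                         # long form: low 7 bits give the length-of-length
        n = first & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def iter_sequence(content):
    pos = 0
    while pos < len(content):
        tag, body, pos = decode_tlv(content, pos)
        yield tag, body

def decode_oid(content):
    arcs, value = [], 0
    for b in content:
        value = (value << 7) | (b & 0x7F)
        if b & 0x80:
            continue
        if not arcs:                              # unpack the combined first sub-identifier
            arcs += [0, value] if value < 40 else [1, value - 40] if value < 80 else [2, value - 80]
        else:
            arcs.append(value)
        value = 0
    return ".".join(map(str, arcs))

def parse_extensions(ext_der):
    """Map extnID (dotted OID) -> extnValue bytes (inner DER, OCTET STRING wrapper removed)."""
    tag, seq, _ = decode_tlv(ext_der)
    if tag != 0x30:
        raise ValueError("Extensions must be a SEQUENCE")
    exts = {}
    for _, ext in iter_sequence(seq):
        fields = list(iter_sequence(ext))         # [OID, optional BOOLEAN, OCTET STRING]
        exts[decode_oid(fields[0][1])] = fields[-1][1]
    return exts

def leading_oids(seq_of_seq):
    """QCStatement and PolicyInformation both start with an OID; collect them."""
    _, inner, _ = decode_tlv(seq_of_seq)
    return [decode_oid(next(iter_sequence(item))[1]) for _, item in iter_sequence(inner)]

def qc_indicators(ext_der):
    exts = parse_extensions(ext_der)
    return {
        "qc_statements": leading_oids(exts[OID_QC_STATEMENTS]) if OID_QC_STATEMENTS in exts else [],
        "policies": leading_oids(exts[OID_CERT_POLICIES]) if OID_CERT_POLICIES in exts else [],
    }

def claims_qualified(ext_der):
    """True if the certificate *claims* QC status by either marker. Whether the
    issuing CA is entitled to make the claim is the separate assurance question."""
    ind = qc_indicators(ext_der)
    return OID_QC_COMPLIANCE in ind["qc_statements"] or any(p in QCP_POLICY_OIDS for p in ind["policies"])

def build_sample(qualified=True):
    """Constructed Extensions block for the example; not from a real certificate."""
    key_usage = encode_extension("2.5.29.15", der_tlv(0x03, b"\x06\x40"), critical=True)  # nonRepudiation only
    if qualified:
        stmts = der_tlv(0x30, der_tlv(0x30, encode_oid(OID_QC_COMPLIANCE)))
        pols = der_tlv(0x30, der_tlv(0x30, encode_oid("0.4.0.1456.1.1")))
        return der_tlv(0x30, key_usage + encode_extension(OID_QC_STATEMENTS, stmts)
                       + encode_extension(OID_CERT_POLICIES, pols))
    pols = der_tlv(0x30, der_tlv(0x30, encode_oid("1.2.3.4.5")))   # some non-QCP policy
    return der_tlv(0x30, key_usage + encode_extension(OID_CERT_POLICIES, pols))

if __name__ == "__main__":
    for q in (True, False):
        ext = build_sample(q)
        print(qc_indicators(ext), "->", "claims QC" if claims_qualified(ext) else "no QC markers")
```

To run it against a real certificate you would feed `parse_extensions` the DER content of the tbsCertificate `extensions [3]` field (the Extensions SEQUENCE, not the whole certificate); a hand-rolled walker like this is fine for inspection, but production code should use a maintained ASN.1 or X.509 library that also validates the signature and revocation status.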
Question:
Do I need to appear before a Registration Authority to get a qualified
certificate?
Answer: Not necessarily, provided that at some time that body has made appropriate checks on you in person, or someone else is able to provide that body with evidence of your identity and of your explicit prior approval of the terms and conditions you must accept. In some cases an existing registration, for example with a bank or a professional association, may suffice for a qualified certificate to be issued. In any case a CA has to comply with the applicable national laws on the identification of citizens; these may place specific subscriber identification and verification requirements on the CA.
Question:
I am a subscriber; what do I need to know about qualified certificates?
Answer: Qualified certificates support the use of qualified electronic signatures, which are equivalent to handwritten signatures where the law requires them. As a subscriber you may have certain responsibilities passed on to you from a CA; they could include the requirement to:
- submit accurate and complete information to the CA regarding your registration;
- only use the key pair for electronic signatures;
- make sure you check any limitations on the usage of the key pair as notified to you;
- make sure that nobody else can make use of your private key;
- immediately notify the CA of any compromise, loss, theft, etc. of the key or of the PIN protecting it;
- immediately notify the CA of any changes in the certificate data, e.g. your name;
- make use of a secure signature creation device deemed conformant to the requirements set forth in Annex III of Directive 1999/93/EC by "appropriate public or private bodies designated by Member States" (quotation from Article 3(4)).
Question:
I am a subscriber; after the issuance and until the expiration date of the
qualified certificate do I need to contact the CA again?
Answer: In principle, no. Only in case of:
- compromise, loss, theft, etc. of the key or of the PIN protecting it;
- changes in the registration data, e.g. a new address.
Question:
I am a subscriber; it sounds like I have a lot of obligations. Where do I find
out what they are? Is it on the qualified certificate?
Answer:
Not quite. The CA should make all your obligations clear to you when you
subscribe to their service in the terms and conditions included in the
subscriber agreement. This will in no way negate your consumer rights as a
subscriber.
Question: I am a
subscriber; what happens to my personal data that I submit to the CA?
Answer: The personal data
submitted to the CA is used to validate the identity used in the certificate
issued by the CA. In addition, the
CA maintains a record of the information provided.
The CA is obliged to conform to its government’s national
implementation of the EU regulations on the protection of personal data.
Question:
I am a relying party; do I need to check the certificate revocation status of a
Qualified Certificate?
Answer: Yes.
Question:
I am a relying party; what might I be
required to know if I am to rely on a Qualified Certificate?
Answer: Parts of the terms
and conditions, made available to subscribers, are made available by the issuing
Certification Authority to relying parties e.g. via their web site.
Question:
I am a CA; what are my obligations towards subscribers and relying parties?
Answer: The obligations are
defined in the certificate policy.
Question:
Is TS 101 456 applicable to CAs issuing CA certificates?
Answer: Presently no
specific policy document exists for CA certificates for a CA issuing Qualified
Certificates. However, the general
principles of TS 101 456 and many of the detailed requirements of TS 101 456
would be applicable. Some of the specific details would need to be adapted for
CA certificates, particularly with regards to registration and physical
presence.
Question:
What is a signature policy, in simple terms?
Answer: A signature policy is a set of rules under which an electronic signature can be created and determined to be valid. If you sign under a particular signature policy, you must know and apply the precise rules of that policy at the time of signature creation. When you validate a signature under a particular signature policy, you must follow the validation rules of that policy for the signature to be properly shown to be valid.
Question:
Why are there two standards (TS 101 903 and TS 101 733) defining an electronic
signature format?
Answer: There is a justification for each format. TS 101 903 applies where XML signatures are used and where signatures need to be applied to portions of an XML document. TS 101 733 most likely applies where attachments are used, and allows signatures to be applied to a whole document, whatever the type of the document may be.
Question:
How to validate an electronic signature against a signature policy?
Answer: Look up the signature policy referenced by the signature to find its validation rules, and follow those rules.
Question: What is a qualified electronic signature?
Answer: A
qualified electronic signature is an advanced
electronic signature (as defined in the Electronic Signature Directive) which is
based on a qualified certificate and which is created by a
secure-signature-creation device (i.e. a signature as described in article 5.1
of the Electronic Signature Directive).