Certification Authorities and other Trust Service Providers
1. Introduction
ETSI addresses requirements for Trust Services under the European eIDAS regulation 910/2014 and new requirements in the upcoming eIDAS 2 amendment to this regulation on European Digital Identity Framework. A Trust Service is a third party service used to support identification, authentication and signatures for exchanges over public networks. The most widely used type of trusted service is a Certification Authority which uses public key technology to support identification, authentication and signatures.
The eIDAS regulation recognises the following types of trust service providers:
- Certification Authorities issuing certificates for digital signatures supporting electronic signatures and seals (see ETSI page on digital signatures);
- Certification Authorities issuing certificates to support website authentication, aligned with the requirements of the CA/Browser Forum as recognised by all the major Web Browser Vendors;
- Time-stamping authorities providing proof of existence of a data object (including signed documents) at a given time;
- Providers of services for the validation and preservation of signed data;
- Providers of services for registered electronic delivery including registered electronic mail.
This has been extended in eIDAS 2 with the definition of a new form of national electronic identifier, equivalent to national identity card, called the EU Digital Identity Wallet. Alongside this, eIDAS also supports the provision of trust services for:
- Electronic Attestation of Attributes relating attributes and credentials to identified persons;
- Creation of electronic signatures and seals using remote signing devices held in the cloud, as opposed to, for example, locally held smart card;
- Electronic Archiving;
- Electronic Ledgers.
ETSI is developing standards for interfacing to the EU Digital Identity Wallet and support of the other new trust services.
2. Current ETSI Standards
The current standards for Certification and Other Trust Service Providers are listed in the TC ESI Activities page.
3. Trusted Lists and Other Nationally Maintained Information
EU Member States and other European nations generally maintain lists of CAs and other TSPs in one or more nationally maintained registers.
EU Member States trusted list as defined in Regulation (EU) No 910/2014 include information related to the qualified trust service providers which are supervised by the competent Member State, together with information related to the qualified trust services provided by them, in accordance with the relevant provisions laid down in the Regulation.
Trusted lists are essential elements in building trust among electronic market operators by allowing users to determine the qualified status and the status history of trust service providers and their services. Under eIDAS Regulation, national trusted lists have a constitutive effect. In other words, a provider/service will be qualified only if it appears in the trusted lists. Consequently, the users (citizens, businesses or public administrations) will benefit from the legal effect associated with a given qualified trust service only if the latter is listed (as qualified) in the trusted lists.
The trusted lists of Member States include, as a minimum, information specified in Articles 1 and 2 of Commission Implementing Decision (EU) 2015/1505 profiling technical specifications defined in ETSI TS 119 612 v2.1.1.
Member States may include in the trusted lists information on non-qualified trust service providers and on other nationally defined trust services.
To allow access to the trusted lists of all Member States in an easy and trustworthy manner, the European Commission publishes a central list with links to the locations where the trusted lists are published as notified by Member States to the EC. This central list, called the List Of Trusted Lists (LOTL), is available as a signed or sealed XML machine-processable form (hereafter the LOTL) at the following URL: https://ec.europa.eu/information_society/policy/esignature/trusted-list/tl-mp.xml
Also some Trusted Lists viewers are available as follows:
4. Qualified Certificates
For EU countries the information on CAs issuing qualified certificates are held in Trusted Lists (see 3 above).
5. Conformity Assessment Bodies
Conformity assessment bodies are accredited by national accreditation bodies. The relevant national accreditation body can be contacted to determine the status of a conformity assessment body (i.e. whether the conformity assessment body is accredited to perform ETSI audits by the national accreditation body). National accreditation bodies can be found on the European Co-operation for Accreditation web site and/or the International Accreditation Forum web site.
Informative list of conformity assessment bodies (CABs) accredited against the requirements of the eIDAS Regulation: The information included in the list comes from the National Accreditation Bodies (NAB) who have notified the European Commission.
For any comments and/or suggestions on this web page, please drop us a line to ESIsupport@etsi.org
Related Technical Bodies: Electronic Signatures and Trust Infrastructures (ESI).