FAQ on ETSI ESI standards

This FAQ covers topics that are within the scope of ETSI ESI Technical Committee.

Outside the scope of this FAQ are questions and answers about:

  • the European Directive itself
  • the European Electronic Signature Standardisation Initiative (EESSI)
  • CEN activities under EESSI
  • digital signatures in general
  • national interpretation of the European Directive

This FAQ is not a tutorial document.

Intended Audience

The audience of the FAQ is anybody who might be thinking of using the standards developed by ETSI ESI. It is assumed that the audience will be mainly people with some technical knowledge.

List of FAQ

What is the scope of the following FAQs? 
 
What is a qualified certificate all about? 
 
How can I be assured that a CA meets the requirements of the EU Directive for the issuance of Qualified Certificates?  
 
How can I be assured that a certificate is a qualified certificate? 
 
Do I need to appear before a Registration Authority to get a qualified certificate? 
 
I am a subscriber; what do I need to know about qualified certificates? 
 
I am a subscriber; after the issuance and until the expiration date of the qualified certificate do I need to contact the CA again? 

I am a subscriber; it sounds like I have a lot of obligations. Where do I find out what they are? Is it on the qualified certificate? 
 
I am a subscriber; what happens to my personal data that I submit to the CA? 
 
I am a relying party; do I need to check the certificate revocation status of a Qualified Certificate? 
 
I am a relying party; what might I be required to know if I am to rely on a Qualified Certificate? 
 
I am a CA; what are my obligations towards subscribers and relying parties? 
 
Is TS 101 456 applicable to CAs issuing CA certificates? 
 
What is a signature policy, in simple terms? 
 
Why are there two standards (TS 101 903 and TS 101 733) defining an electronic signature format? 
 
How do I validate an electronic signature against a signature policy?
 
What is a qualified electronic signature? 

What is PAdES?

Question: What is the scope of the following FAQs?

Answer: The scope is to answer some of the most frequently asked questions about the ETSI standards developed within the scope of EESSI. ETSI takes no responsibility regarding the legal status of any of the answers in this FAQ. The appropriateness of any ETSI standard to the EU Directive has not yet received any formal approval, and any final assessment as to their use lies not within the Directive but within individual countries’ legislation.
  

Question: What is a qualified certificate all about? 

Answer: Qualified certificates support the usage of Qualified Electronic Signatures, which are equivalent to handwritten signatures where law mandates them. A qualified certificate is defined in EC Directive 1999/93/EC on electronic signatures (Annex I) and should be issued by a CA that conforms to Annex II of EC Directive 1999/93/EC. It is a certificate that is intended to give a relying party stronger assurance that a signature made with the corresponding private key is valid. A qualified certificate is identified as such either via a specific code, or because one of its fields points to a Certificate Policy that specifies that it is relevant to qualified certificates.
 

Question: How can I be assured that a CA meets the requirements of the EU Directive for the issuance of Qualified Certificates?

Answer: There are several ways to do this. For example, national legislation requirements on CAs, or the CA’s membership of a recognised approval scheme, may provide this assurance.

Question: How can I be assured that a certificate is a qualified certificate? 

Answer: Firstly, the certificate has to be examined to check whether it contains a specific extension indicating that it is a Qualified Certificate, or a specific identifier for a certificate policy recognised as supporting the requirements for issuing Qualified Certificates, such as that defined in TS 101 456. Secondly, you also need to be assured that the CA meets the requirements of the EU Directive for the issuance of Qualified Certificates (see the previous question and answer).
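The two certificate-side checks named in this answer and in the earlier "what is a qualified certificate all about?" answer (a specific extension, or a certificate policy identifier) can be automated. The following Go program is an added example written for this FAQ; it is not ETSI code and not part of the original document. It uses only the Go standard library and assumes these identifiers: the qcStatements extension 1.3.6.1.5.5.7.1.3 from RFC 3739, the QcCompliance (0.4.0.1862.1.1) and QcSSCD (0.4.0.1862.1.4) statements from ETSI TS 101 862, and the QCP public (0.4.0.1456.1.2) and QCP public + SSCD (0.4.0.1456.1.1) policy identifiers from ETSI TS 101 456. The sample certificate is self-signed and constructed inside the program purely so that the check can run offline; it is not a real qualified certificate, and the second step of the answer (assurance that the CA itself meets the Directive's requirements) cannot be read from the certificate at all.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"time"
)

// Identifiers assumed by this example (see lead-in): RFC 3739, TS 101 862, TS 101 456.
var (
	oidCertificatePolicies = asn1.ObjectIdentifier{2, 5, 29, 32}
	oidQcStatements        = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 1, 3}
	oidQcCompliance        = asn1.ObjectIdentifier{0, 4, 0, 1862, 1, 1}
	oidQcSSCD              = asn1.ObjectIdentifier{0, 4, 0, 1862, 1, 4}
	oidQcpPublicSSCD       = asn1.ObjectIdentifier{0, 4, 0, 1456, 1, 1}
	oidQcpPublic           = asn1.ObjectIdentifier{0, 4, 0, 1456, 1, 2}
)

// oidEntry mirrors both QCStatement and PolicyInformation: SEQUENCE { OID, ANY OPTIONAL }.
// The trailing element (statementInfo / policyQualifiers) is kept raw and may be absent.
type oidEntry struct {
	ID   asn1.ObjectIdentifier
	Rest asn1.RawValue `asn1:"optional"`
}

// QCIndicators records which qualified-certificate markers a certificate carries.
type QCIndicators struct {
	QcCompliance, QcSSCD, QcpPublic, QcpPublicSSCD bool
}

// ClaimsQualified is true when the certificate asserts QC status through either route
// named in the FAQ: a QcCompliance statement or a recognised QCP policy identifier.
func (q QCIndicators) ClaimsQualified() bool {
	return q.QcCompliance || q.QcpPublic || q.QcpPublicSSCD
}

// InspectQC performs the first step of the answer: look for the qcStatements
// extension and for a TS 101 456 certificate policy identifier.
func InspectQC(cert *x509.Certificate) (QCIndicators, error) {
	var ind QCIndicators
	for _, p := range cert.PolicyIdentifiers { // filled by ParseCertificate from certificatePolicies
		switch {
		case p.Equal(oidQcpPublic):
			ind.QcpPublic = true
		case p.Equal(oidQcpPublicSSCD):
			ind.QcpPublicSSCD = true
		}
	}
	for _, ext := range cert.Extensions {
		if !ext.Id.Equal(oidQcStatements) {
			continue
		}
		var stmts []oidEntry
		rest, err := asn1.Unmarshal(ext.Value, &stmts)
		if err != nil || len(rest) != 0 {
			return ind, fmt.Errorf("malformed qcStatements extension: %v", err)
		}
		for _, s := range stmts {
			switch {
			case s.ID.Equal(oidQcCompliance):
				ind.QcCompliance = true
			case s.ID.Equal(oidQcSSCD):
				ind.QcSSCD = true
			}
		}
	}
	return ind, nil
}

// MakeSampleCert builds a constructed, self-signed test certificate (not a real QC).
// With qualified=true it carries the QCP+SSCD policy and QcCompliance/QcSSCD statements.
func MakeSampleCert(qualified bool) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "Sample Subscriber (constructed)"},
		NotBefore:    time.Now(),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageContentCommitment, // non-repudiation, as for a signing certificate
	}
	if qualified {
		// Encode both extensions by hand so the result is the same on every Go version.
		pol, err := asn1.Marshal([]oidEntry{{ID: oidQcpPublicSSCD}})
		if err != nil {
			return nil, err
		}
		qcs, err := asn1.Marshal([]oidEntry{{ID: oidQcCompliance}, {ID: oidQcSSCD}})
		if err != nil {
			return nil, err
		}
		tmpl.ExtraExtensions = []pkix.Extension{
			{Id: oidCertificatePolicies, Value: pol},
			{Id: oidQcStatements, Value: qcs},
		}
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	for _, q := range []bool{true, false} {
		cert, err := MakeSampleCert(q)
		if err != nil {
			panic(err)
		}
		ind, err := InspectQC(cert)
		if err != nil {
			panic(err)
		}
		fmt.Printf("markers present=%v -> %+v claimsQualified=%v\n", q, ind, ind.ClaimsQualified())
	}
}
```

A relying party would run InspectQC on the signer's certificate after the usual path validation, and treat a positive result only as the first of the two steps the answer describes; the certificate can state that its issuer claims to follow a QCP policy, but whether the CA actually meets the Directive's requirements is established outside the certificate (previous question).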
 

Question: Do I need to appear before a Registration Authority to get a qualified certificate?

Answer: Not necessarily, provided that at some time that body has made appropriate checks against you in person, or someone else is able to provide that body with evidence of your identity and evidence of your explicit prior approval of the terms and conditions that you must accept. In some cases existing registrations, for example with a bank or a professional association, may suffice to have a qualified certificate issued. In any case a CA has to comply with the appropriate national laws regarding identification of citizens; this may place specific subscriber identification and verification requirements on the CA.
  

Question: I am a subscriber; what do I need to know about qualified certificates?

Answer: Qualified certificates support the usage of Qualified Electronic Signatures, which are equivalent to handwritten signatures where law mandates them. As a subscriber you may have certain responsibilities passed on to you from a CA; they could include the requirement to:

  • submit accurate and complete information to the CA regarding your registration.
  • only use the key pair for electronic signatures.
  • make sure you check any limitations to the usage of the key pair as notified.
  • make sure that nobody else can make use of your private key.
  • immediately notify the CA of any compromise, loss, theft etc. of the key or the PIN to it.
  • immediately notify the CA of any changes in the certificate data, e.g. name.
  • make use of a secure signature creation device deemed conformant to the requirements set forth in Directive 1999/93/EC (Annex III) by “appropriate public or private bodies designated by Member States.” (quotation from section 3(4))

Question: I am a subscriber; after the issuance and until the expiration date of the qualified certificate do I need to contact the CA again?

Answer: In principle no. Only in case of:

  • compromise, loss, theft, etc. of the key or the PIN to it.
  • changes in the registration data, e.g. a new address.

Question: I am a subscriber; it sounds like I have a lot of obligations. Where do I find out what they are? Is it on the qualified certificate?

Answer: Not quite. The CA should make all your obligations clear to you when you subscribe to their service in the terms and conditions included in the subscriber agreement. This will in no way negate your consumer rights as a subscriber.
 

Question: I am a subscriber; what happens to my personal data that I submit to the CA? 

Answer: The personal data submitted to the CA is used to validate the identity used in the certificate issued by the CA. In addition, the CA maintains a record of the information provided. The CA is obliged to conform to its government’s national implementation of the EU regulations on the protection of personal data.
 

Question: I am a relying party; do I need to check the certificate revocation status of a Qualified Certificate?

Answer: Yes.
 

Question: I am a relying party; what might I be required to know if I am to rely on a Qualified Certificate?

Answer: Parts of the terms and conditions made available to subscribers are also made available by the issuing Certification Authority to relying parties, e.g. via its web site.
 

Question: I am a CA; what are my obligations towards subscribers and relying parties?

Answer: The obligations are defined in the certificate policy.
 

Question: Is TS 101 456 applicable to CAs issuing CA certificates?

Answer: Presently no specific policy document exists for CA certificates of a CA issuing Qualified Certificates. However, the general principles of TS 101 456 and many of its detailed requirements would be applicable. Some of the specific details would need to be adapted for CA certificates, particularly with regard to registration and physical presence.
 

Question: What is a signature policy, in simple terms?

Answer: A signature policy is a set of rules under which an electronic signature can be created and determined to be valid. This means that if you sign under a particular signature policy, you must know and apply its precise rules at the time of signature creation. When you validate a signature under a particular signature policy, you must conform to the validation rules required by that policy for the signature to be properly shown to be valid.
 

Question: Why are there two standards (TS 101 903 and TS 101 733) defining an electronic signature format?

Answer: There is a justification for each format. TS 101 903 applies where XML signatures are used and where signatures need to be applied to portions of an XML document. TS 101 733 most likely applies where attachments are used, and allows signatures to be applied to a whole document, whatever the type of the document may be.

Question: How do I validate an electronic signature against a signature policy?

Answer: Look up the signature policy to find out its validation rules, and follow those rules.

Question: What is a qualified electronic signature?

Answer: A qualified electronic signature is an advanced electronic signature (as defined in the Electronic Signature Directive) which is based on a qualified certificate and which is created by a secure-signature-creation device (i.e. a signature as described in article 5.1 of the Electronic Signature Directive).