ETSI TR 102 040 V1.1.1 (2002-03)

SLOVENSKI STANDARD
SIST-TP ETSI/TR 102 040 V1.1.1:2005
01-maj-2005
Mednarodna uskladitev politike zahtev za overitelje (certifikacijske
agencije/organe), ki izdajajo certifikate
International Harmonization of Policy Requirements for CAs issuing Certificates
Ta slovenski standard je istoveten z: TR 102 040 Version 1.1.1
ICS:
35.040 Nabori znakov in kodiranje Character sets and
informacij information coding
SIST-TP ETSI/TR 102 040 V1.1.1:2005 en
2003-01.Slovenski inštitut za standardizacijo. Razmnoževanje celote ali delov tega standarda ni dovoljeno.

---------------------- Page: 1 ----------------------

SIST-TP ETSI/TR 102 040 V1.1.1:2005

---------------------- Page: 2 ----------------------

SIST-TP ETSI/TR 102 040 V1.1.1:2005

ETSI TR 102 040 V1.1.1 (2002-03)
Technical Report


International Harmonization
of Policy Requirements for CAs issuing Certificates

---------------------- Page: 3 ----------------------

SIST-TP ETSI/TR 102 040 V1.1.1:2005
 2 ETSI TR 102 040 V1.1.1 (2002-03)



Reference
DTR/SEC-004015
Keywords
e-commerce, electronic signature, public key,
trust services, security
ETSI
650 Route des Lucioles
F-06921 Sophia Antipolis Cedex - FRANCE

Tel.: +33 4 92 94 42 00  Fax: +33 4 93 65 47 16

Siret N° 348 623 562 00017 - NAF 742 C
Association à but non lucratif enregistrée à la
Sous-Préfecture de Grasse (06) N° 7803/88

Important notice
Individual copies of the present document can be downloaded from:
http://www.etsi.org
The present document may be made available in more than one electronic version or in print. In any case of existing or
perceived difference in contents between such versions, the reference version is the Portable Document Format (PDF).
In case of dispute, the reference shall be the printing on ETSI printers of the PDF version kept on a specific network drive
within ETSI Secretariat.
Users of the present document should be aware that the document may be subject to revision or change of status.
Information on the current status of this and other ETSI documents is available at
http://portal.etsi.org/tb/status/status.asp
If you find errors in the present document, send your comment to:
editor@etsi.fr
Copyright Notification
No part may be reproduced except as authorized by written permission.
The copyright and the foregoing restriction extend to reproduction in all media.

© European Telecommunications Standards Institute 2002.
All rights reserved.

ETSI

---------------------- Page: 4 ----------------------

SIST-TP ETSI/TR 102 040 V1.1.1:2005
 3 ETSI TR 102 040 V1.1.1 (2002-03)
Contents
Intellectual Property Rights.4
Foreword.4
1 Scope.5
2 References.5
3 Definitions and abbreviations.5
3.1 Definitions.5
3.2 Abbreviations.6
4 Objective.6
5 Relevant activities.6
5.1 Introduction.6
5.2 IETF PKIX policy and practices framework.6
5.3 ISO SC27 TTP guidelines .7
5.4 ABA PKI assessment guidelines .7
5.5 APEC TEL eSTG .7
5.6 ANSI X9.79 - PKI policy and practices framework.7
5.7 ISO TC68 - PKI policy and practices framework .8
6 Recommendations.8
History .9

ETSI

---------------------- Page: 5 ----------------------

SIST-TP ETSI/TR 102 040 V1.1.1:2005
 4 ETSI TR 102 040 V1.1.1 (2002-03)
Intellectual Property Rights
IPRs essential or potentially essential to the present document may have been declared to ETSI. The information
pertaining to these essential IPRs, if any, is publicly available for ETSI members and non-members, and can be found
in ETSI SR 000 314: "Intellectual Property Rights (IPRs); Essential, or potentially Essential, IPRs notified to ETSI in
respect of ETSI standards", which is available from the ETSI Secretariat. Latest updates are available on the ETSI Web
server (http://webapp.etsi.org/IPR/home.asp).
Pursuant to the ETSI IPR Policy, no investigation, including IPR searches, has been carried out by ETSI. No guarantee
can be given as to the existence of other IPRs not referenced in ETSI SR 000 314 (or the updates on the ETSI Web
server) which are, or may be, or may become, essential to the present document.
Foreword
This Technical Report (TR) has been produced by ETSI Technical Committee Security (SEC).
ETSI

---------------------- Page: 6 ----------------------

SIST-TP ETSI/TR 102 040 V1.1.1:2005
 5 ETSI TR 102 040 V1.1.1 (2002-03)
1 Scope
The present document presents the results of ongoing work to harmonize existing ETSI technical specification on policy
requirements for certification authorities (TS 101 456 [1] and TS 102 042 [2]) with other internationally recognized
standards and related activities.
The aim of the present document is to identify the way forward to meet the requirements of European Electronic
Signature Directive 1999/93/EC [5] whilst operating within an internationally harmonized certificate policy framework
to facilitate cross recognition between PKI policy environments.
2 References
For the purposes of this Technical Report (TR) the following references apply:
[1] ETSI TS 101 456: "Policy requirements for certification authorities issuing qualified certificates".
[2] ETSI TS 102 042: "Policy requirements for certification authorities issuing public key
certificates".
[3] RFC 2527: "Internet X.509 Public Key Infrastructure Certificate Policy and Certification Practices
Framework".
[4] ISO/IEC 14516: "Information technology - Security techniques - Guidelines on the use and
management of Trusted Third Party services".
[5] Directive 1999/93/EC of the European Parliament and of the Council of 13 December 1999 on a
Community framework for electronic signatures.
[6] American Bar Association: "PKI Assessment Guidelines (PAG)".
[7] ANSI X9.79: "Public Key Infrastructure (PKI) Practices and Policy Framework".
[8] ISO/TC68/SC2 N1140 - New Work Item Proposal - Public Key Infrastructure for Financial
Services - Practices and Policy Framework.
NOTE: This work item has been agreed and the resulting standard has been designated the identifier ISO 21188.
3 Definitions and abbreviations
3.1 Definitions
For the purposes of the present document, the following terms and definitions apply:
certificate: public key of a user, together with some other information, rendered un-forgeable by encipherment with the
private key of the certification authority which issued it
certificate policy: named set of rules that indicates the applicability of a certificate to a particular community and/or
class of application with common security requirements
certification authority: authority trusted by one or more users to create and assign certificates
certification practice statement: statement of the practices which a certification authority employs in issuing
certificates
ETSI

---------------------- Page: 7 ----------------------

SIST-TP ETSI/TR 102 040 V1.1.1:2005
 6 ETSI TR 102 040 V1.1.1 (2002-03)
3.2 Abbreviations
For the purposes of the present document, the following abbreviations apply:
ABA American Bar Association
ANSI American National Standards Institute
APEC Asia-Pacific Economic Community
CA Certification Authority
EESSI European Electronic Signature Standardization Initiative
IETF Internet Engineering Task Force
ISO International Organization for Standardization
PAG PKI Assessment Guidelines (document published by the ABA [6])
PKI Public Key Infrastructure
4 Objective
The major objective of the present document on international certificate policy harmonization is that other
internationally recognized policies are harmonized with CA policy requirements which meet the requirements of
European electronic signature Directive [5] and other equivalents which are not constrained by the European legal
framework.
Thus, the main aim of harmonization is:
- To ensure that European CAs, both operating within the framework of European Directive and more generally,
have at least equal recognition in the wider international marketplace;
- To ensure that certification schemes accredited under the internationally recognized standards are recognized to
meet the security and management re
...