ETSI TS 102 231 V1.1.1 (2003-10)

SLOVENSKI STANDARD
01-maj-2005
Elektronski podpisi in infrastruktura (ESI) - Zagotavljanje usklajenih statusnih
informacij ponudnikov storitev zaupanja
Electronic Signatures and Infrastructures (ESI) - Provision of harmonized Trust Service
Provider status information
Ta slovenski standard je istoveten z: ETSI TS 102 231 V1.1.1 (2003-10)
ICS:
03.080.99 Druge storitve Other services
35.040.01 Kodiranje informacij na Information coding in general
splošno
2003-01.Slovenski inštitut za standardizacijo. Razmnoževanje celote ali delov tega standarda ni dovoljeno.

Technical Specification
Electronic Signatures and Infrastructures (ESI);
Provision of harmonized Trust Service Provider
status information
�
2 ETSI TS 102 231 V1.1.1 (2003-10)

Reference
DTS/ESI-000010
Keywords
e-commerce, electronic signature, security,
trust services
ETSI
650 Route des Lucioles
F-06921 Sophia Antipolis Cedex - FRANCE

Tel.: +33 4 92 94 42 00  Fax: +33 4 93 65 47 16

Siret N° 348 623 562 00017 - NAF 742 C
Association à but non lucratif enregistrée à la
Sous-Préfecture de Grasse (06) N° 7803/88

Important notice
Individual copies of the present document can be downloaded from:
http://www.etsi.org
The present document may be made available in more than one electronic version or in print. In any case of existing or
perceived difference in contents between such versions, the reference version is the Portable Document Format (PDF).
In case of dispute, the reference shall be the printing on ETSI printers of the PDF version kept on a specific network drive
within ETSI Secretariat.
Users of the present document should be aware that the document may be subject to revision or change of status.
Information on the current status of this and other ETSI documents is available at
http://portal.etsi.org/tb/status/status.asp
If you find errors in the present document, send your comment to:
editor@etsi.org
Copyright Notification
No part may be reproduced except as authorized by written permission.
The copyright and the foregoing restriction extend to reproduction in all media.

© European Telecommunications Standards Institute 2003.
All rights reserved.
TM TM TM
DECT , PLUGTESTS and UMTS are Trade Marks of ETSI registered for the benefit of its Members.
TM
TIPHON and the TIPHON logo are Trade Marks currently being registered by ETSI for the benefit of its Members.
TM
3GPP is a Trade Mark of ETSI registered for the benefit of its Members and of the 3GPP Organizational Partners.
ETSI
3 ETSI TS 102 231 V1.1.1 (2003-10)
Contents
Intellectual Property Rights.7
Foreword.7
Introduction .7
1 Scope.8
2 References.8
3 Definitions and abbreviations.8
3.1 Definitions.8
3.2 Abbreviations.9
4 TSP status information.9
5 Trust-service Status List structure.10
5.1 Structure of the Trust-service Status List .10
5.1.1 Trust-service Status List information.11
5.2 Scheme information.13
5.2.1 TSL version identifier.13
5.2.2 TSL sequence number.13
5.2.3 Signature algorithm identifier.13
5.2.4 Scheme name.13
5.2.5 Scheme operator address .13
5.2.5.1 Scheme operator postal address .14
5.2.5.2 Scheme operator electronic address .14
5.2.6 Scheme information URN .14
5.2.7 Status determination approach.14
5.2.8 Scheme type/community.15
5.2.9 Scheme territory.15
5.2.10 TSL policy/legal notice.15
5.2.11 Historical information period.15
5.2.12 Pointers to other TSLs .16
5.2.13 List issue date and time.16
5.2.14 Next update.16
5.2.15 List of Trust Service Providers .16
5.3 TSP information.16
5.3.1 TSP name.16
5.3.2 TSP trade name.17
5.3.3 TSP address.17
5.3.3.1 TSP postal address .17
5.3.3.2 TSP electronic address .17
5.3.4 TSP information URN .17
5.3.5 List of services.18
5.4 Service information.18
5.4.1 Service type identifier.18
5.4.2 Service name.18
5.4.3 Service digital identity .19
5.4.4 Service current status .19
5.4.5 Current status starting date and time.20
5.4.6 Scheme service definition URN.21
5.4.7 TSP service definition URN .21
5.4.8 Service approval history .21
5.5 History information.21
5.5.1 Service type identifier.21
5.5.2 Service name.21
5.5.3 Service digital identity .22
5.5.4 Service previous status.22
5.5.5 Previous status starting date and time.22
ETSI
4 ETSI TS 102 231 V1.1.1 (2003-10)
5.6 Signature.22
5.6.1 Signed TSL.22
5.6.2 Scheme operator identification .22
5.6.3 Signature algorithm identifier.22
5.6.4 Signature value.23
5.7 Trust-service Status List tag .23
5.7.1 Tagged TSL.23
5.7.2 TSL tag.23
Annex A (normative): Implementation in ASN.1 .24
A.1 Trust-service Status List tag.24
A.2 Scheme information.24
A.2.1 TSL version identifier .24
A.2.2 TSL sequence number.24
A.2.3 Signature algorithm identifier.25
A.2.4 Scheme name.25
A.2.5 Scheme operator address .25
A.2.6 Scheme information URN .25
A.2.7 Status determination approach .25
A.2.8 Scheme type/community.25
A.2.9 Scheme territory.26
A.2.10 TSL policy/legal notice.26
A.2.11 Historical information period .26
A.2.12 Pointers to other TSLs.26
A.2.13 List issue date and time .26
A.2.14 Next update.26
A.2.15 List of Trust Service Providers.27
A.3 TSP service information.27
A.3.1 Service digital identity.28
A.4 History information.28
A.5 Signature.28
Annex B (normative): Implementation in XML .29
B.1 XML-namespace and basic types.29
B.1.1 The InternationalNames Type .29
B.1.2 The AddressType Type .30
B.1.3 The PostalAddressListType Type .30
B.1.4 The PostalAddress Type .30
B.1.5 The ElectronicAddressType Type.30
B.2 The TrustserviceStatusList element .31
B.3 The SchemeInformation element .31
B.3.1 The TSLVersionIdentifier element.31
B.3.2 The TSLSequenceNumber element.31
B.3.3 The SignatureAlgorithmIdentifier element.32
B.3.4 The SchemeName element .32
B.3.5 The SchemeOperatorAddress element .32
B.3.6 The SchemeInformationURN element.32
B.3.7 The StatusDeterminationApproach element.32
B.3.8 The SchemeType element.32
B.3.9 The SchemeTerritory element.33
B.3.10 The PolicyOrLegalNotice element.33
B.3.11 The HistoricalInformationPeriod element .33
B.3.12 The PointersToOtherTSL element .33
B.3.13 The ListIssueDateTime element .34
B.3.14 The NextUpdate element.34
B.3.15 The TrustServiceProvider element .34
ETSI
5 ETSI TS 102 231 V1.1.1 (2003-10)
B.4 The TSPInformation element.35
B.4.1 The TSPName element .35
B.4.2 The TSPTradeName element .35
B.4.3 The TSPAddress element.35
B.4.4 The TSPInformationURI element .35
B.4.5 The TSPServices element .36
B.5 The ServiceInformation element .36
B.5.1 The ServiceTypeIdentifier element .36
B.5.2 The ServiceName element.37
B.5.3 The ServiceDigitalIdentity element.37
B.5.4 The ServiceStatus element.37
B.5.5 The StatusStartingTime element .37
B.5.6 The SchemeServiceDefinitionURI element .38
B.5.7 The TSPServiceDefinitionURI element.38
B.5.8 The ServiceHistory element .38
B.6 The ServiceHistory type .38
B.7 The Signature element .39
B.8 The TSLTag element.39
Annex C (informative): Implementation considerations .40
C.1 General.40
C.2 What is a Service?.40
C.3 TSL publication.40
C.3.1 Scoping the TSL population.40
C.3.2 Publication guidelines.41
C.3.2.1 Provision of the scheme operator's public (verification) key.41
C.3.2.2 Publication of the TSL.41
C.3.2.3 Security issues.41
C.3.2.4 Identifying TSPs.42
C.4 Locating a TSL.42
C.4.1 TSL location models.43
C.4.1.1 Bound information.43
C.4.1.2 Linked information.43
C.4.1.3 De-coupled information.44
C.4.2 Searching for a TSL .44
C.4.2.1 Same-scheme searching.44
C.4.2.2 Known scheme searching.44
C.4.2.3 "Blind" (unknown) scheme searching.45
C.5 Verifying a TSL .45
C.5.1 Further verification issues .46
C.6 Management and performance of TSL provision.46
C.6.1 Change of scheme administrative information .46
C.6.2 Change of TSP administrative information .47
C.6.3 Change of trust-service status.47
C.6.4 Amendment response times.47
C.6.5 On-going verification of authenticity .48
C.6.6 Upon a scheme's cessation of operations.48
C.6.7 User reference to TSL .48
C.6.8 Reliance upon hard-copy TSL information .48
Annex D (informative): Example queries and responses.49
D.1 General.49
D.2 Example 1.49
D.2.1 Scenario.49
ETSI
6 ETSI TS 102 231 V1.1.1 (2003-10)
D.2.2 Query.49
D.2.3 TSL interpretation and query response.50
D.3 Example 2.50
D.3.1 Scenario.50
D.3.2 Query.50
D.3.3 TSL interpretation and query response.50
D.4 Example 3.50
D.4.1 Scenario.50
D.4.2 Query.51
D.4.3 TSL interpretation and query response.51
D.5 Example 4.52
D.5.1 Scenario.52
D.5.2 Query.52
D.5.3 TSL interpretation and query response.52
Annex E (informative): Rationales for TSL fields.53
Annex F (normative): XML schema .57
Annex G (informative): Bibliography.58
History .59

ETSI
7 ETSI TS 102 231 V1.1.1 (2003-10)
Intellectual Property Rights
IPRs essential or potentially essential to the present document may have been declared to ETSI. The information
pertaining to these essential IPRs, if any, is publicly available for ETSI members and non-members, and can be found
in ETSI SR 000 314: "Intellectual Property Rights (IPRs); Essential, or potentially Essential, IPRs notified to ETSI in
respect of ETSI standards", which is available from the ETSI Secretariat. Latest updates are available on the ETSI Web
server (http://webapp.etsi.org/IPR/home.asp).
Pursuant to the ETSI IPR Policy, no investigation, including IPR searches, has been carried out by ETSI. No guarantee
can be given as to the existence of other IPRs not referenced in ETSI SR 000 314 (or the updates on the ETSI Web
server) which are, or may be, or may become, essential to the present document.
Foreword
This Technical Specification (TS) has been produced by ETSI Technical Committee Electronic Signatures and
Infrastructures (ESI).
Introduction
The purpose of a Trust-service Status List (TSL), and hence of the present document, is to provide a harmonized way in
which schemes having an oversight role with regards to trust services and their providers (trust service providers -
TSPs) can publish information about the services and TSPs which they currently oversee, or indeed (through the
provision of historical information) have overseen.
The present document is based upon the reasoning that it will enhance the confidence of parties relying on certificates
or other services related to electronic signatures if they had access to information that would allow them to know
whether a given TSP was operating under the approval of any recognized at the time of providing their services and of
any dependent transaction that took place.
The information should be available for a wide range of services and schemes, including the use of Qualified
Certificates. The importance of this information is especially significant for cross-domain and international transactions.
This information should preferably be accessible using an on-line protocol, although accessibility both off-line and on-
line should be possible.
Entities having such an oversight role could be supervisory systems or voluntary approval schemes as defined in
Directive 1999/93/EC (see bibliography), similar schemes established by other sovereign states or economies
(e.g. certain government e-authentication frameworks), and those established by specific industry sectors or for
international promotion of trust services.
ETSI
8 ETSI TS 102 231 V1.1.1 (2003-10)
1 Scope
The present document specifies a standard for a Trust-service Status List making available trust service status
information. In addition, it gives guidelines for access to and the use of such status information.
The present document is applicable to scheme operators responsible for the approval of trust services and to those who
wish to rely on such information.
2 References
The following documents contain provisions which, through reference in this text, constitute provisions of the present
document.
• References are either specific (identified by date of publication and/or edition number or version number) or
non-specific.
• For a specific reference, subsequent revisions do not apply.
• For a non-specific reference, the latest version applies.
Referenced documents which are not found to be publicly available in the expected location might be found at
http://docbox.etsi.org/Reference.
[1] ISO 639-1: "Codes for the representation of names of languages - Part 1: Alpha-2 code".
[2] IETF RFC 1766: "Tags for the Identification of Languages".
[3] ISO 3166-1: "Codes for the representation of names of countries and their subdivisions -
Part 1: Country codes".
[4] IETF RFC 2396: "Uniform Resource Identifiers (URI): Generic Syntax".
[5] ITU-T Recommendation X.509: "Information technology - Open Systems Interconnection - The
Directory: Public-key and attribute certificate frameworks".
[6] IETF RFC 2253: "Lightweight Directory Access Protocol (v3): UTF-8 String Representation of
Distinguished Names".
[7] IETF RFC 2141: "URN Syntax".
[8] ITU-R Recommendation TF.460-5: "Standard-Frequency and Time-Signal Emissions".
[9] IETF RFC 3280: " Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation
List (CRL) Profile".
3 Definitions and abbreviations
3.1 Definitions
For the purposes of the present document, the following terms and definitions apply:
approval: assertion that a(n electronic trust) service, falling within the oversight of a particular scheme, has been either
positively endorsed (active approval) or has received no explicit restriction since the time at which the scheme was
aware of the existence of the said service (passive approval)
(electronic) trust service: service which enhances trust and confidence in electronic transactions (typically but not
necessarily using cryptographic techniques or involving confidential material)
ETSI
9 ETSI TS 102 231 V1.1.1 (2003-10)
scheme: any organized process of supervision, monitoring, approval or such practices that are intended to apply
oversight with the objective of ensuring adherence to specific criteria in order to maintain confidence in the services
under the scope of the scheme
scheme operator: body responsible for the operation and/or management of any kind of scheme, whether they be
governmental, industry or private, etc.
Trust Service Provider (TSP): body operating one or more (electronic) trust services
NOTE: This embraces a wide range of services which may relate to electronic signatures and is broader than the
provision of certification services alone, and hence is used in preference to and with a broader application
than, the term certification-service-provider used in Directive 1999/93/EC.
3.2 Abbreviations
For the purposes of the present document, the following abbreviations apply:
ASN Abstract Syntax Notation
CA Certification Authority
CRL Certificate Revocation List
EU European Union
OCSP Online Certificate Status Protocol
PKC Public Key Certificate
PKI Public Key Infrastructure
TSL Trust-service Status List
TSP Trust Service Provider
URI Uniform Resource Identifier
URN Uniform Resource Name
UTC Coordinated Universal Time
WWW World Wide Web
XML eXtensible Markup Language
4 TSP status information
The present document specifies a standard for the provision of trust service status information. In recognition of the
selection of a form of signed list as the basis for presentation of this information, the term Trust-service Status List
(TSL) is adopted. Each scheme which maintains a TSL in accordance with the present document must comply with the
format and semantics specified in clause 5. Each such scheme must operate against specific criteria for determining the
status of TSPs and trust services which it recognizes: a scheme operator could, therefore, operate more than one discrete
scheme.
It should be noted that the present document addresses only the type, format and meaning of information which may be
presented in a TSL and does not define how that information should be sourced. Nor does it specify the criteria which
schemes should use to determine the status of any trust services falling within their remit - such criteria remain the
responsibility of the scheme operators. Furthermore, it does not specify how any status or scheme-related information
should be presented outside the context of a TSL, e.g. on schemes' websites.
Each scheme adopting this TSL standard must be able to support the provision of status information in each of the
following forms:
• Human readable in hard-copy form;
• Human readable in a format readily down-loadable and printable;
• Machine processable to allow automatic verification of status information.
ETSI
10 ETSI TS 102 231 V1.1.1 (2003-10)
The TSL specified by the present document accommodates the requirement as to "whether the provider of a trust
service is or was operating under the approval of any recognized scheme at either the time the service was provided, or
the time at which a transaction reliant on that service took place". In order to fulfil this requirement, Trust-service
Status Lists must necessarily contain information from which it can be established whether the TSP's service was, at the
time of the transaction, known by the scheme operator and if so the status of the service, i.e. whether it was approved,
suspended, cancelled, revoked, etc. The Trust-service Status List must therefore contain not only the service's current
status, but also the history of its status. The TSL must therefore, because of this requirement upon it, be a combination
of "white list" and "black list", including historical information.
The TSL specified by the present document therefore has four major components, in a structured relationship. These
components:
• provide information on the issuing scheme;
• identify the TSPs recognized by the scheme;
• indicate the service(s) provided by these TSPs and the current status of the service(s);
• indicate for each service the status history of that service.
The logic of the list is that, once the scheme operator has become aware of the existence of the TSP (whether by some
pro-active action on the part of the TSP or by the scheme's own supervision of the marketplace), the particular status as
determined according to the scheme rules is either the present status of the TSP's service (i.e. only current status, no
history) or is seamlessly followed by a sequence of one or more statuses (current status and history). Note that if a trust
service was approved until a certain date/time and there was a period in between the expiry of the approval and the start
of the re-approval, then a status identifier would provide the information for that interim period. The "interim status"
would either be cancelled (voluntarily, by the TSP) or revoked (by the scheme, with reasons).
5 Trust-service Status List structure
This clause specifies the Trust-service Status List structure. Each of the fields within the TSL is described to a level of
detail sufficient to permit any scheme operator to implement a standardized TSL, consistent with any other TSL
conformant to the present document, with specified values, meanings and interpretations given for each field. Whether
the inclusion of a field is mandatory or optional is indicated. The rationale for requiring each field and specifying it as
given is explained in annex E.
5.1 Structure of the Trust-service Status List
The logical model of the Trust-service Status List is shown in figure 1. It has four logical component parts, all but the
first of which may be replicated as required.
The list commences with key information about the list itself and the nature of the scheme which has determined the
information found in, and through, the list (component 1). The specified set of information must include a pointer
(URN) to details of the scheme and how its operator may be contacted. Whilst the objective has been to keep the size of
the TSL to the minimum consistent with its purpose and the requirements placed upon it, certain key information which
one would expect to be found in the scheme details must be provided directly within the TSL itself so as to facilitate
either easy recognition and contact with the scheme or machine processing.
Following this scheme-related information there comes information relating to the Trust Service Providers (TSPs)
whose services are within the scope of the scheme (component 2), and for each of those TSPs, the details of their
specific trust services whose current status is recorded within the TSL (component 3). For each service, any available
historical status information is recorded (component 4). The number of TSPs, of services per TSP, and of history
sections per service is unbounded.
The TSL is a signed list for authentication purposes and is tagged to facilitate identification for electronic searches. The
structure of the TSL is described in the following clauses by each component part and its fields.
ETSI
11 ETSI TS 102 231 V1.1.1 (2003-10)
5.1.1 Trust-service Status List information
Description: This field represents all the structured information and shall contain the following:
a) Scheme information, as specified in clause 5.2;
b) A sequence of fields containing information on the TSPs that the scheme oversees. This sequence is
mandatory. The contents of the TSP information field are specified in clause 5.3;
c) For each TSP, a sequence of fields containing information on the service(s) provided by that TSP. This
sequence is optional. The contents of the service information field are specified in clause 5.4;
d) For each service, a sequence of fields containing information on the status history of that service. This
sequence is
...