EU Member States Trusted Lists Scheme Type Community Rules: Common statement


Participation in a scheme

Each Member State must create a ‘Trusted List of supervised/accredited Certification Service Providers’ providing information about the supervision/accreditation status of certification services from Certification Service Providers (CSPs) who are supervised/accredited by the relevant Member State for compliance with the relevant provisions of Directive 1999/93/EC of the European Parliament and of the Council of 13 December 1999 on a Community framework for electronic signatures.

The present implementation of such Trusted Lists is also to be referred to in the list of links (pointers) towards each Member State’s Trusted List, compiled by the European Commission.

Policy/rules for the assessment of the listed services

The Trusted List of a Member State must provide, as a minimum, information on supervised/accredited CSPs issuing Qualified Certificates in accordance with the provisions laid down in Directive 1999/93/EC (Article 3(2) and (3) and Article 7(1)(a)), including information on the Qualified Certificate (QC) supporting the electronic signature and whether the signature is or not created by a Secure Signature Creation Device.

The CSPs issuing Qualified Certificates (QCs) must be supervised by the Member State in which they are established (if they are established in a Member State), and may also be accredited, for compliance with the provisions laid down in Directive 1999/93/EC, including compliance with the requirements of Annex I (requirements for QCs), and those of Annex II (requirements for CSPs issuing QCs). CSPs issuing QCs that are accredited in a Member State must still fall under the appropriate supervision system of that Member State unless they are not established in that Member State. The applicable ‘supervision’ system (respectively ‘voluntary accreditation’ system) is defined and must meet the relevant requirements of Directive 1999/93/EC, in particular those laid down in Article 3(3), Article 8)(1), Article 11 (respectively, Article 2(13), Article 3(2), Article 7(1)(a), Article 8(1), Article 11).

Additional information on other supervised/accredited CSPs not issuing QCs but providing services related to electronic signatures (e.g. CSP providing Time Stamping Services and issuing Time Stamp Tokens, CSP issuing non- Qualified certificates, etc.) may be included in the Trusted List at a national level on a voluntary basis.

CSPs not issuing QCs but providing ancillary services, may fall under a ‘voluntary accreditation’ system (as defined in and in compliance with Directive 1999/93/EC) and/or under a nationally defined ‘recognised approval scheme’ implemented on a national basis for the supervision of compliance with the provisions laid down in Directive 1999/93/EC and possibly with national provisions with regard to the provision of certification services (in the sense of Article 2(11) of Directive 1999/93/EC). Some of the physical or binary (logical) objects generated or issued as a result of the provision of a certification service may be entitled to receive a specific ‘qualification’ on the basis of their compliance with the provisions and requirements laid down at national level but the meaning of such a ‘qualification’ is likely to be limited solely to the national level.

Interpretation of the Trusted List

The general user guidelines for electronic signature applications, services or products relying on a Trusted List according to the Annex of Commission Decision 2013/662/EU are as follows:

A ‘CA/QC’ ‘Service type identifier’ (‘Sti’) entry (similarly a CA/QC entry further qualified as being a ‘RootCA/QC’ through the use of ‘Service information extension’ (‘Sie’) additionalServiceInformation Extension)

— indicates that from the ‘Service digital identifier’ (‘Sdi’) identified CA (similarly within the CA hierarchy starting from the ‘Sdi’ identified RootCA) from the corresponding CSP (see associated TSP information fields), all issued end-entity certificates are Qualified Certificates (QCs) provided that it is claimed as such in the certificate through the use of appropriate EN 319 412-5 defined QcStatements (i.e. QcCompliance, QcSSCD, etc.) and/or EN 319 411-2 defined QCP(+) OIDs (and this is guaranteed by the issuing CSP and ensured by the Member State Supervisory/Accreditation Body)

Note: if no ‘Sie’ ‘Qualifications Extension’ information is present or if an end-entity certificate that is claimed to be a QC is not further identified through a related ‘Sie’ ‘Qualifications Extension’ information, then the ‘machine- processable’ information to be found in the QC is supervised/accredited to be accurate. That means that the usage (or not) of the appropriate ETSI defined QcStatements (i.e. QcCompliance, QcSSCD, etc.) and/or ETSI defined QCP(+) OIDs is ensured to be in accordance with what it is claimed by the CSP issuing QCs.

and IF ‘Sie’ ‘Qualifications Extension’ information is present, then in addition to the above default usage interpretation rule, those certificates that are identified through the use of this ‘Sie’ ‘Qualifications Extension’ information, which is constructed on the principle of a sequence of filters further identifying a set of certificates, must be considered according to the associated qualifiers providing some additional information regarding the qualified status, the ‘SSCD support’ and/or ‘Legal person as subject’ (e.g. those certificates containing a specific OID in the Certificate Policy extension, and/or having a specific ‘Key usage’ pattern, and/or filtered through the use of a specific value to appear in one specific certificate field or extension, etc.). Those qualifiers are part of the following set of ‘Qualifiers’ used to compensate for the lack of information in the corresponding QC content, and that are used respectively:
  • to indicate the qualified status: ‘QCStatement’ meaning the identified certificate(s) is(are) qualified,
  • to indicate the nature of the SSCD support:
    • ‘QCWithSSCD’ qualifier value meaning ‘QC supported by an SSCD’, or
    • ‘QCNoSSCD’ qualifier value meaning ‘QC not supported by an SSCD’, or
    • ‘QCSSCDStatusAsInCert’ qualifier value meaning that the SSCD support information is ensured to be contained in any QC under the ‘Sdi’-‘Sie’ provided information in this CA/QC entry,

AND/OR

  • to indicate issuance to Legal Person:
    • ‘QCForLegalPerson’ qualifier value meaning ‘Certificate issued to a Legal Person’.

The general interpretation rule for any other ‘Sti’ type entry is that the listed service named according to the ‘Sn’ field value and uniquely identified by the ‘Sdi’ field value has a current supervision/accreditation status according to the ‘Scs’ field value as from the date indicated in the ‘Current status starting date and time’. Specific interpretation rules for any additional information with regard to a listed service (e.g. ‘Service information extensions’ field) may be found, when applicable, in the Member State specific URI as part of the present ‘Scheme type/community/rules’ field.

Please refer to the Technical specifications for a Common Template for the ‘Trusted List of supervised/accredited Certification Service Providers’ in the Annex of Commission Decision 2009/767/EC for further details on the fields, description and meaning for the Member States’ Trusted Lists.