1. ETSI 101 456
2. ETSI 002 176
3. ETSI 102 023
4. ETSI 101 861
[1] In response to ETSI 101 456 sub section 7.1 Note 1 and Note 2, the Digi-CAST3™ Team in conjunction with the certified BS 7799 Trust Centre Team will ensure that all documentation, subscriber agreements, Certificate Policy and Certificate Practice Statement [2] are up to date and publicly available.
In response to ETSI 101 456 sub section 7.2.1 and 7.2.2 the key generation is undertaken in a physically secured environment by personnel in trusted roles under dual control. The number of personnel authorized to carry out this function is kept to a minimum and is consistent with the Trust Centre practices.
The private signing key is held, and key generation is carried out, within the secure cryptographic Eracom Host Orange Hardware Security Module [HSM] device, which is certified to FIPS PUB 140-2 level 3 and meets the requirements identified in CEN Workshop Agreement 14167-2 [8]. The keys are not accessible outside the HSM.
Key generation is performed using the RSA algorithm with a key length of at least 1024 bits, which is recognized as being fit for the purposes of qualified certificates.
The Digi-CA™ [3] private signing key is backed up, stored and recovered only by personnel in trusted roles using dual control in a physically secured environment. The number of personnel authorized to carry out this function is kept to a minimum and is consistent with the Digi-CA’s™ practices, and backup copies of the Digi-CA™ private signing keys are subject to a greater level of security controls than the keys currently in use.
In response to ETSI 101 456 sub section 7.2.3 the Digi-CA™ signature verification (public) keys are made available to relying parties by combining the public LDAP directory, Certificate Revocation List and OCSP [4] Service.
In response to ETSI 101 456 sub section 7.2.4 the Digi-CA™ and subject private signing keys are not held in a way which provides a backup decryption capability, allowing authorized entities under certain conditions to decrypt data using information supplied by one or more parties (commonly called key escrow).
In response to ETSI 101 456 sub section 7.2.5 the Digi-CA™ signing key(s) used for generating certificates and/or issuing revocation status information are not used for any other purpose, and the certificate signing keys are only used within the physically secure Trust Centre.
In response to ETSI 101 456 sub section 7.2.6 the Digi-CA™ private signing keys are not used beyond the end of their life cycle and all copies of the Digi-CA™ private signing keys are destroyed such that the Private Keys cannot be retrieved; or are retained in a manner such that they are protected against being put back into use.
In response to ETSI 101 456 sub section 7.2.7 the certificate signing cryptographic hardware was not tampered with during shipment and neither was the certificate and revocation status information signing cryptographic hardware. The installation, activation, back-up and recovery of the Digi-CA’s™ signing keys in cryptographic hardware requires simultaneous control of at least two trusted employees, and the certificate and revocation status information signing cryptographic hardware is functioning correctly. The Digi-CA™ private signing keys stored on Digi-CA™ cryptographic hardware will be destroyed upon device retirement.
In response to ETSI 101 456 sub section 7.2.9 the secure signature creation device preparation is securely controlled by the service provider and then stored and distributed. Secure signature creation device deactivation and reactivation is securely controlled, where it has associated user activation data. The activation data is securely prepared and distributed separately from the secure signature creation device.
In response to ETSI 101 456 sub section 7.3.1 the Digi-CA™ ensures that subjects are properly identified and authenticated; and that subject certificate requests are complete, accurate and duly authorized. Before entering into a contractual relationship with a subscriber, the Digi-CA™ informs the subscriber of the terms and conditions regarding the use of the certificate. The Digi-CA™ communicates this information through a durable (i.e. with integrity over time) means of communication, which may be transmitted electronically, and in readily understandable language. The service provider verifies by appropriate means in accordance with national law, the identity and, if applicable, any specific attributes of the person to which a qualified certificate is issued. Evidence of the identity is checked against a physical person either directly or indirectly using means which provide equivalent assurance to physical presence, and the submitted evidence may be in the form of either paper or electronic documentation. Where the subject is a person, the evidence provided is of full name, date and place of birth, a nationally recognized number, or other attributes that are used to, as far as possible, distinguish the person from others with the same name.
Where the subject is a person who is identified in association with a legal person, or other organizational entity, the evidence provided is of full name, date and place of birth, a nationally recognized identity number, or other attributes of the subject which are used to, as far as possible, distinguish the person from others with the same name; full name and legal status of the associated legal person or other organizational entity; any relevant existing registration information (e.g. company registration) of the associated legal person or other organizational entity; and evidence that the subject is associated with the legal person or other organizational entity. The subscriber provides a physical address, or other attributes, which describe how the subscriber may be contacted. The Digi-CA™ records all the information used to verify the subjects' identity, including any reference number on the documentation used for verification, and any limitations on its validity.
The Digi-CA™ also records the signed agreement with the subscriber including agreement to the subscriber's obligations, agreement to use an SSCD if required, consent to the keeping of a record by the Digi-CA™ of information used in registration, subject device provision, any subsequent revocation, and passing of this information to third parties under the same conditions as required by this policy in the case of the Digi-CA™ terminating its services, whether and under what conditions the subscriber requires and the subject consents to the publication of the certificate, and confirmation that the information held in the certificate is correct.
The records identified above are retained for the period of time as indicated to the subscriber and as necessary for the purposes of providing evidence of certification [5] in legal proceedings. If the Digi-CA™ does not generate the subject’s key pair, the certificate request process ensures that the subject has possession of the Private Key associated with the Public Key presented for certification, and the CA ensures that the requirements of the national data protection legislation are adhered to (including the use of pseudonyms if applicable) within their registration process.
In response to ETSI 101 456 sub section 7.3.2 the Digi-CA™ checks that the information used to verify the identity and attributes of the subject is still valid and if any of the Digi-CA™ terms and conditions have changed, these shall be communicated to the subscriber and agreed. If any information has changed, this is verified, recorded and agreed to by the subscriber. The Digi-CA™ issues a new certificate using the subject's previously certified Public Key only if its cryptographic security is still sufficient for the new certificate's intended lifetime and no indications exist that the subject's Private Key is compromised.
In response to ETSI 101 456 sub section 7.3.3 the Digi-CA™ ensures that it issues certificates securely to maintain their authenticity and the procedure of issuing the certificate is securely linked to the associated registration, certificate renewal or rekey, including the provision of any subject generated Public Key. If the Digi-CA™ generated the subject’s key, the procedure of issuing the certificate is securely linked to the generation of the key pair by the Digi-CA™ and the Private Key is securely passed to the registered subscriber or subject. The Digi-CA™ ensures over time the uniqueness of the distinguished name assigned to the subject within the domain of the Digi-CA™ (i.e. over the lifetime of the Digi-CA™ a distinguished name which has been used in an issued certificate shall never be re-assigned to another entity), and the confidentiality and integrity of registration data shall be protected especially when exchanged with the subscriber, subject or between distributed Digi-CA™ system components. The Digi-CA™ also verifies that registration data is exchanged with recognized registration service providers, whose identity is authenticated, in the event that external registration service providers are used.
In response to ETSI 101 456 sub section 7.3.4 the Digi-CA™ makes available to subscribers and relying parties the terms and conditions regarding the use of the certificate, the qualified certificate policy being applied, including a clear statement as to whether the policy is for certificates issued to the public and whether the policy requires use of an SSCD, any limitations on its use, the subscriber's obligations including whether the policy requires use of an SSCD, information on how to validate the certificate including requirements to check the revocation status of the certificate, such that the relying party is considered to "reasonably rely" on the certificate, limitations of liability including the purposes/uses for which the Digi-CA™ accepts (or excludes) liability, the period of time which registration information is retained, the period of time which Digi-CA™ event logs are retained, procedures for complaints and dispute settlement, the applicable legal system; and if the Digi-CA™ has been certified to be conformant with the identified qualified certificate policy, and if so through which scheme. The information identified is available through a durable (i.e. with integrity over time) means of communication, which is transmitted electronically, and in readily understandable language.
In response to ETSI 101 456 sub section 7.3.5 upon generation, the complete and accurate certificate is available to the subscriber or subject for whom the certificate is being issued, and certificates are available for retrieval in only those cases for which the subject's consent has been obtained. The Digi-CA™ makes available to relying parties the terms and conditions regarding the use of the certificate and the applicable terms and conditions are readily identifiable for a given certificate. The information identified is available 24 hours per day, 7 days per week. Upon system failure, service or other factors, which are not under the control of the Digi-CA™, the Digi-CA™ makes best endeavours to ensure that this information service is not unavailable for longer than a maximum period of time as denoted in the certification practice statement. The information identified is publicly and internationally available.
In response to ETSI 101 456 sub section 7.3.6 the Digi-CA™ ensures that certificates are revoked in a timely manner based on authorized and validated certificate revocation requests, and documents, as part of its certification practice statement, the procedures for revocation of certificates, including who may submit revocation reports and requests, how they may be submitted, any requirements for subsequent confirmation of revocation reports and requests, whether and for what reasons certificates may be suspended, the mechanism used for distributing revocation status information and the maximum delay between receipt of a revocation request or report and the change to revocation status information being available to all relying parties. This is at most 1 day. Requests and reports relating to revocation (e.g. due to compromise of subject's Private Key, death of the subject, unexpected termination of a subscriber's or subject's agreement or business functions, violation of contractual obligations) are processed on receipt and checked to be from an authorized source. Such reports and requests are confirmed as required under the Digi-CA’s™ practices.
A certificate's revocation status is set to suspended whilst the revocation is being confirmed. The Digi-CA™ ensures that a certificate is not kept suspended for longer than is necessary to confirm its status. The subject, and where applicable the subscriber, of a revoked or suspended certificate, is informed of the change of status of its certificate, and once a certificate is definitively revoked (i.e. not suspended) it is not reinstated. Where Certificate Revocation Lists (CRLs) including any variants (e.g. Delta CRLs) are used, these are published at least daily, every CRL states a time for the next CRL issue, and a new CRL may be published before the stated time of the next CRL issue. The CRL is signed by the certification authority or by an authority designated by the Digi-CA™. Revocation management services and revocation status information are available 24 hours per day, 7 days per week. Upon system failure, service or other factors, which are not under the control of the Digi-CA™, the Digi-CA™ makes best endeavours to ensure that this service is not unavailable for longer than a maximum period of time as denoted in the certification practice statement. The integrity and authenticity of the status information is protected and revocation status information is publicly and internationally available.
[1] In response to ETSI 101 456 sub section 7.4.1 the Digi-CA™ carries out a risk assessment to evaluate business risks and determine the necessary security requirements and operational procedures and retains responsibility for all aspects of the provision of certification [5] services, even if some functions are outsourced to subcontractors. Responsibilities of third parties are clearly defined by the Digi-CA™ [3] and appropriate arrangements made to ensure that third parties are bound to implement any controls required by the Digi-CA™. The Digi-CA™ retains responsibility for the disclosure of relevant practices of all parties. The Digi-CA™ management provides direction on information security through a suitable high level steering forum that is responsible for defining the Digi-CA’s™ information security policy and ensuring publication and communication of the policy to all employees who are impacted by the policy. The information security infrastructure necessary to manage the security within the Digi-CA™ is maintained at all times. The Digi-CA™ management forum approves any changes that will impact on the level of security provided. The security controls and operating procedures for Digi-CA™ facilities, systems and information assets providing the certification services are documented, implemented and maintained and Digi-CA™ ensures that the security of information is maintained when the responsibility for Digi-CA™ functions has been outsourced to another organization or entity.
In response to ETSI 101 456 sub section 7.4.2 the Digi-CA™ maintains an inventory of all information assets and assigns a classification for the protection requirements to those assets consistent with the risk analysis.
In response to ETSI 101 456 sub section 7.4.3 the Digi-CA™ employs personnel who possess the expert knowledge, experience and qualifications necessary for the offered services and as appropriate to the job function. Security roles and responsibilities, as specified in the Digi-CA’s™ security policy, are documented in job descriptions. Trusted roles, on which the security of the Digi-CA’s™ operation is dependent, are clearly identified. Digi-CA™ personnel (both temporary and permanent) have job descriptions defined from the view point of separation of duties and least privilege, determining position sensitivity based on the duties and access levels, background screening and employee training and awareness. Where appropriate, these differentiate between general functions and Digi-CA™ specific functions. It is recommended that the job descriptions include skills and experience requirements. Personnel exercise administrative and management procedures and processes that are in line with the Digi-CA’s™ information security management procedures. Managerial personnel are employed who possess expertise in the electronic signature technology and familiarity with security procedures for personnel with security responsibilities and experience with information security and risk assessment, and all Digi-CA™ personnel in trusted roles are free from conflicting interests that might prejudice the impartiality of the Digi-CA™ operations.
Trusted roles include roles such as Security Officers: Overall responsibility for administering the implementation of the security practices. Additionally approve the generation/revocation/suspension of Certificates; System Administrators: Authorized to install, configure and maintain the Digi-CA™ trustworthy systems for registration, certificate generation, subject device provision and revocation management; System Operators: Responsible for operating the Digi-CA™ trustworthy systems on a day-to-day basis and authorized to perform system backup and recovery; System Auditors: Authorized to view and maintain archives and audit logs of the Digi-CA™ trustworthy systems. Digi-CA™ personnel are formally appointed to trusted roles by senior management responsible for security. The Digi-CA™ does not appoint to trusted roles or management any person who is known to have a conviction for a serious crime or other offence which affects his/her suitability for the position. Personnel do not have access to the trusted functions until any necessary checks are completed.
In response to ETSI 101 456 sub section 7.4.4 physical access to facilities concerned with certificate generation, subject device provision, and revocation management services is limited to properly authorized individuals; controls are implemented to avoid loss, damage or compromise of assets and interruption to business activities; and controls are implemented to avoid compromise or theft of information and information processing facilities. The facilities concerned with certificate generation, subject device provision and revocation management are operated in an environment which physically protects the services from compromise through unauthorized access to systems or data. Physical protection is achieved through the creation of clearly defined security perimeters (i.e. physical barriers) around the certificate generation, subject device provision and revocation management services. Any parts of the premises shared with other organizations are outside this perimeter.
Physical and environmental security controls are implemented to protect the facility housing system resources, the system resources themselves, and the facilities used to support their operation. The Digi-CA’s™ physical and environmental security policy for systems concerned with certificate generation, subject device provision and revocation management services addresses the physical access control, natural disaster protection, fire safety factors, failure of supporting utilities (e.g. power, telecommunications), structure collapse, plumbing leaks, protection against theft, breaking and entering, and disaster recovery, etc. Controls are implemented to protect against equipment, information, media and software relating to the Digi-CA™ services being taken off-site without authorization.
In response to ETSI 101 456 sub section 7.4.5 the integrity of Digi-CA™ systems and information is protected against viruses, malicious and unauthorized software, and damage from security incidents and malfunctions is minimized through the use of incident reporting and response procedures. Media used within the Digi-CA™ are securely handled to protect media from damage, theft and unauthorized access. Procedures are established and implemented for all trusted and administrative roles that impact on the provision of certification services and all media are handled securely in accordance with requirements of the information classification scheme. Media containing sensitive data are securely disposed of when no longer required. Capacity demands are monitored and projections of future capacity requirements made to ensure that adequate processing power and storage are available. The Digi-CA™ acts in a timely and coordinated manner in order to respond quickly to incidents and to limit the impact of breaches of security. All incidents are reported as soon as possible after the incident and Digi-CA™ security operations are separated from normal operations.
In response to ETSI 101 456 sub section 7.4.6 controls (e.g. firewalls) are implemented to protect the Digi-CA’s™ internal network domains from external network domains accessible by third parties, and sensitive data are protected when exchanged over networks which are not secure. The Digi-CA™ ensures effective administration of user (this includes operators, administrators and any users given direct access to the system) access to maintain system security, including user account management, auditing and timely modification or removal of access. The Digi-CA™ ensures access to information and application system functions is restricted in accordance with the access control policy and that the Digi-CA™ system provides sufficient computer security controls for the separation of trusted roles identified in Digi-CA’s™ practices, including the separation of security administrator and operation functions. In particular, use of system utility programs is restricted and tightly controlled. Digi-CA™ personnel are successfully identified and authenticated before using critical applications related to certificate management and are accountable for their activities, for example by retaining event logs. Sensitive data is protected against being revealed through re-used storage objects (e.g. deleted files) being accessible to unauthorized users.
The Digi-CA™ ensures that local network components (e.g. routers) are kept in a physically secure environment and their configurations periodically audited for compliance [5] with the requirements specified by the Digi-CA™. Continuous monitoring and alarm facilities are provided to enable the Digi-CA™ to detect, register and react in a timely manner upon any unauthorized and/or irregular attempts to access its resources. The dissemination application enforces access control on attempts to add or delete certificates and modify other associated information. The revocation status application enforces access control on attempts to modify revocation status information.
In response to ETSI 101 456 sub section 7.4.7 an analysis of security requirements is carried out at the design and requirements specification stage of any systems development project undertaken by the Digi-CA™ or on behalf of the Digi-CA™ to ensure that security is built into IT systems. Change control procedures exist for releases, modifications and emergency software fixes for any operational software.
In response to ETSI 101 456 sub section 7.4.8 the Digi-CA’s™ business continuity plan (or disaster recovery plan) addresses the compromise or suspected compromise of a Digi-CA’s™ private signing key as a disaster. In the case of compromise the Digi-CA™ informs all subscribers, relying parties and other CAs with which it has agreements or other form of established relations of the compromise and indicates that certificates and revocation status information issued using this Digi-CA™ key may no longer be valid.
In response to ETSI 101 456 sub section 7.4.9 the Digi-CA™ ensures that potential disruptions to subscribers and relying parties are minimized as a result of the cessation of the Digi-CA’s™ services, and ensures continued maintenance of records required to provide evidence of certification for the purposes of legal proceedings. Before the Digi-CA™ terminates its services, it informs all subscribers, relying parties and other CAs with which it has agreements or other form of established relations and terminates all authorization of subcontractors to act on behalf of the Digi-CA™ in the performance of any functions related to the process of issuing certificates. The Digi-CA™ performs necessary undertakings to transfer obligations for maintaining registration information and event log archives for their respective period of time as indicated to the subscriber and relying party. The Digi-CA™ also destroys, or withdraws from use, its Private Keys. The Digi-CA™ has an arrangement to cover the costs to fulfil these minimum requirements in case the Digi-CA™ becomes bankrupt or for other reasons is unable to cover the costs by itself. The Digi-CA™ states in its practices the provisions made for termination of service such as the notification of affected entities, the transfer of its obligations to other parties and the handling of the revocation status for unexpired certificates that have been issued.
[1] In response to ETSI 101 456 sub section 7.4.10 important records are protected from loss, destruction and falsification. Some records may need to be securely retained to meet statutory requirements, as well as to support essential business activities, and the Digi-CA™ [3] ensures that the requirements of the European data protection Directive, as implemented through national legislation, are met. Appropriate technical and organizational measures are taken against unauthorized or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data, and the information that users contribute to the Digi-CA™ is completely protected from disclosure without the user's agreement, a court order or other legal authorization.
In response to ETSI 101 456 sub section 7.4.11 the Digi-CA™ ensures that all relevant information concerning a qualified certificate is recorded for an appropriate period of time, in particular for the purpose of providing evidence of certification for the purposes of legal proceedings. The confidentiality and integrity of current and archived records concerning qualified certificates are maintained and records concerning qualified certificates are completely and confidentially archived in accordance with disclosed business practices. Records concerning qualified certificates are made available if required for the purposes of providing evidence of certification for the purpose of legal proceedings. The subject, and within the constraints of data protection requirements the subscriber, have access to registration and other information relating to the subject. The precise time of significant Digi-CA™ environmental, key management and certificate management events are recorded and records concerning qualified certificates are held for a period of time as appropriate for providing necessary legal evidence in support of electronic signatures.
The events are logged in a way that they cannot be easily deleted or destroyed (except for transfer to long term media) within the period of time that they are required to be held and the Digi-CA™ documents the specific events and data to be logged. The Digi-CA™ ensures all events relating to registration including requests for certificate re-key or renewal, are logged. The Digi-CA™ ensures that all registration information is recorded such as type of document(s) presented by the applicant to support registration, record of unique identification data, numbers, or a combination thereof (e.g. applicant's drivers license number) of identification documents, if applicable, storage location of copies of applications and identification documents, including the signed subscriber agreement, any specific choices in the subscriber agreement (e.g. consent to publication of certificate), identity of entity accepting the application, method used to validate identification documents, if any and name of receiving Digi-CA™ and/or submitting Registration Authority, if applicable.
The Digi-CA™ ensures that privacy of subject information is maintained. The Digi-CA™ logs all events relating to the life cycle of Digi-CA™ keys, the life cycle of certificates, the life cycle of keys managed by the Digi-CA™, including any subject keys generated by the Digi-CA™, and the preparation of SSCDs, and ensures that all requests and reports relating to revocation, as well as the resulting action, are logged.
In response to ETSI 101 456 sub section 7.5 policies and procedures under which the Digi-CA™ operates are non-discriminatory. The Digi-CA™ makes its services accessible to all applicants whose activities fall within its declared field of operation. The Digi-CA™ is a legal entity according to national law and has a system or systems for quality and information security management appropriate for the certification services it is providing. The Digi-CA™ has adequate arrangements to cover liabilities arising from its operations and/or activities and financial stability and resources required to operate in conformity with this policy. The Digi-CA™ employs a sufficient number of personnel having the necessary education, training, technical knowledge and experience relating to the type, range and volume of work necessary to provide certification services. The Digi-CA™ has policies and procedures for the resolution of complaints and disputes received from customers or other parties about the provisioning of electronic trust services or any other related matters and a properly documented agreement and contractual relationship in place where the provisioning of services involves subcontracting, outsourcing or other third party arrangements. The parts of the Digi-CA™ concerned with certificate generation and revocation management are independent of other organizations for its decisions relating to the establishing, provisioning and maintaining and suspending of services; in particular its senior executive, senior staff and staff in trusted roles, must be free from any commercial, financial and other pressures which might adversely influence trust in the services it provides. The parts of the Digi-CA™ concerned with certificate generation and revocation management have a documented structure which safeguards impartiality of operations.
In response to ETSI 101 456 sub section 8.1, the Digi-CAST3™ Team will help you ensure that:
b) A risk assessment is carried out to evaluate business requirements and determine the security requirements to be included in the qualified certificate policy for all the areas identified above.
c) All the Certificate Policy documents are approved and modified in accordance with a defined review process, including responsibilities for maintaining the qualified certificate policy.
d) A defined review process exists to ensure that the qualified certificate policies are supported by the Digi-Certificate Practice Statement [2]™.
e) The Digi-CA™ Xg Trust Centre makes available the qualified certificate policies supported by the Digi-CA™ to all appropriate subscribers and relying parties.
f) Revisions to qualified certificate policies supported by the Digi-CA™ are made available to subscribers and relying parties.
g) The qualified certificate policy incorporates all the requirements of Clauses 6 and in particular:
h) That the Digi-CA™ Xg Trust Centre is responsible for conformance with the procedures prescribed in this policy, even when the CA functionality is undertaken by sub-contractors.
i) The CA shall provide all its certification services consistent with its certification practice statement.
j) That the subscriber submits accurate and complete information in accordance with the requirements of the ETSI 101 456 policy, particularly with regards to registration and that the subscriber only uses the key pair for electronic signatures in accordance with any other limitations notified to the subscriber. That the subscriber exercises reasonable care to avoid unauthorized use of the subject's Private Key and if they participate in generating these keys using the Process Method that the algorithm used is recognized as being fit for the purposes of qualified electronic signatures and that the key length and algorithm are recognized as being fit for the purposes of qualified electronic signatures.
k) The Digi-CA™ can show that only the subject holds the Private Key once delivered to the subject and that if the Certificate Policy requires use of an SSCD (i.e. QCP public + SSCD), the Digi-CA™ will only use the certificate with electronic signatures created using such a device.
l) If the Digi-CA™ is not required to issue qualified certificates and if the certificate is issued by the CA under the Certificate Policy for QCP public + SSCD and the subject's keys are generated under control of the subscriber, the Digi-CA™ will generate the subject's keys within the SSCD to be used for signing.
m) The Digi-CA™ Administrator will also ensure that subscribers will notify them without any reasonable delay, if any of the following occur up to the end of the validity period indicated in the certificate:
n) the subject's Private Key has been lost, stolen, potentially compromised; or
o) control over the subject's Private Key has been lost due to compromise of activation data (e.g. PIN code) or other reasons; and/or
p) inaccuracy or changes to the certificate content, as notified to the subscriber.
q) and should any of the above occur, the use of the subject's Private Key is immediately and permanently discontinued.
r) the Digi-CA™ unique OID is obtained for the Certificate Policy of the form required in ITU-T Recommendation X.509 [3].
In response to ETSI 101 456 sub section 8.3, the Digi-CAST3™ will advise whether your Certificate Policy requires the use of SSCD and the ways in which the specific policy adds to or further constrains the requirements of the qualified certificate policy as defined in ETSI 101 456.
In response to ETSI 101 456 sub section 8.3, the Digi-CAST3™ will ensure you only claim conformance to the standard and the applicable qualified certificate policy by ensuring you adhere to the standard as a whole.
[1] Digi-CA™ complies with this standard by using defined Algorithms and Parameters for Secure Electronic Signatures, that are accepted by this standard, namely:
[1] Because the Digi-CAST3™ Team will help you select the correct Time Stamping [6] Policy and Time Stamping Authority Practice Statements so that they comply with this standard, the subsequent use of the Digi-CA™ [3] in accordance with these documents means that it is compliant with this standard.
Links:
[1] https://www.digi-sign.com/downloads/download.php?id=digi-ca-pdf
[2] https://www.digi-sign.com/repository/certificate+practice+statement
[3] https://www.digi-sign.com/digi-ca
[4] https://www.digi-sign.com/digi-ca/administrator/online+certificate+status+protocol
[5] https://www.digi-sign.com/compliance/introduction
[6] https://www.digi-sign.com/digi-ca/time+stamp