- EN 319 411 - Policy and security requirements for Trust Service Providers issuing certificates
- EN 319 412 - Certificate Profiles
The standards are maintained by the standardization body ETSI and can be downloaded from the ETSI download area.
What new requirements do these standards come with? Looking closely there are only two new things needed to be able to claim "eIDAS compliance":
- A new DN attribute organizationIdentifier
- New fields in the QCStatement certificate extension
Let's dig a little deeper into these two requirements.
OrganizationIdentifier is a DN attribute with OID 126.96.36.199 specified in X.520. This is an attribute that has, to my knowledge, never been in common use in certificates before. Its usage in the eIDAS context is described in the following sections of EN 319 412:
- EN 319 412-1 section 5.1.1 and 5.1.4
- EN 319 412-2 section 188.8.131.52 and 4.2.4
- EN 319 412-3 section 4.2.1
There is already a QCStatement extension in use since long. With the new standards comes a few additions.
The new items in the QCStatement extension are:
- QcType, claiming that the certificate is a EU qualified certificate of a particular type
- PdsLocation, location of PKI Disclosure Statements (PDS)
- EN 319 411-2 section 6.6.1
- EN 319 412-1 section 5.1.1 and 5.1.2
- EN 319 412-2 section 5.1 and 5.2
- EN 319 412-4 section 4.2
- EN 319 412-5, full technical description
With the convenient ability to define custom extensions in the EJBCA GUI (since EJBCA 6.4.0) the new QCStatement extension can be easily added to any certificate profile.
We strive to support all relevant open PKI standards and it is important to keep EJBCA Enterprise up to date with new and emerging standards. Since EJBCA 6.5.2 eIDAS compliance should be easily achieved on the level of PKI.