Index of documents supporting the Grant of Approval to BT Global Services’ Managed PKI Service.

1. What the tScheme Approved Service Mark signifies.
2. Approved Service - Service Description
3. Approval Profiles used in the assessment:
   

   Base Approval Profile	tSd0111	3.00
   Approval Profile for Registration Services	tSd0042	3.02
   Approval Profile for a Certification Authority	tSd0102	3.01
   Approval Profile for Signing Key Pair Management	tSd0103	3.02
   Approval Profile for Certificate Generation	tSd0104	3.01
   Approval Profile for Certificate Dissemination	tSd0105	3.01
   Approval Profile for Certificate Status Management	tSd0106	3.01
   Approval Profile for Certificate Status Validation	tSd0107	3.01

Back to Grant details

What the tScheme Approved Service Mark signifies

When a trust service carries the tScheme Mark, you can be secure in the knowledge that:

• the service has been thoroughly evaluated against rigorous criteria by independent experts;
  
  
• the service provider has agreed to keep to these criteria;
  
  
• the service provider subscribes to the tScheme Code of Conduct;
  
  
• the service provider has agreed to act promptly and fairly to remedy faults.
  
  

For each service, tScheme approval is regularly reviewed and may be withdrawn.

This Grant of Approval does not affirm or endorse any claims of conformance to standards or adherence to guidelines not explicitly listed as forming part of the service assessment.

top

Approved Service - Service Description

The subject service of this Grant of Approval is the Managed PKI Service from BT Trust Services.

Managed PKI is a managed service that provides the technology and processes required to issue digital certificates. The service is suitable for any organisation that needs to issue certificates - these can be issued under either the VeriSign Trust Network (VTN) public hierarchy or the Customer’s own self-signed root.

Within Managed PKI, the Registration Authority (RA) and Certification Authority (CA) functions are separated. The customer organisation performs the RA function and BT performs the CA function.

This arrangement allows the customer RA function to apply validation criteria that are based on its local business knowledge and approve or reject certificate requests using its own business rules. It also allows the organisation to delegate the complex and difficult CA management function to a specialist organisation that has the infrastructure and practices required to protect and manage sensitive CA Keys and PKI records. Specific CA functions managed by BT are:

• CA Key Generation and Management
• Certificate Status Management and Validation

These functions can generate qualified certificates¹ for customers, who operate their RA function in compliance with the requirements defined in Directive 1999/93/EC of the European Parliament and of the Council of 13 December 1999 on a Community framework for electronic signatures.

BT uses its own RA to validate requests for the service², confirming that the applicant company is registered and that the Managed PKI Administrator has the organisational authority required to operate the RA and enter into the Managed PKI contract on the applicant company’s behalf.

Following acceptance of the request a new CA Certificate is issued and the CA signing keys installed at the secure CA facility operated by BT.

The service is built using VeriSign technology and utilises industry standard protocols to protect order information and to deliver certificates. Employees, or customers, of the subscribing organisation apply for end user certificates from a local web site using their browser. Requests are validated by the local RA, digitally signed & encrypted and then sent to the CA, where certificates are constructed and signed using the organisations CA Digital Certificate.

BT provides the Managed PKI customer with certificate status data, either in the form of a Certificate Revocation List or through the use of the Online Certificate Status Protocol (OCSP), to validate certificates within their application(s). (Note that OCSP is only available to Managed PKI & Managed PKI Single Application customers). BT also provides status information to relying parties.

The Managed PKI product has the following service options:

• Managed PKI - the complete security service for multiple applications and 1000+ users.
• Managed PKI Single Application - like Managed PKI but for use with a single application and 250+ users.
• Managed PKI Lite - an entry level service designed for small numbers of users with a manual registration process - does not include the advanced automation facilities provided by the other Managed PKI services. Scalable between 25 and 1000 users.
• Managed PKI IPSec-based VPNs - allows a company to extend their local network to connect offices, remote users, partners and customers via the Internet in a secure environment. Note: This is available for all Managed PKI services.

For further information, please see the Service Policy Disclosure Statement located at: http://www.trustwise.com/repository/PDF/Service_Policy_Disclosure_OnSite.doc

¹Meeting the requirements defined in Directive 1999/93/EC of the European Parliament and of the Council of 13 December 1999 on a Community framework for electronic signatures.

²How a customer initiates use of, and continues to use the Service is described on the BT Trust Services web site (http://www.btglobalservices.com/en/products/trustservices/products/mpki/managed_pki.html).

top

The tScheme Code of Conduct

Participants in the electronic trust services industry strive:

• to act in an honest, fair, reasonable and trustworthy manner;
  
  
• not to bring electronic trust services into disrepute;
  
  
• to provide clear information about what each electronic trust service provides, including limitations and exclusions, to those who rely on that service;
  
  
• to meet service commitments and obligations;
  
  
• to be proactive in identifying and correcting faults and deficiencies in electronic trust services;
  
  
• to operate in accordance with appropriate standards;
  
  
• to act promptly in resolving complaints relating to electronic trust services.

top