Managed PKI Security
from BT
Grant of Approval
tScheme Limited grants approval to the electronic trust service identified as:
Managed Public Key Infrastructure (PKI) Security service
as supplied by:
British Telecommunications Plc
of 81 Newgate Street, London EC1A 7AJ.
The management system used to deliver this service is certified by:
LRQA Lloyd's Register Quality Assurance Ltd.
of Trinity Park, 1 Bickenhill Lane, Birmingham B37 7ES
to satisfy the criteria defined in the following tScheme Approval Profiles:
| Title | Identity | Issue |
| --- | --- | --- |
| Base Approval Profile | tSd0111 | 3.02 |
| Approval Profile for Registration Services | tSd0042 | 3.04 |
| Approval Profile for a Certification Authority* | tSd0102 | 3.03 |
| Approval Profile for Signing Key Pair Management | tSd0103 | 3.04 |
| Approval Profile for Certificate Generation* | tSd0104 | 3.03 |
| Approval Profile for Certificate Dissemination | tSd0105 | 3.03 |
| Approval Profile for Certificate Status Management | tSd0106 | 3.03 |
| Approval Profile for Certificate Status Validation | tSd0107 | 3.03 |
*not including Qualified Certificates
This approval initially commenced on:
27th May 2002
and annual renewal against the current issue of these Approval Profiles was confirmed in:
May 2024
Documents supporting this grant are available by clicking on the links in the table above.
This Grant of approval is issued by:
tScheme Limited
Mulberry Grove
PO Box 3653
WOKINGHAM
RG40 9NN
United Kingdom
Company Number 4000985
Approved Service Description
The subject service of this Grant of Approval is the Managed Public Key Infrastructure (PKI) Security service from British Telecommunications Plc.
BT Managed Public Key Infrastructure (PKI) Security is a managed service that provides the technology and processes required to issue digital certificates. The service is suitable for any organisation that needs to issue certificates under the Customer’s own self-signed root and the BT CP/CPS.
Within Managed PKI Security, the Registration Authority (RA) and Certification Authority (CA) functions are separated. The customer organisation performs the RA function and BT performs the CA function.
This arrangement allows the customer RA function to apply validation criteria that are based on its local business knowledge and approve or reject certificate requests using its own business rules. It also allows the organisation to delegate the complex and difficult CA management function to a specialist organisation that has the infrastructure and practices required to protect and manage sensitive CA Keys and PKI records.
Specific CA functions managed by BT are:
- CA Key Generation and Management
- Certificate Status Management and Validation
BT uses its own RA to validate requests for the service, confirming that the applicant company is registered and that the Managed PKI Security Administrator has the organisational authority required to operate the RA and enter into the Managed PKI Security contract on the applicant company’s behalf.
Following acceptance of the request, a new CA Certificate is issued and the CA signing keys are installed at the secure CA facility operated by BT.
The service is built using DigiCert technology and utilises industry-standard protocols to protect order information and to deliver certificates. Employees, or customers, of the subscribing organisation apply for end user certificates from a local web site using their browser. Requests are validated by the local RA, digitally signed and encrypted, and then sent to the CA, where certificates are constructed and signed using the organisation’s CA Digital Certificate.
BT provides the Managed PKI Security customer with certificate status data, either in the form of a Certificate Revocation List or through the use of the Online Certificate Status Protocol (OCSP), to validate certificates within their application(s). BT also provides status information to relying parties.
For further information, please see the Service Policy Disclosure Statement at: https://mpki.bt.com/legal-repository