Trust services training

By #eIdAS, Acreditación, Auditoría, Certificación de auditores EIDAS, Conformity Assessment Body (CAB), eIDAS, EIDAS Auditor certification, Electronic Trust Service Providers, Evaluación de conformidad, Servicios de Confianza Digital No Comments

New dates for training on trust services:

  • Level 1 (2 days): Training for advanced users of electronic trust services (25 and 26 October 2022). Fee: 1.000 € +VAT.
  • Level 2 (2 days): Training for Trusted e-Services providers’ staff (15 and 17 November 2022). Fee: 1.000 € +VAT.
  • Level 3 (2 days): Training for EIDAS Trusted e-Services Auditor candidates (29 November and 1 December 2022). Fee: 2.500 € +VAT. It includes accompaniment as a trainee auditor in 4 EIDAS audits.

Online training, held from 16:00 to 20:00 (Central European Time, UTC + 1h).
On this occasion, a special price has been defined to thank the people who have contacted us, following the announcement we made a few months ago: EIDAS specialist training and auditor certification.

  • Level 1 (2 days). Promotion: 450 € +VAT
  • Level 1 + Level 2 (4 days). Promotion: 1.000 € + VAT
  • Level 1 + Level 2 + Level 3 (6 days). Promotion: 2.500 € + VAT

In addition to the training, it is possible to obtain the associated professional certification by passing a level exam:

  • Professional certification “Trusted e-Services Specialist”. Level 1. Examination fees: 200 € +VAT.
  • Professional certification “Trusted e-Services Company Professional”. Level 2. Examination fees: 400 € +VAT. You must have passed or be pending assessment of the level 1 exam.
  • Professional certification “Evaluator of digital trust services companies”. Level 3. Examination fee: 600 € +VAT. Level 2 exam must be passed or pending evaluation. 4 EIDAS audits must be carried out as “trainee auditor” to become a fully qualified auditor.

Registration Form: Formulario_formacion-EIDAS-TCAB-2022

Download the full brochure: Brochure_training-EIDAS-TCAB-2022

Remote identification component for EIDAS certificate issuance services

By #eIdAS, Auditoría, Certificados cualificados, Conformity Assessment, Electronic Trust Services, EN 319 411-1, EN 319 411-2, Remote identification, SEPBLAC, TS 119 461, Video onboarding No Comments

Identity proofing is not an eIDAS trusted service by itself, but a component of other trusted services. A remote identity proofing service component can be used by many different trust services.

Providers of remote identification services based on video and audio transmission systems from the applicant’s equipment can be audited according to ETSI EN 319 403-1 so that this audit can subsequently be used by a qualified certificate issuing service provider without this part of the service having to be audited again.

The standard used to assess providers of remote identification services is the recently published standard ETSI TS 119 461. This standard has been developed taking into account the following aspects:

  • It is based on ETSI EN 319 401 which contains common requirements for all trust services.
  • It includes specific requirements for the verification of the identity of natural persons.
  1. It compiles best practice requirements on how to use certain means to implement the three tasks of “collection of attributes and electronic evidence”, “verification of electronic attributes and evidence”, and “binding the requested action (e.g. issuing a certificate) to the identity of the applicant”.
  2. It specifies how identity proofing processes can be constructed by combining means to achieve the basic desired outcome of the identity proofing process.
  • It links to the requirements of section 6.2 of EN 319 411-1 and EN 319 411-2 by indicating ways to fulfil these requirements by remote identification.
  • Although it lays down specific requirements for providing qualified trust services, e.g. issuing of qualified certificates of natural persons, the identity verification service is not a qualified service by itself.

The security requirements of ETSI TS 119 461 cover the most common risks, which fall into two main categories:

  • Forged evidence: An applicant falsely claims an identity using forged means of evidence.
  • Impersonation: An applicant uses valid means of evidence associated with another person.

Potential operational risks and social engineering risks are also taken into account.

A new ETSI standard for the JAdES signature

By #eIdAS, Electronic Signatures, JSON Signatures One Comment

ETSI has just unveiled ETSI TS 119 182-1, a specification for JSON Web Electronic Signatures or Seals supported by PKI and public key certificates, which authenticates the origin of transactions, ensuring that they are bound to their originator and that access to sensitive resources can be controlled.

This standard is a major achievement for interoperability of digital signatures for a range of applications in today’s digital economy including the banking and financial world where so far, some 4,000 banks were using various private signing procedures for their APIs to secure their online transactions.

Called JAdES, ETSI TS 119 182-1 comes in support of secure communications fulfilling the requirements of the European Union eIDAS Regulation (No 910/2014) for advanced electronic signatures and seals and regulatory requirements for services such as open banking.

This JAdES digital signature specification is based on JSON Web Signature and contains the features already defined in the related ETSI standards for AdES (advanced electronic signature/seal) applied to other data formats including XML, PDF and binary. The standard was developed with contributions from a number of stakeholders including representatives from the banking sector who, through Open Banking Europe, have brought their operational requirements to align European APIs onto one security model.

Nick Pope, Vice-Chair of the ETSI technical committee on Electronic Signatures and Infrastructures (ESI) comments: “The ETSI JAdES standard builds on ETSI’s decades of experience in defining standards for applying digital signatures to a variety of document formats to provide evidence of their authenticity supported by European Regulations. Working with Open Banking Europe, ETSI has developed a solution which matches the requirements of Open Banking APIs whilst assuring the authenticity of financial transactions.”

ETSI TS 119 182-1 can be used for any transaction between an individual and a company, between two companies, between an individual and a governmental body, etc. applicable to any electronic communications. The technical features of the specification can therefore be applied to the use of PKI based digital signature technology and in both regulated and general commercial environments.

“As PSD2 and open banking move towards Open Finance standard, APIs are essential not just in Europe but globally. Open Banking Europe is proud to be part of the ETSI ongoing standardization work and bring its operational requirements to solve practical problems,” adds John Broxis, Managing Director, Open Banking Europe.

Electronic commerce has emerged as a frequent way of doing business between companies across local, wide area and global networks. Trust in this way of doing business is essential for the success and continued development of electronic commerce. It is therefore important that companies using this electronic means of doing business have suitable security controls and mechanisms in place to protect their transactions and to ensure trust and confidence with their business partners. In this respect digital signatures are an important security component that can be used to protect information, provide trust in electronic business and prevent tampering.

With this new standard ETSI meets the general requirements of the international community to provide trust and confidence in electronic transactions.

Training of EIDAS specialists and certification of auditors

By Certificación de auditores EIDAS, EIDAS Auditor certification, Formación, Training 2 Comments

TCAB (Trust Conformity Assessment Body) is preparing a training event to be held in April 2021, aimed at training specialists in the world of electronic signatures and trust services.

The training will be online and in the afternoons (from 16:00 to 20:00 Spanish time, from 15:00 to 19:00 UTC), to encourage the participation of Latin American students.

It is structured in three levels:

  1. Advanced users of digital trust services (2 days: 12 and 14 April)
  2. Trusted digital service provider (2 days: 19 and 21 April)
  3. Digital Trusted Services Auditor (2 days: 26 and 28 April)

After the complete training, it is possible to opt for an examination that will give access to the professional certification of EIDAS Auditor and subsequently to carry out audits as a junior auditor, in the framework of the conformity assessments developed by TCAB.

There are additional prerequisites to become an auditor, such as holding a security certification (for example CISA, CISM or ISO 27001 auditor).

Prices

  • Level 1 (2 days): 1.000 € +VAT
  • Level 1 + Level 2 (4 days): 2.000 € + VAT
  • Level 1 + Level 2 + Level 3 (6 days): 4.500 € + VAT

The examination fees for professional certification are as follows:

  • Level 1 professional certification “Digital Trust Services Specialist”: 200 € +VAT.
  • Level 2 professional certification “Digital Trust Services Business Professional”: 400 € +VAT. You must have passed or be pending assessment of the level 1 exam.
  • Level 3 professional certification “Digital Trust Services Assessor”: 600 € +VAT. You must have passed or be pending assessment of the level 2 exam.

The tentative agenda is as follows:

Level 1. Training for developers, service companies and public sector employees.

It provides an introduction to electronic identification and signature systems.

The following topics are covered:

  • Concepts of electronic identification
  • Brief history of cryptography
  • Hash Algorithms
  • Symmetric key cryptography and asymmetric key cryptography
  • Elements of Public Key Infrastructures. RA, OCSP, CA, Root, End Entity, CRL, Timestamping, digital custody. Trusted lists
  • Structure of the certificates. Standards X.509, X.520
  • SSL and TLS. OCSP Stapling
  • Authentication through certificates
  • Electronic signature. Types of electronic signatures
  • Qualified certificates
  • Qualified Signature Creation Devices
  • Device drivers. MS-CAPI and PKCS#11 standards
  • Electronic signature regulations. EIDAS Regulations
  • Electronic signature in public administrations and in the field of justice. Considerations on Law 39/2015 and Law 18/2011.
  • Special advanced signatures. Biometric signatures
  • Server configuration for SSL. How to request certificates

Level 2. Training for Trusted Service Provider professionals

It describes the systems used by LDCPs, the documents to be produced, the security measures that apply to Digital Trust Service Providers, and how to prepare for an EIDAS audit.

The following topics are covered:

  • Regulations related to identity management. Regulation 1501/2015 and Regulation 1502/2015
  • General regulations for providers: EN 319 401:
    • Risk assessment,
    • Policies and Practices: Trusted Service Practice Statement, Terms and Conditions, Information Security Policy
    • Management and operation of Trusted Electronic Service Providers: Internal organisation (Reliability of the organisation, Segregation of duties), Human resources, Asset management (General requirements, Media management), Access control, Cryptographic controls, Physical and environmental security, Security of operations, Network security, Incident management, Collection of evidential information, Business continuity management, Termination of activities of Trusted Electronic Service Providers and termination plans, Legal compliance.
  • OID. How to apply for OID. How to design an organized structure of OID to facilitate the management of signature policies
  • Certificate profiles. Policy identification. Required OIDs according to CAB Forum, required OIDs according to ETSI standards. EN 319 412 standards. PSD2 certificates
  • Necessary documentation to be checked when issuing certificates of natural persons, certificates of natural persons representing legal persons, certificates of natural persons employed by public authorities, certificates of legal persons.
  • Tools for parsing and checking the quality of certificates
  • Certificate transparency. Repositories and integration
  • Regulations concerning the issue of certificates: EN 319 411-1. Detailed overview of the content of a Trusted Services Statement of Practice
  • Regulations concerning the issue of qualified certificates within the framework of EIDAS: EN 319 411-2. Detailed tour of the contents of a Statement of Practice for Trusted Services. EIDAS certificates: QCP-n, QCP-l, QCP-n-qscd, QCP-l-qscd, QCP-w.
  • Regulations concerning the issue of qualified time stamps within the framework of EIDAS: EN 319 421 and EN 319 422
  • Regulations concerning the provision of qualified services of electronic notifications and certified electronic mail (Qualified Service of Certified Electronic Delivery) in the framework of EIDAS: EN 319 521 and EN 319 531
  • Qualified service for the validation of qualified electronic signatures and qualified electronic seals within the framework of EIDAS: TS 119 101 and EN 319 102-1
  • Qualified electronic signature and qualified electronic seal storage service within the framework of EIDAS: TS 102 573 and EN 319 102-1
  • Civil liability insurance. Contractual and non-contractual liability.
  • Qualified signature creation devices. Application standards for the evaluation of devices: FIPS-140-2, CWA 14167-1, CWA 14167-2, CWA 14169, CWA 14170, EN 419 241-1, EN 419 241-2, EN 419 221-5.
  • Lists of signature creation devices: NIST, Common Criteria Portal, Article 31 List (Compilation of Member States notification on SSCDs and QSCDs). Special procedures of Art. 30-2-b. Validity of devices prior to EIDAS by art. 51.1
  • Aspects to be taken into account for the issuance of website certificates and signing of executable code in CAB Forum contexts: Baseline Requirements, Extended Validation (EV) Guidelines.
  • Criteria for verification of identity in RA activities according to article 24-1-b and 24-1-d. Video identification criteria published by SEPBLAC in the framework of Law 10/2010.
  • TSL lists (Trusted Lists). Standard TS 119 612. Information reflected in the lists. Checking the validity of qualified certificates issued in the valid phase of providers whose qualification has been withdrawn.
  • Rules for the use of the European Qualification Mark EIDAS

Level 3. Training for Trusted Services Auditors and Conformity Assessors

It describes the conformity assessment framework, the accreditation bodies, the requirements for conformity assessment bodies and the requirements for auditors.

Students who have attended all 3 levels of training will be able to take a professional certification exam that will qualify them as EIDAS auditors in the Trust Conformity Assessment Body Scheme. Students who pass the exam will gain a level of professional qualification to participate as junior auditors in conformity assessment audits and will be eligible to accompany senior auditors in TCAB audits. After participating in 3 audits they will be qualified as a senior auditor.

In the third-level training, teachers will use English and Spanish as vehicular languages throughout the classes.

The following topics are covered:

  • Evolution of the conformity assessment framework for trusted services. Order of 21 February 2000 approving the Regulation on the accreditation of certification service providers and the certification of certain electronic signature products.
  • EIDAS supervision model. List of Member States’ supervisors.
  • EIDAS accreditation model. List of Member States’ accreditation bodies.
  • EIDAS evaluation model. List of evaluation bodies in the Member States.
  • Requirements for CABs to achieve accreditation. EN 319 403, ISO 17065, Criteria and specific accreditation process for the certification of trusted electronic services regulated by Regulation (EU) No 910/2014 (eIDAS) (ENAC RDE-16 Standard)
  • Recommendations for planning an audit: Documentary review phase, face-to-face phase, identification of evidence, information guidelines to be reflected in the Conformity Assessment Report (CAR).
  • Evaluation procedure. Review of the report, approval of the certification.
  • Monitoring of the entities evaluated. Extension of the scope of the evaluation.
  • General requirements for auditors and prior conditions for accreditation. Ethical principles for auditors. Independence and impartiality criteria.
  • Stakeholders and interaction guidelines.
  • Typical course of an audit project.
  • Recommendation for action and approach during audits.
  • Requirements and outline of evaluation reports.
  • CAR model for auditors
  • Conditions for the Issuance of the Certificate. Phases of the certification process.
  • Rules for the use of the European Qualification Mark EIDAS, and other marks associated with the evaluation, ENAC, CAB,…
  • General structure of certification approval. TCAB organization for the approval of certifications. Committee of interested parties.

For more information, call TCAB at +34 91 3880789 or fill in the form.

TCAB (Trust Conformity Assessment Body) is preparing a training event to be held in April 2021, aimed at training specialists in the world of electronic signatures and trust services.

The training will be online and in the afternoons (from 16:00 to 20:00 Spanish time, from 15:00 to 19:00 UTC), to encourage the participation of Latin American students.

It is structured in three levels:

  1. Advanced users of digital trust services (2 days: 12 and 14 April)
  2. Trusted digital service provider (2 days: 19 and 21 April)
  3. Digital Trusted Services Auditor (2 days: 26 and 28 April)

After the complete training, it is possible to opt for an examination that will give access to the professional certification of EIDAS Auditor and subsequently to carry out audits as a junior auditor, in the framework of the conformity assessments developed by TCAB.

There are additional prerequisites to become an auditor such as a security certification, such as CISA, CISM or ISO 27001 auditor.

Prices

  • Level 1 (2 day): 1.000 € +VAT
  • Level 1 + Level 2 (4 days): 2.000 € + VAT
  • Level 1 + Level 2 + Level 3 (6 days): 4.500 € + VAT

The examination fees for professional certification are as follows:

  • Level 1 professional certification “Digital Trust Services Specialist”: 200 € +VAT.
  • Level 2 professional certification “Digital Trust Services Business Professional”: 400 € +VAT. You must have passed or be pending assessment of the level 1 exam.
  • Level 3 professional certification “Digital Trust Services Assessor”: 600 € +VAT. You must have passed or be pending assessment of the level 2 exam.

The tentative agenda is as follows:

Level 1. Training for developers, service companies and public sector employees.

It provides an introduction to electronic identification and signature systems.

The following topics are covered:

  • Concepts of electronic identification
  • Brief history of cryptography
  • Hash Algorithms
  • Symmetric key cryptography and asymmetric key cryptography
  • Elements of Public Key Infrastructures. RA, OCSP, CA, Root, Final Entity, CRL, Timestamping, digital custody. Trusted lists
  • Structure of the certificates. Standards X.509, X.520
  • SSL TSL. OCSP Stapling
  • Authentication through certificates
  • Electronic signature. Types of electronic signatures
  • Qualified certificates
  • Qualified Signature Creation Devices
  • Device drivers. MS-CAPI and PKCS#11 standards
  • Electronic signature regulations. EIDAS Regulations
  • Electronic signature in public administrations and in the field of justice. Considerations on Law 39/2015 and Law 18/2011.
  • Special advanced signatures. Biometric signatures
  • Server configuration for SSL. How to request certificates

Level 2. Training for Trusted Service Provider professionals

It describes the systems used by LDCPs, the documents to be produced and the security measures in the field of Digital Trust Service Providers and how to prepare for an EIDAS audit

The following topics are covered:

  • Regulations related to identity management. Regulation 1501/2015 and Regulation 1502/2015
  • General regulations for providers: EN 319 401:
    • Risk assessment,
    • Policies and Practices: Trusted Service Practice Statement, Terms and Conditions, Information Security Policy
    • Management and operation of Trusted Electronic Service Providers: Internal organisation (Reliability of the organisation, Segregation of duties), Human resources, Asset management (General requirements, Media management), Access control, Cryptographic controls, Physical and environmental security, Security of operations, Network security, Incident management, Collection of evidential information, Business continuity management, Termination of activities of Trusted Electronic Service Providers and termination plans, Legal compliance.
  • OID. How to apply for OID. How to design an organized structure of OID to facilitate the management of signature policies
  • Certificate profiles. Policy identification. Required OIDs according to CAB Forum, required OIDs according to ETSIT standards. EN 319 412 standards. PSD2 certificates
  • Necessary documentation to be checked when issuing certificates of natural persons, certificates of natural persons representing legal persons, certificates of natural persons employed by public authorities, certificates of legal persons.
  • Tools for parsing and checking the quality of certificates
  • Certificate transparency. Repositories and integration
  • Regulations concerning the issue of certificates: EN 319 411-1. Detailed overview of the content of a Trusted Services Statement of Practice
  • Regulations concerning the issue of qualified certificates within the framework of EIDAS: EN 319 411-2. Detailed tour of the contents of a Statement of Practice for Trusted Services. EIDAS certificates: QCP-n, QCP-l, QCP-n-qscd, QCP-l-qscd, QCP-w.
  • Regulations concerning the issue of qualified time stamps within the framework of EIDAS: EN 319 421 and EN 319 422
  • Regulations concerning the provision of qualified services of electronic notifications and certified electronic mail (Qualified Service of Certified Electronic Delivery) in the framework of EIDAS: EN 319 521 and EN 319 531
  • Qualified service for the validation of qualified electronic signatures and qualified electronic seals within the framework of EIDAS: TS 119 101 and EN 319 102-1
  • Qualified electronic signature and qualified electronic seal storage service within the framework of EIDAS: TS 102 573 and EN 319 102-1
  • Civil liability insurance. Contractual and non-contractual liability.
  • Qualified signature creation devices. Application standards for the evaluation of devices: FIPS-140-2, CWA 14167-1, CWA 14167-2, CWA 14169, CWA 14170, EN 419 241-1, EN 419 241-2, EN 419 221-5.
  • Lists of signature creation devices: NIST, Common Criteria Portal, Article 31 List (Compilation of Member States notification on SSCDs and QSCDs). Special procedures of Art. 30-2-b. Validity of devices prior to EIDAS by art. 51.1
  • Aspects to be taken into account for the issuance of website certificates and signing of executable code in CAB Forum contexts: Baseline Requirements, Extended Validation (EV) Guidelines.
  • Criteria for verification of identity in RA activities according to article 24-1-b and 24-1-d Video identification criteria published by SEPBLAC in the framework of Law 10/2010.
  • TSL lists (Trusted Lists). Standard TS 119 612. Information reflected in the lists. Checking the validity of qualified certificates issued in the valid phase of providers whose qualification has been withdrawn.
  • Rules for the use of the European Qualification Mark EIDAS

Level 3. Training for Trusted Services Auditors and Conformity Assessors

It describes the conformity assessment framework, the accreditation bodies, the requirements for conformity assessment bodies and the requirements for auditors.

Students who have attended all 3 levels of training will be able to take a professional certification exam that will qualify them as EIDAS auditors in the Trust Conformity Assessment Body Scheme. Students who pass the exam will gain a level of professional qualification to participate as junior auditors in conformity assessment audits and will be eligible to accompany senior auditors in TCAB audits. After participating in 3 audits they will be qualified as a senior auditor.

In the training the third level  teachers will use English and Spanish as vehicle languages throughout the classes.

The following topics are covered:

  • Evolution of the conformity assessment framework for trusted services. Order of 21 February 2000 approving the Regulation on the accreditation of certification service providers and the certification of certain electronic signature products.
  • EIDAS supervision model. List of Member States’ supervisors.
  • EIDAS accreditation model. List of Member States’ accreditation bodies.
  • EIDAS evaluation model. List of evaluation bodies in the Member States.
  • Requirements for BACs to achieve accreditation. EN 319 403, ISO 17065, Criteria and specific accreditation process for the certification of trusted electronic services regulated by Regulation (EU) No 910/2014 (eIDAS) (ENAC RDE-16 Standard)
  • Recommendations for planning an audit: Documentary review phase, face-to-face phase, identification of evidence, information guidelines to be reflected in the Conformity Assessment Report (CAR).
  • Evaluation procedure. Review of the report, approval of the certification.
  • Monitoring of the entities evaluated. Extension of the scope of the evaluation.
  • General requirements for auditors and prior conditions for accreditation. Ethical principles for auditors. Independence and impartiality criteria.
  • Stakeholders and interaction guidelines.
  • Typical course of an audit project.
  • Recommendation for action and approach during audits.
  • Requirements and outline of evaluation reports.
  • CAR model for auditors
  • Conditions for the Issuance of the Certificate. Phases of the certification process.
  • Rules for the use of the European Qualification Mark EIDAS, and other marks associated with the evaluation, ENAC, CAB,…
  • General structure of certification approval. TCAB organization for the approval of certifications. Committee of interested parties.

For more information call TCAB at +34 91 3880789 or fill the form

TCAB (Trust Conformity Assessment Body) is preparing a training event to be held in April 2021, aimed at training specialists in the world of electronic signatures and trust services.

The training will be online and in the afternoons (from 16:00 to 20:00 Spanish time, from 15:00 to 19:00 UTC), to encourage the participation of Latin American students.

It is structured in three levels:

  1. Advanced users of digital trust services (2 days: 12 and 14 April)
  2. Trusted digital service provider (2 days: 19 and 21 April)
  3. Digital Trusted Services Auditor (2 days: 26 and 28 April)

After the complete training, it is possible to opt for an examination that will give access to the professional certification of EIDAS Auditor and subsequently to carry out audits as a junior auditor, in the framework of the conformity assessments developed by TCAB.

There are additional prerequisites to become an auditor such as a security certification, such as CISA, CISM or ISO 27001 auditor.

Prices

  • Level 1 (2 day): 1.000 € +VAT
  • Level 1 + Level 2 (4 days): 2.000 € + VAT
  • Level 1 + Level 2 + Level 3 (6 days): 4.500 € + VAT

The examination fees for professional certification are as follows:

  • Level 1 professional certification “Digital Trust Services Specialist”: 200 € +VAT.
  • Level 2 professional certification “Digital Trust Services Business Professional”: 400 € +VAT. You must have passed or be pending assessment of the level 1 exam.
  • Level 3 professional certification “Digital Trust Services Assessor”: 600 € +VAT. You must have passed or be pending assessment of the level 2 exam.

The tentative agenda is as follows:

Level 1. Training for developers, service companies and public sector employees.

It provides an introduction to electronic identification and signature systems.

The following topics are covered:

  • Concepts of electronic identification
  • Brief history of cryptography
  • Hash Algorithms
  • Symmetric key cryptography and asymmetric key cryptography
  • Elements of Public Key Infrastructures. RA, OCSP, CA, Root, Final Entity, CRL, Timestamping, digital custody. Trusted lists
  • Structure of the certificates. Standards X.509, X.520
  • SSL TSL. OCSP Stapling
  • Authentication through certificates
  • Electronic signature. Types of electronic signatures
  • Qualified certificates
  • Qualified Signature Creation Devices
  • Device drivers. MS-CAPI and PKCS#11 standards
  • Electronic signature regulations. EIDAS Regulations
  • Electronic signature in public administrations and in the field of justice. Considerations on Law 39/2015 and Law 18/2011.
  • Special advanced signatures. Biometric signatures
  • Server configuration for SSL. How to request certificates

Level 2. Training for Trusted Service Provider professionals

It describes the systems used by LDCPs, the documents to be produced and the security measures in the field of Digital Trust Service Providers and how to prepare for an EIDAS audit

The following topics are covered:

  • Regulations related to identity management. Regulation 1501/2015 and Regulation 1502/2015
  • General regulations for providers: EN 319 401:
    • Risk assessment,
    • Policies and Practices: Trusted Service Practice Statement, Terms and Conditions, Information Security Policy
    • Management and operation of Trusted Electronic Service Providers: Internal organisation (Reliability of the organisation, Segregation of duties), Human resources, Asset management (General requirements, Media management), Access control, Cryptographic controls, Physical and environmental security, Security of operations, Network security, Incident management, Collection of evidential information, Business continuity management, Termination of activities of Trusted Electronic Service Providers and termination plans, Legal compliance.
  • OID. How to apply for OID. How to design an organized structure of OID to facilitate the management of signature policies
  • Certificate profiles. Policy identification. Required OIDs according to CAB Forum, required OIDs according to ETSIT standards. EN 319 412 standards. PSD2 certificates
  • Necessary documentation to be checked when issuing certificates of natural persons, certificates of natural persons representing legal persons, certificates of natural persons employed by public authorities, certificates of legal persons.
  • Tools for parsing and checking the quality of certificates
  • Certificate transparency. Repositories and integration
  • Regulations concerning the issue of certificates: EN 319 411-1. Detailed overview of the content of a Trusted Services Statement of Practice
  • Regulations concerning the issue of qualified certificates within the framework of EIDAS: EN 319 411-2. Detailed tour of the contents of a Statement of Practice for Trusted Services. EIDAS certificates: QCP-n, QCP-l, QCP-n-qscd, QCP-l-qscd, QCP-w.
  • Regulations concerning the issue of qualified time stamps within the framework of EIDAS: EN 319 421 and EN 319 422
  • Regulations concerning the provision of qualified services of electronic notifications and certified electronic mail (Qualified Service of Certified Electronic Delivery) in the framework of EIDAS: EN 319 521 and EN 319 531
  • Qualified service for the validation of qualified electronic signatures and qualified electronic seals within the framework of EIDAS: TS 119 101 and EN 319 102-1
  • Qualified electronic signature and qualified electronic seal storage service within the framework of EIDAS: TS 102 573 and EN 319 102-1
  • Civil liability insurance. Contractual and non-contractual liability.
  • Qualified signature creation devices. Application standards for the evaluation of devices: FIPS-140-2, CWA 14167-1, CWA 14167-2, CWA 14169, CWA 14170, EN 419 241-1, EN 419 241-2, EN 419 221-5.
  • Lists of signature creation devices: NIST, Common Criteria Portal, Article 31 List (Compilation of Member States notification on SSCDs and QSCDs). Special procedures of Art. 30-2-b. Validity of devices prior to EIDAS by art. 51.1
  • Aspects to be taken into account for the issuance of website certificates and signing of executable code in CAB Forum contexts: Baseline Requirements, Extended Validation (EV) Guidelines.
  • Criteria for verification of identity in RA activities according to article 24-1-b and 24-1-d. Video identification criteria published by SEPBLAC in the framework of Law 10/2010.
  • TSL lists (Trusted Lists). Standard TS 119 612. Information reflected in the lists. Checking the validity of qualified certificates issued in the valid phase of providers whose qualification has been withdrawn.
  • Rules for the use of the European Qualification Mark EIDAS

Level 3. Training for Trusted Services Auditors and Conformity Assessors

It describes the conformity assessment framework, the accreditation bodies, the requirements for conformity assessment bodies and the requirements for auditors.

Students who have attended all 3 levels of training will be able to take a professional certification exam that will qualify them as EIDAS auditors in the Trust Conformity Assessment Body Scheme. Students who pass the exam will gain a level of professional qualification to participate as junior auditors in conformity assessment audits and will be eligible to accompany senior auditors in TCAB audits. After participating in 3 audits they will be qualified as a senior auditor.

In the third-level training, teachers will use English and Spanish as vehicular languages throughout the classes.

The following topics are covered:

  • Evolution of the conformity assessment framework for trusted services. Order of 21 February 2000 approving the Regulation on the accreditation of certification service providers and the certification of certain electronic signature products.
  • EIDAS supervision model. List of Member States’ supervisors.
  • EIDAS accreditation model. List of Member States’ accreditation bodies.
  • EIDAS evaluation model. List of evaluation bodies in the Member States.
  • Requirements for CABs to achieve accreditation. EN 319 403, ISO 17065, Criteria and specific accreditation process for the certification of trusted electronic services regulated by Regulation (EU) No 910/2014 (eIDAS) (ENAC RDE-16 Standard)
  • Recommendations for planning an audit: Documentary review phase, face-to-face phase, identification of evidence, information guidelines to be reflected in the Conformity Assessment Report (CAR).
  • Evaluation procedure. Review of the report, approval of the certification.
  • Monitoring of the entities evaluated. Extension of the scope of the evaluation.
  • General requirements for auditors and prior conditions for accreditation. Ethical principles for auditors. Independence and impartiality criteria.
  • Stakeholders and interaction guidelines.
  • Typical course of an audit project.
  • Recommendation for action and approach during audits.
  • Requirements and outline of evaluation reports.
  • CAR model for auditors
  • Conditions for the Issuance of the Certificate. Phases of the certification process.
  • Rules for the use of the European Qualification Mark EIDAS, and other marks associated with the evaluation, ENAC, CAB,…
  • General structure of certification approval. TCAB organization for the approval of certifications. Committee of interested parties.

For more information, call TCAB at +34 91 3880789 or fill in the form.