Index of documents supporting the Grant of Approval to
Trustis’ Certificate Factory service.
| Base Approval Profile | tSd0111 | 3.00 |
| Approval Profile for Certificate Generation | tSd0104 | 3.01 |
| Approval Profile for Certificate Dissemination | tSd0105 | 3.01 |
| Approval Profile for Certificate Status Management | tSd0106 | 3.01 |
What the tScheme Approved Service Mark signifies
When a trust service carries the tScheme Mark, you can be secure in the knowledge that:
For each service, tScheme approval is regularly reviewed and may be withdrawn.
This Grant of Approval does not affirm or endorse any claims of conformance to standards or adherence to guidelines not explicitly listed as forming part of the service assessment.
Approved Service - Service Description
Certificate Factory
Certificate Factory provides the major components of a PKI based digital Certification System. It is designed to allow Certificate Factory customers to specifically select the features of the PKI they wish to outsource. Based on the principle of Flexible PKI it offers the customers the opportunity to achieve a fully bespoke PKI over which they have full control at very low cost.
Once integrated with the customer’s own services, the Certificate Factory becomes part of their PKI, providing certificate services to certificate users and relying parties in a transparent and seamless fashion.
Certificate Factory encompasses the most important security aspects of PKI provision ensuring all the core processes and policies are carefully defined and implemented to prescribed standards of quality and security. Certificate Factory provides Certificate Policies, Certification Practice Statements and all the supporting documentation essential to a properly operated PKI.
The bespoke nature of Certificate Factory allows flexibility in each particular implementation to suit customer requirements; typically the customer will complement Certificate Factory with registration services to provide the levels of authentication it requires.
Trust Service Centre
The Certificate Factory is a component of the Trustis ‘Trust Service Centre’ (TSC) and is housed in the
Armoury, a high security facility on Greenham Common, a former US missile base.
The TSC is operated to very high security standards; security reviews; audits and assessments are conducted on a regular basis to back up our highly controlled technical and security operations. The TSC is also exposed to external audit and assessment. TSC operations are certified compliant with ISO 27001 by an independent accrediting body.
The Structure of Certificate Factory PKI
Those parts of a client’s PKI which demand very high physical and computer system security are hosted and operated
exclusively on behalf of that customer from the TSC.
Some technical components may be deployed to the customer’s operational environment. The Trustis Flexible PKI Model allows allocation of responsibility and functions between a number of business entities, and it is this approach that allows the client considerable control and ownership of the PKI, because they can operate the business processes that support their businesses activity.
At the top of the hierarchy is the Primary Issuing Authority (PIA) or root CA. This is the entity that is the source of the trust that can be placed in the PKI and as such is very strongly protected. This ensures the Trust and assurance of the PKI is wholly under the control of the customer. This protected off-line CA is built within the Trustis secure facility and is managed and controlled under very rigorous policy and procedure. Most of the time the PIA is dormant and its transfer into an active state can only be performed with the concurrence and participation of the client. To enhance security, the PIA is never network accessible. Customers have their own dedicated PIA; this allows total control and ownership of the trust system in its entirety, it is this that allows the PKI to be configured to satisfy the client’s particular requirements.
Certificate Manufacture is done by the Issuing Authority (IA) or operational CA. This entity is housed in the TSC and generates the signed certificates, and creates the certificate status information that is used to verify the validity of an end-entity’s certificate. Again, every client has their own dedicated IA and it is through the IA that the client maintains control; it is this that allows the PKI to issue bespoke certificates bearing the client’s name.
Certificate discovery can be supported in a number of ways, including web sites, X.500 directories or other directory or database systems. The customer may optionally wish to undertake certificate promulgation and other publishing requirements coordinated with their general operations and business processes.
Other components of the client’s PKI are hosted at the client’s site and do not form part of the Certificate Factory offering. The most prominent of these is the Registration Authority (RA), which communicates with the client’s IA to request the signing of end-entity certificates.
Participants in the electronic trust services industry strive: