
In order to validate if a trust service is qualified, one should search for the public key in a member state trusted list (TL).

In order to validate if a member state TL is authentic, one should search for the public key that signed the member state TL in the EU List of Trusted Lists.

What is the process to verify that the EU List of Trusted Lists is authentic?

In its current version (sequence number 208) it is signed by a public key issued to Maarten Joris Ottoy by Luxtrust. How should one verify that Mr Joris has the authorization to sign the List of Trusted Lists?

Victor

2 Answers


The authenticity and integrity of the machine processable version of the LOTL is ensured through a digital signature supported by a certificate which can be authenticated through a publication in the Official Journal of the European Union (OJEU). Since end June 2016, the LOTL signing certificates and the location of the LOTL XML file are contained in the LOTL itself, as detailed in the EU OJ publication OJ C 233. This enables relying parties to detect in a machine processable way a change in the LOTL signing certificates and/or in its location. Any such future change will be reflected in the publication of a new instance of the LOTL which will include a new URL and/or a modified set of digital certificates for relying parties to use when authenticating the LOTL. Starting at the date of issuance of the LOTL in which this new information is first published, the new URL and/or a modified set of digital certificates can be used by relying parties to locate and authenticate the LOTL in replacement of the formerly issued information. It is however always possible for the European Commission to publish a new publication in the OJEU, for instance as a temporary response to an emergency situation requiring the immediate replacement of all the digital certificates of the LOTL.

The source is the ETSI work document: "Electronic Signatures and Infrastructures (ESI); Signature policies; Part 4: Signature validation policy for European qualified electronic signatures/seals using trusted lists"

FaST4

A high-level process for authenticating and trusting a Member State Trusted List (TL) is defined in Annex A of ETSI TS 119 612 v2.1.1 (this standard is prescribed in eIDAS via CID 2015-1505).

The source of trust of the TLs is the EU List of the Trusted Lists (LOTL). And the source of trust for the LOTL is the Official Journal of the European Union (OJEU). Initially, signing certificates of the LOTL are defined in https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=uriserv:OJ.C_.2016.233.01.0001.01.ENG.

Further signing certificates of the LOTL are defined in the LOTL itself, in LOTL publications named "pivot LOTLs". All pivot LOTLs are present in the SchemeInformationURI of the current LOTL. Currently, these pivot LOTLs are:

In these pivot LOTLs, the signing certificates (i.e. ServiceDigitalIdentity) of the LOTL are defined in the OtherTSLPointer for which the SchemeTerritory is EU (i.e. the pointer to the LOTL).

Therefore, when trusting the signing certificates first defined in the OJEU, you will be able to trust the signature on pivot LOTL 172. Then, when trusting the signing certificates defined in pivot LOTL 172, you will be able to trust the signature on pivot LOTL 191. The same holds for the signing certificates defined in LOTL 191, which let you trust the signature on pivot LOTL 226. Finally, with the signing certificates defined in LOTL 226, you will trust the signature on the current LOTL (i.e. https://ec.europa.eu/information_society/policy/esignature/trusted-list/tl-mp.xml).

This "pivot LOTL" mechanism is introduced in the above OJEU publication (where compiled list = LOTL):

Any future change in the ‘secure pointer to the compiled list’ shall likewise be reflected in the publication of a new instance of the ‘compiled list’ which will include a new URL or a modified set of digital certificates for relying parties to use when authenticating the ‘compiled list’

Scxl3
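The pivot-LOTL chain of trust described in this answer, written out as an added example; it is not part of the original post nor code from ETSI, the Commission or the DSS library. It assumes that pivot URIs in SchemeInformationURI carry the sequence number as `pivot-<n>`, that the constructed documents below stand in for the real LOTL and pivot files (the certificate values are placeholder bytes, not real DER, and `lotl.example` is a made-up host), and that the XMLDSig/XAdES signature value itself is checked by a separate signature library; what is implemented here is the trust-anchor bookkeeping, i.e. that each link must be signed by a certificate the previous link declared in the EU OtherTSLPointer.

```python
import base64, re, xml.etree.ElementTree as ET
NS = {"tsl": "http://uri.etsi.org/02231/v2#", "ds": "http://www.w3.org/2000/09/xmldsig#"}

def pivot_uris(root):
    """Pivot LOTL URIs from SchemeInformationURI, oldest first (assumption: 'pivot-<seq>' appears in each URI)."""
    uris = root.findall("tsl:SchemeInformation/tsl:SchemeInformationURI/tsl:URI", NS)
    found = [(int(m.group(1)), u.text) for u in uris if (m := re.search(r"pivot-(\d+)", u.text or ""))]
    return [u for _, u in sorted(found)]

def lotl_signing_certs(root):
    """Certificates declared in the OtherTSLPointer whose SchemeTerritory is EU (the pointer to the LOTL itself)."""
    certs = set()
    for ptr in root.findall("tsl:SchemeInformation/tsl:PointersToOtherTSL/tsl:OtherTSLPointer", NS):
        if ptr.findtext("tsl:AdditionalInformation/tsl:OtherInformation/tsl:SchemeTerritory", namespaces=NS) == "EU":
            certs.update(base64.b64decode(c.text) for c in ptr.iterfind(
                "tsl:ServiceDigitalIdentities/tsl:ServiceDigitalIdentity/tsl:DigitalId/tsl:X509Certificate", NS))
    return certs

def anchor_check(root, trusted):
    """Trust-anchor step only: the ds:KeyInfo certificate must already be trusted; verifying the signature value is left to an XMLDSig/XAdES library."""
    cert = root.findtext("ds:Signature/ds:KeyInfo/ds:X509Data/ds:X509Certificate", namespaces=NS)
    return cert is not None and base64.b64decode(cert) in trusted

def walk_chain(current_xml, fetch, ojeu_certs, check=anchor_check):
    """OJEU certificates -> oldest pivot -> ... -> newest pivot -> current LOTL; returns the set that authenticated the current LOTL."""
    current, trusted = ET.fromstring(current_xml), set(ojeu_certs)
    for uri in pivot_uris(current):
        pivot = ET.fromstring(fetch(uri))
        if not check(pivot, trusted):
            raise ValueError(f"{uri}: signed by a certificate not declared by the previous link")
        trusted = lotl_signing_certs(pivot)  # the verified pivot becomes the anchor for the next link
    if not check(current, trusted):
        raise ValueError("current LOTL: signed by a certificate not declared by the newest pivot")
    return trusted

# Constructed sample documents: placeholder certificate bytes (not real DER) and a made-up host.
def make_tsl(signer, declared, pivots=()):
    b64 = lambda b: base64.b64encode(b).decode()
    uris = "".join(f"<tsl:URI>https://lotl.example/eu-lotl-pivot-{p}.xml</tsl:URI>" for p in pivots)
    ids = "".join(f"<tsl:DigitalId><tsl:X509Certificate>{b64(c)}</tsl:X509Certificate></tsl:DigitalId>" for c in declared)
    return (f'<tsl:TrustServiceStatusList xmlns:tsl="{NS["tsl"]}" xmlns:ds="{NS["ds"]}"><tsl:SchemeInformation>'
            f"<tsl:SchemeInformationURI>{uris}</tsl:SchemeInformationURI><tsl:PointersToOtherTSL><tsl:OtherTSLPointer>"
            f"<tsl:ServiceDigitalIdentities><tsl:ServiceDigitalIdentity>{ids}</tsl:ServiceDigitalIdentity></tsl:ServiceDigitalIdentities>"
            "<tsl:AdditionalInformation><tsl:OtherInformation><tsl:SchemeTerritory>EU</tsl:SchemeTerritory></tsl:OtherInformation>"
            "</tsl:AdditionalInformation></tsl:OtherTSLPointer></tsl:PointersToOtherTSL></tsl:SchemeInformation><ds:Signature>"
            f"<ds:KeyInfo><ds:X509Data><ds:X509Certificate>{b64(signer)}</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature>"
            "</tsl:TrustServiceStatusList>")

OJEU_CERTS = {b"cert-ojeu-2016"}  # stands in for the certificates published in OJ C 233 (2016)
PIVOTS = {f"https://lotl.example/eu-lotl-pivot-{s}.xml": make_tsl(signer, declared) for s, signer, declared in
          [(172, b"cert-ojeu-2016", [b"cert-2017"]), (191, b"cert-2017", [b"cert-2018"]), (226, b"cert-2018", [b"cert-2019a", b"cert-2019b"])]}
CURRENT_LOTL = make_tsl(b"cert-2019a", [b"cert-2019a", b"cert-2019b"], pivots=(226, 191, 172))
```

`walk_chain(CURRENT_LOTL, PIVOTS.__getitem__, OJEU_CERTS)` returns the two certificates declared by pivot 226; a LOTL or pivot signed with a certificate the previous link never declared raises `ValueError`.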