Commit 8cc81126 authored by Sammy Haddad

Update file EN-304-624.md

parent 8673c38c
+28 −38
@@ -408,11 +408,12 @@ PKI products users' roles and responsibilities can be:

PKIs can take many forms and this standard doesn't aim to cover all possible PKI's service implementations and the associated PKI product required for these implementations. The uses cases concidered are:

- Private PKI for none critical sectors small or medium enterprise as defined by NIS2 directive
- Private PKI for large enterprise or critical sectors enterprise as defined by NIS2 directive
- Open or public PKI for Certficate Authorities (CA) 
- C-ITS PKI
- Machine to machine 
- UC1: Private PKI for none critical sectors small or medium enterprise
- UC2: Private PKI for large enterprise or critical sectors enterprise as defined by NIS2 directive
- UC3: Open or public PKI for Certficate Authorities (CA) 
- UC4: C-ITS PKI
- UC5: Machine to machine 


Security Profiles are defined for those specific use cases. Those profiles are the combination of the security and assessment requirements applicable to each use cases. In section 5 requirements are associated to an applicability conditions which depends on the use cases risks analysis as defined in Annex C.
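Review bot: the new UC1 line drops the qualifier "as defined by NIS2 directive" that the removed line carried, while UC2 keeps it; since the small/medium versus large/critical distinction comes from NIS2 in both cases, either restore it on UC1 ("UC1: Private PKI for non-critical sectors small or medium enterprise as defined by NIS2 directive") or drop it from both. While these lines are being rewritten, fix the typos carried over from the removed lines: "none critical" should read "non-critical", "Certficate" should read "Certificate", and "concidered" in the context sentence above should read "considered"; the UC3 and UC5 lines also keep trailing whitespace.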

@@ -1137,7 +1138,7 @@ certificate shall contain a critical subjectAltName extension;

- REFERENCE: REQ-5.3-03
  - REQUIREMENT: The PKI shall implement a certificate profile and shall ensure that issued certificates are consistent with that profile.
  - RATIONALE: Only valid certifcates as defined by the PKI servide provider policies shall be generated by the PKI. This covers threats: T.AuthorizationValidationProcessTampering
  - RATIONALE: Only valid certifcates as defined by the PKI servide provider policies shall be generated by the PKI. This covers threats: T_GEN01 to T_GEN08 T.AuthorizationValidationProcessTampering, T.RegistrationTampering.

  - APPLICABILITY: All use cases where the PKI has a certificate generation service.
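Review bot: the rewritten RATIONALE runs the threat range straight into the named threat with no separator ("T_GEN01 to T_GEN08 T.AuthorizationValidationProcessTampering"); add a comma or "and" so the list reads as three items. The spelling errors "certifcates" and "servide" are carried over from the removed line and should be corrected here since the line is being replaced anyway. This same sentence is pasted into the other REQ-5.3 rationales in this commit, so fix it once and keep the copies identical.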

@@ -1178,7 +1179,7 @@ certificate shall contain a critical subjectAltName extension;

    c) certificatePolicies.

  - RATIONALE:
  - RATIONALE: Only valid certifcates as defined by the PKI servide provider policies shall be generated by the PKI. This covers threats: T_GEN01 to T_GEN08 T.AuthorizationValidationProcessTampering, T.RegistrationTampering.

  - APPLICABILITY: All use cases where the PKI has a certificate generation service, issuing public-key certificates.
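Review bot: the RATIONALE added here is the generic profile-consistency sentence copied from REQ-5.3-03 and does not explain why the Administrator must specify acceptable value sets for the listed fields (ending with "c) certificatePolicies."); a sentence tying the requirement to its purpose, for instance that constraining these fields keeps issuance within the policy the Administrator has approved, would make it specific to this requirement. It also inherits the copied text's defects: "certifcates", "servide", and the missing separator between "T_GEN08" and "T.AuthorizationValidationProcessTampering".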

@@ -1189,7 +1190,7 @@ certificate shall contain a critical subjectAltName extension;

    b) keyEncipherment, dataEncipherment, keyAgreement.

  - RATIONALE: The same public key may not be used for signature verification, and encryption or key agreement.
  - RATIONALE: The same public key may not be used for signature verification, and encryption or key agreement. Only valid certifcates as defined by the PKI servide provider policies shall be generated by the PKI. This covers threats: T_GEN01 to T_GEN08 T.AuthorizationValidationProcessTampering, T.RegistrationTampering.

  - APPLICABILITY: All use cases where the PKI has a certificate generation service, issuing public-key certificates.
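Review bot: "may not be used" in the retained first sentence of the RATIONALE is ambiguous between a prohibition and a statement of possibility; for the key-usage separation between signature verification and encryption or key agreement the rationale should say "shall not be used" (or "must not be used"). The appended generic sentence repeats the "certifcates" and "servide" typos and the missing separator before "T.AuthorizationValidationProcessTampering" seen in the earlier hunks.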

@@ -1198,9 +1199,7 @@ certificate shall contain a critical subjectAltName extension;
corresponds to the public key in the certificate request before issuing a certificate, unless the public/private key pair
was generated by the PKI and never left the certificate issuance service.
  - RATIONALE: A subject bringing forth his own public key should prove ownership of the public key.
The PKI may generate a key pair and associated public key, and later communicate the private key to the correct subject in a secure manner.
This may notably be done for other components of the PKI itself needing public-key certificates.
The same private key should not be owned by distinct subjects, including other services of the PKI; if the private key was generated by the PKI but already provided to the subject once, the subject can and should prove its ownership.
The PKI may generate a key pair and associated public key, and later communicate the private key to the correct subject in a secure manner. This may notably be done for other components of the PKI itself needing public-key certificates. The same private key should not be owned by distinct subjects, including other services of the PKI; if the private key was generated by the PKI but already provided to the subject once, the subject can and should prove its ownership. This covers threats: T_GEN01 to T_GEN08 T.AuthorizationValidationProcessTampering, T.RegistrationTampering.

  - APPLICABILITY: All use cases where the PKI has a certificate generation service, issuing public-key certificates.
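Review bot: this hunk mixes a content change (appending the threat list) with a reflow of three wrapped lines into one, which hides what actually changed in the rationale; keep the original line breaks and append only the threat sentence, or do the reflow in a separate commit. The appended sentence again lacks a separator between "T_GEN08" and "T.AuthorizationValidationProcessTampering". In the retained context, "A subject bringing forth his own public key" should read "its own public key", since the subjects discussed include PKI components, as the next sentence states.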

@@ -1213,15 +1212,13 @@ The same private key should not be owned by distinct subjects, including other s

    b) OCSP responses to OCSP requests as defined by and subject to the requirements of [RFC 6960].

  - RATIONALE:

  - APPLICABILITY: Where the PKI has a certificate status service.
  - RATIONALE: The PKI shall provide accurate and integrity protected certificates statues either using the standardised CRL format ensuring integrity of revocation list or protected OCSP services as defined by [RFC 6960]. This covers threats T_REV01 to T_REV03 and T_STA01 to T_STA02.
  - APPLICABILITY: UC1, UC2 and UC3.

- REFERENCE: REQ-5.4-02
  - REQUIREMENT: The PKI shall implement a CRL profile and shall ensure that issued CRls are consistent with that profile.
  - RATIONALE:

  - APPLICABILITY: Where the PKI has a certificate status service, issuing CRLs.
  - RATIONALE:  The PKI shall provide accurate and integrity protected certificates statues using the standardised CRL format ensuring integrity of revocation list and conformity to the PKI service provider chosen policies. This covers threats T_REV01 to T_REV03 and T_STA01 to T_STA02.
  - APPLICABILITY: Where the PKI has a certificate status service, issuing CRLs: UC1 and UC2.

- REFERENCE: REQ-5.4-03
  - REQUIREMENT: The PKI shall require the Administrator to specify the set of acceptable values for the following fields and extensions:
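Review bot: the new APPLICABILITY for REQ-5.4-01 ("UC1, UC2 and UC3") drops the condition "Where the PKI has a certificate status service" rather than combining the two as the REQ-5.4-02 line does ("Where the PKI has a certificate status service, issuing CRLs: UC1 and UC2"); use the same form for both so the conditional part is not lost. Note also that REQ-5.4-01 now applies to UC3 while the CRL profile requirement REQ-5.4-02 (and the OCSP profile requirements in the next hunk) apply only to UC1 and UC2, which leaves UC3 with a status-service obligation but no profile requirement; confirm that this is intended. Spelling in the added rationale lines: "statues" should read "statuses" (twice), "CRls" in the retained requirement should read "CRLs", and there is a double space after "RATIONALE:" on the REQ-5.4-02 line.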
@@ -1232,43 +1229,33 @@ The same private key should not be owned by distinct subjects, including other s

    c) nextUpdate.

  - RATIONALE:
  - RATIONALE:The PKI shall provide accurate and integrity protected certificates statues using the standardised CRL format ensuring integrity of revocation list and conformity to the PKI service provider chosen policies. This covers threats T_REV01 to T_REV03 and T_STA01 to T_STA02.
  - APPLICABILITY: Where the PKI has a certificate status service, issuing CRLs: UC1 and UC2.
  - NOTE: The issuerAltName may be absent from the profile if issued certificates do not use it.
  - EXAMPLES:
  - APPLICABILITY: Where the PKI has a certificate status service, issuing CRLs.


- REFERENCE: REQ-5.4-04
  - REQUIREMENT: The PKI shall implement an OCSP response profile and shall ensure that issued OCSP responses are consistent with that profile.
  - RATIONALE:

  - RATIONALE: he PKI shall provide accurate certificates statusas defined by the service provider chosen policies. This covers threats T_REV01 to T_REV03 and T_STA01 to T_STA02.
  - APPLICABILITY: Where the PKI has a certificate status service, issuing CRLs: UC1 and UC2.
  - APPLICABILITY: Where the PKI has a certificate status service, issuing OCSP responses.

- REFERENCE: REQ-5.4-05
  - REQUIREMENT: The PKI shall require the Administrator to specify the set of acceptable values for the responseType field.
  - RATIONALE:

  - APPLICABILITY: Where the PKI has a certificate status service, issuing OCSP responses, not restricted to the basic response type.
  - RATIONALE: he PKI shall provide accurate certificates statusas defined by the service provider chosen policies. This covers threats T_REV01 to T_REV03 and T_STA01 to T_STA02.
  - APPLICABILITY: Where the PKI has a certificate status service, issuing OCSP responses, not restricted to the basic response type: UC1 and UC2.

- REFERENCE: REQ-5.4-06
  - REQUIREMENT: The PKI shall require the Administrator to specify the set of acceptable values for the responderID field.
  - RATIONALE:
  - RATIONALE: The PKI shall provide accurate certificates statusas defined by the service provider chosen policies. This covers threats T_REV01 to T_REV03 and T_STA01 to T_STA02.
  - APPLICABILITY: Where the PKI has a certificate status service, issuing OCSP responses of the basic response type: UC1 and UC2.
  - NOTE: An OCSP responder is required to be capable to emit OCSP responses of the basic type by [RFC 6960].
  - EXAMPLES:
  - APPLICABILITY: Where the PKI has a certificate status service, issuing OCSP responses of the basic response type.


- REFERENCE: 
  - REQUIREMENT:
  - RATIONALE:

  - APPLICABILITY:

## 5.5 Certificate renewal
- REFERENCE: REQ-5.5-01
  - REQUIREMENT: Requirement GEN-6.3.6-10 contained in ETSI EN 319 411-1 shall apply.
  - NOTE: The term "sufficient" in the requirement means that the security is to be evaluated according to the current state of the art.


## 5.6 Certificate re-key
- REFERENCE: REQ-5.6-01
  - REQUIREMENT: In case of certificate re-key, if any certified names or attributes have changed, the related registration
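Review bot: the new APPLICABILITY for REQ-5.4-04 reads "Where the PKI has a certificate status service, issuing CRLs: UC1 and UC2", but the requirement concerns the OCSP response profile and the removed line correctly said "issuing OCSP responses"; this looks like a copy-paste from REQ-5.4-03 and should read "issuing OCSP responses: UC1 and UC2". Further defects in the added lines: "RATIONALE:The PKI" is missing the space after the colon (REQ-5.4-03); "he PKI shall provide" is missing its initial "T" in REQ-5.4-04 and REQ-5.4-05; "statusas" should read "status as" in REQ-5.4-04, REQ-5.4-05 and REQ-5.4-06; and "statues" should read "statuses" in REQ-5.4-03. The empty placeholder block ("- REFERENCE:" with blank REQUIREMENT, RATIONALE and APPLICABILITY) at the end of section 5.4 should not survive into the published text.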
@@ -1276,8 +1263,7 @@ information shall be recorded, after a proper verification.

## 5.7 Certificate modification
- REFERENCE: REQ-5.7-01
  - REQUIREMENT: In case of certificate modification, if any certified names or attributes have changed, the related registration
information shall be recorded, after a proper verification.
  - REQUIREMENT: In case of certificate modification, if any certified names or attributes have changed, the related registration information shall be recorded, after a proper verification.


## 5.8 Certificate suspension and revocation
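Review bot: this hunk only joins the two wrapped lines of REQ-5.7-01 into one, with no change in wording; the identically phrased REQ-5.6-01 in the context above is still wrapped across two lines, so reflow both or neither for consistency.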
@@ -1291,9 +1277,13 @@ information shall be recorded, after a proper verification.
## 5.9 Certificate status services
- REFERENCE: REQ-5.9-01
  - REQUIREMENT: Requirements CSS-6.3.10-03, CSS-6.3.10-04 and CSS-6.3.10-05 contained in ETSI EN 319 411-1 (V1.5.1) shall apply.
   - RATIONALE: The PKI shall provide accurate and integrity protected certificates statues either using the standardised CRL format ensuring integrity of revocation list or protected OCSP services as defined by [RFC 6960]. This covers threats T_REV01 to T_REV03 and T_STA01 to T_STA02.
  - APPLICABILITY: UC1, UC2 and UC3.

- REFERENCE: REQ-5.9-02
  - REQUIREMENT: If a PKI supports multiple methods to provide revocation status, the information provided by all services shall be consistent over time taking into account different delays in updating the status information for all the methods.
   - RATIONALE: The PKI shall provide accurate and integrity protected certificates statues either using the standardised CRL format ensuring integrity of revocation list or protected OCSP services as defined by [RFC 6960]. This covers threats T_REV01 to T_REV03 and T_STA01 to T_STA02.
  - APPLICABILITY: UC1, UC2 and UC3.
  - NOTE: This is aligned with requirement CSS-6.3.10-09 contained in ETSI EN 319 411-1 (V1.5.1)
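Review bot: the two added RATIONALE lines are indented with three spaces while the surrounding REQUIREMENT and APPLICABILITY items use two; in Markdown this can render the rationale as a differently nested item, so align the indentation. Both lines repeat "statues" for "statuses". The added APPLICABILITY "UC1, UC2 and UC3" for REQ-5.9-01 and REQ-5.9-02 should use whatever form is settled on for REQ-5.4-01, which in this same commit also drops the "Where the PKI has a certificate status service" condition. The NOTE on REQ-5.9-02 is missing its terminal period.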