@@ -147,11 +147,10 @@ In the present document \"**should**\", \"**should not**\", \"**may**\", \"**nee
# Introduction
<br/>
# 1 Scope
*Editor's note: This section's is stable.*
The present document specifies requirements and assessment criteria covering all elements defined in CRA Annex I Part 1 and Part 2 for Public key infrastructure (PKI) and digital certificate issuance software.
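Review bot: The editor's note under "# 1 Scope" reads "This section's is stable", which does not say what is stable. The notes in clauses 2 and 3 distinguish "structure" from "content", so state which one is meant here (for example "This section's structure is stable"). The same wording occurs in the notes under 4.1 and 4.5.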
@@ -162,6 +161,7 @@ Different uses cases represent different deployment with different sets of archi
It covers main PKI able to support the management of public keys able to support authentication, encryption, integrity or non-repudiation services including public/open, private, C-ITS and machine-to-machine PKIs.
# 2 References
*Editor's note: This section's structure is stable. More references are to be added.*
## 2.1 Normative references
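Review bot: The scope sentence "It covers main PKI able to support the management of public keys able to support authentication..." repeats "able to support", leaving it unclear whether the PKI or the keys support the listed services. Since this sentence bounds what the document applies to, consider rewording along the lines of "It covers PKIs that manage public keys used for authentication, encryption, integrity or non-repudiation services, including public/open, private, C-ITS and machine-to-machine PKIs."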
@@ -189,6 +189,7 @@ The following referenced documents may be useful in implementing an ETSI deliver
-<spanid="_ref_i.2"></span><aname="_ref_i.2">[i.2]</a> Regulation (EU) 2024/2847 of the European Parliament and of the Council of 23 October 2024 on horizontal cybersecurity requirements for products with digital elements and amending Regulations (EU) No 168/2013 and (EU) 2019/1020 and Directive (EU) 2020/1828 (Cyber Resilience Act)\"
# 3 Definition of terms, symbols and abbreviations
*Editor's note: This section's structure is stable. Its content is to be further refined.*
## 3.1 Terms
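Review bot: The [i.2] entry ends with a stray `\"` after "(Cyber Resilience Act)" with no opening quote, and the anchor markup is written `<spanid=` and `<aname=` without the space before the attribute. The anchor that citations of [i.2] link to will not resolve as written. Use `<span id="_ref_i.2">` and `<a name="_ref_i.2">`, and drop the trailing quote.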
@@ -245,25 +246,13 @@ For the purposes of the present document, the [following] abbreviations apply:
> - NOTE: This section's structure is built upon CEN/CLC JTC13 PT01's deliverable and might require restructuring based on its progress.
## 4.1 Intended purpose of use
### 4.1.1 In scope
The present clause describes product contexts for products with digital elements used as part of a public key infrastructure (PKI) that manage the validation, creation, issuance, distribution, status publication, renewal or revocation of digital certificates, or the generation, storage, escrow, exchange, destruction or rotation of cryptographic keys associated with such digital certificates.
Those products can be used in diffe
### 4.1.2 Out of scope
PKI-as-a-service and software-as-a-service are out of scope of the present document.
Security requirements for secure cryptographic devices are out of scope of the present document.
Commission Implementing Regulation (EU) 2024/2690 for the application Directive (EU) 2022/2555 (NIS2) on cybersecurity measures applies to managed security service providers which use PKI techniques. The software components of a managed security service provider compliant to standardised PKI certificate policies, which incorporate the requirements of Commission Implementing Regulation (EU) 2024/2690, can be assumed to meet the requirements of the CRA and hence need not apply the requirements specified in the present document.
*Editor's note: This section's is stable.*
The present clause describes product contexts for products with digital elements used as part of a public key infrastructure (PKI) that manage the validation, creation, issuance, distribution, status publication, renewal or revocation of digital certificates, or the generation, storage, escrow, exchange, destruction or rotation of cryptographic keys associated with such digital certificates.
### 4.2 Main functionalities
_Explain the overall architecture and relationship among the parts of the products. Use diagrams if that is helpful._
*Editor's note: This section's structur is stable. The content is not stable.*
Products with digital elements used as part of a public key cryptography scheme to manage asymmetric cryptographic keys and digital certificates, including their creation, issuance, distribution, validation, renewal, storage or revocation. This category includes but is not limited to key management systems, digital certificate management systems and online certificate status protocol responders
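Review bot: `### 4.2 Main functionalities` is one level deeper than its siblings `## 4.1 Intended purpose of use` and `## 4.3 Architecture`, so 4.2 would render as a subclause of 4.1; use `## 4.2`. The paragraph beginning "The present clause describes product contexts" appears under 4.1.1 and again after the editor's note, and "Those products can be used in diffe" is cut mid-word; if both copies survive the change, keep one and complete or drop the fragment. The italic template prompt under 4.2 ("Explain the overall architecture...") should be removed once the clause has real content, and the last sentence of the clause is missing its full stop.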
@@ -310,6 +299,7 @@ PKI products also support:
-**System operator account:** authorised to operate the PKI services.
## 4.3 Architecture
*Editor's note: This section's structur is stable. The content is not stable.*
Figure 4.1 gives a high-level overview of a generic and illustrative PKI architecture.
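Review bot: The editor's note under "## 4.3 Architecture" spells "structure" as "structur". The same misspelling is in the notes under 4.2, 4.4, 4.6, 4.7.1, 4.7.2, 4.7.3, 5 and 6, so it is worth fixing in one pass. The list item above it, "-**System operator account:**", also lacks the space after the dash that the use-case list in 4.7 uses.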
@@ -319,6 +309,7 @@ Figure 4.1 gives a high-level overview of a generic and illustrative PKI archite
## 4.4 Operationnal Environment
*Editor's note: This section's structur is stable. The content is not stable.*
The enterprise shall have a production system for issuing certificates and can be expected to have a separate test system for checking configuration changes and software updates before they are deployed.
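Review bot: In 4.4, "The enterprise shall have a production system for issuing certificates" places a mandatory requirement on the operating enterprise inside a clause that describes the environment, and the same sentence then drops to "can be expected to have" for the test system. Either phrase both halves as assumptions about the operational environment, or move the mandatory part to clause 5 with its own REQ reference so it can be assessed. The heading also misspells "Operational" as "Operationnal".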
@@ -352,8 +343,10 @@ However, system operators might have limited experience running critical compone
## 4.5 Distribution of security functions
*Editor's note: This section's is still to be done.*
## 4.6 Users
*Editor's note: This section's structur is stable. The content has not been reviewed.*
PKI products users' roles and responsibilities can be:
@@ -416,13 +409,14 @@ PKIs can take many forms and this standard doesn't aim to cover all possible PKI
- Private PKI for large enterprise or critical sectors enterprise as defined by NIS2 directive
- Open or public PKI for Certficate Authorities (CA)
- C-ITS PKI
- Machine to machine
Security Profiles are defined for those specific use cases. Those profiles are the combination of the security and assessment requirements applicable to each use cases. In section 5 requirements are associated to an applicability conditions which depends on the use cases risks analysis as defined in Annex C.
Products not directly matching those use cases have to refine one of those profile to adapt them to there own risk analaysis.
In the **SME product context**, a single instance of a self-contained PKI product shall typically support all of the required PKI functionality.
In the **Private PKI product context**, a single instance of a self-contained PKI product shall typically support all of the required PKI functionality.
However, some component PKI services might not be necessary or could be supported through generic enterprise products and services.
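Review bot: "shall typically support" in the product-context sentences pairs a mandatory verb with a hedge, so an assessor cannot tell whether supporting all PKI functionality in a single instance is required; use "typically supports" if this is descriptive, or a plain "shall" if it is a requirement. The same sentence appears once for the "SME product context" and once for the "Private PKI product context", while the use-case list above has no SME entry; if both sentences remain, align the names with the list. Spelling in this hunk also needs a pass: "Certficate", "there own risk analaysis", "each use cases", "one of those profile".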
@@ -435,6 +429,7 @@ EXAMPLE 3: The dissemination service is not needed as an enterprise directory se
### 4.7.1 Private PKI for none critical entities
*Editor's note: This section's structur is stable. The content is not stable.*
#### 4.7.1.1 Assets
##### 4.7.1.1.1 System administration
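Review bot: The heading "4.7.1 Private PKI for none critical entities" should read "non-critical", and it does not match the use-case list in 4.7, whose private PKI entry is "Private PKI for large enterprise or critical sectors enterprise as defined by NIS2 directive". Because the security profiles are selected per use case, the list entries and the 4.7.x headings should use the same names so a manufacturer can tell which profile applies.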
@@ -736,6 +731,7 @@ The PKI product can support limited revocation management services even if it do
</div>
## 4.7.2 Critical entities and public CA PKI software
*Editor's note: This section's structur is stable. The content is not stable.*
### 4.7.2.1 Use
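Review bot: "## 4.7.2 Critical entities and public CA PKI software" is at heading level two, while "### 4.7.1" and "### 4.7.3" are at level three and its own child "### 4.7.2.1 Use" is at level three as well. As written, 4.7.2 renders as a sibling of 4.7 and 4.7.2.1 as a sibling of 4.7.1. Use `### 4.7.2` and `#### 4.7.2.1`, matching "#### 4.7.1.1 Assets".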
@@ -871,6 +867,8 @@ The CA shall enforce separation between trusted roles with conflicting responsib
### 4.7.3 C-ITS PKI
*Editor's note: This section's structur is stable. The content is not stable.*
A Public Key Infrastructure (PKI) dedicated to Communicating Intelligent Transport Systems (C-ITS) is used to manage ITS related certificates to enable deployment of security functions over the different components of ITS systems, mainly signature and encryption of ITS messages. The PKI is responsible for the issuance, revocation, and overall management of certificates and certificate status information.
The PKI architecture and its functionalities considered here are the one standardized by the ETSI in ETSI TS 102 940 and ETSI TS 102 941.
The C-ITS PKI shall provide the different services required by the RCA, EC and AA roles defined by the European C-ITS trust model. In the figure we also identify the role of a Misbehaviour Authority (MA): entity responsible to receive misbehaviour reports coming from ITS-S identifying other misbehaving ITS and emits action requests to the other C-ITS PKI authorities to react to misbehaving behaviour of ITS-S. The current PP does not define requirement for the MA services since the MA communication and services are not yet fully define and standardized. However the PP should be updated when it is.
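Review bot: "RCA, EC and AA roles" lists EC as a role, but in ETSI TS 102 940 and ETSI TS 102 941, cited in the preceding paragraph, the authorities are the Root CA, the Enrolment Authority (EA) and the Authorization Authority (AA), and EC is the enrolment credential that the EA issues; check whether EA is meant. The paragraph also refers to "the current PP" twice, a term the visible text never defines and which differs from "the present document" used elsewhere, and "In the figure" points at no figure number. The closing "should be updated when it is" would read more clearly as an editor's note than as body text.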
@@ -1005,7 +1003,12 @@ The considered threats for the C-ITS PKI are illustrated in the following figure
<br/>
### 4.7.4 Machine to Machine PKI
*Editor's note: This section is to be done*
# 5 Requirements for PKI products
*Editor's note: This section's structur is note stable. The content is not stable.*
## 5.1 Auditing
- REFERENCE: REQ-5.1-01
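Review bot: Clause 4.7.4 "Machine to Machine PKI" contains only "This section is to be done", while clause 1 states that the document covers machine-to-machine PKIs and 4.7 says security profiles are defined for each listed use case. Until 4.7.4 has content, either mark machine-to-machine as not yet covered in the scope or say in 4.7.4 which existing profile applies in the interim. The note under "# 5 Requirements for PKI products" also reads "is note stable", which should be "is not stable".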
@@ -1330,6 +1333,7 @@ information shall be recorded, after a proper verification.
# 6 Conformity Assessment
*Editor's note: This section's structur is stable. The content is not stable.*
## 6.1 Auditing
@@ -1945,6 +1949,29 @@ b) verify the OCSP response to match the constraints of the OCSP response profil
# Annex A Mapping with essential requirements of the CRA
No A unique identifier for one row of the table which may be used to identify a requirement.
Description A textual reference to the requirement.
Requirements of Regulation
- Identification of article(s) defining the requirement in the Regulation.
Clause(s) of the present document
- Identification of clause(s) defining the requirement in the present document unless another document is referenced explicitly.
Requirement Conditionality:
- U/C Indicates whether the requirement is unconditionally applicable (U) or is conditional upon the manufacturer's claimed functionality of the equipment (C). Condition Explains the conditions when the requirement is or is not applicable for a requirement which is classified "conditional".
Presumption of conformity stays valid only as long as a reference to the present document is maintained in the list published in the Official Journal of the European Union. Users of the present document should consult frequently the latest list published in the Official Journal of the European Union.
Other Union legislation may be applicable to the product(s) falling within the scope of the present document.
# Annex B Mappings
## B.1 Mapping of technical security requirements and assessment requirements
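Review bot: Annex A explains the columns of a mapping table (No, Description, Requirements of Regulation, Clause(s) of the present document, Requirement Conditionality), but no table appears in the lines shown before "# Annex B Mappings", so the key has nothing to describe. The key itself is formatted unevenly: "No" and "Description" run straight into their definitions, the next two use a bullet, and the "Condition" definition is appended to the "U/C" bullet. Give each column its own entry in one style and add the table, or a placeholder note, directly after the key.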