Commit e71b99a1 authored by Peter Campbell

More tyops

parent dcfaeb7d
+10 −11
@@ -295,7 +295,7 @@ EXAMPLE 3: Software used to issue certificates for securing email sent within th

#### 4.2.2.1 Services

The product supports one or more of the following component services (see ETSI EN 319 411-1):
The PKI product will support one or more of the following component services (see ETSI EN 319 411-1):

-	<strong>Registration service:</strong> registers and receives certificate requests from subscribers; verifies the identity and, if applicable, attributes of a subject; and passes verified certificate requests to the certificate generation service.
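Review bot: The subject is renamed from "The product" to "The PKI product" in the opening sentence of 4.2.2.1, but other text visible in this diff still says "The PKI software will be deployed on servers" (around line 367). Pick one term for the thing being specified and use it throughout. The same line also moves from "supports" to "will support"; that matches 4.2.2.2, so check that the remaining present-tense statements in 4.2.2 follow suit.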

@@ -309,11 +309,11 @@ NOTE 3: This service can use a secure cryptographic device to generate, store an

NOTE 4: This service can include generation of subject keys and, if used for decryption, storage of subject private keys to allow key recovery.

-	<strong>Dissemination service:</strong> disseminates signed certificates to subscribers; and, if applicable, stores and makes them available to relying parties.
-	<strong>Dissemination service:</strong> distributes signed certificates to subscribers; and, if applicable, stores and makes them available to relying parties.

NOTE 5: This service can disseminate subject private keys to subscribers if the subject keys are generated by the certificate generation service.
NOTE 5: This service can also distribute subject private keys to subscribers if the subject keys are generated by the certificate generation service.
 
-	<strong>Revocation management service:</strong> processes requests and reports relating to revocation to determine the necessary action to be taken; and provides updates to the certificate status service.
-	<strong>Revocation management service:</strong> processes revocation requests and reports to determine the necessary action to be taken; and provides updates to the certificate status service.

-	<strong>Certificate status service:</strong> provides certificate revocation status information to relying parties.
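Review bot: In the Revocation management service bullet, "processes revocation requests and reports" is ambiguous: it can be read as revocation requests plus reports of any kind, where the old "requests and reports relating to revocation" scoped both nouns. Suggest "processes revocation requests and revocation reports", or keep the original wording. Separately, the service is still named "Dissemination service" while its definition and NOTE 5 now say "distributes"/"distribute"; if the name is fixed by ETSI EN 319 411-1 that is fine, but the mixed vocabulary reads oddly.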

@@ -321,9 +321,9 @@ Each component service will require configuration and maintenance by system admi

#### 4.2.2.2 Logging

The product will support logging of security events such as account access attempts, product configuration changes, and system warnings or errors.
The PKI product will support logging of security events; for example, account access attempts, product configuration changes, and system warnings or errors.

The product will typically support some logging of events relevant to each of the component service it provides. For example:
The PKI product will typically support some logging of events relevant to each of the component service it provides. For example:

- Registration service events such as certificate requests and approvals.
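Review bot: The second changed sentence in 4.2.2.2 still reads "each of the component service it provides"; it should be "each of the component services it provides". Since this line is being touched anyway, fix the plural in the same commit. In the first sentence, "security events; for example, account access attempts, ..." would read more cleanly with a comma or "such as" than with a semicolon before a list fragment.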

@@ -353,9 +353,9 @@ In the SME product context, a single PKI product will typically support all of t

However, some component PKI services might not be necessary or could be supported through generic enterprise products and services.

EXAMPLE 1: The registration service is not needed as subscriber enrollment and certificate request approvals are handled through standard enterprise on-boarding and account management processes.
EXAMPLE 1: The registration service is not needed as subscriber enrollment and certificate request approvals are handled through normal enterprise on-boarding and account management processes.

EXAMPLE 2: The revocation managment and certificate status services are not needed as compromised certificates can be mitigate through standard enterprise account management and off-boarding processes.
EXAMPLE 2: The revocation managment and certificate status services are not needed as compromised certificates can be mitigate through normal enterprise account management and off-boarding processes.

EXAMPLE 3: The dissemination service is not needed as an enterprise directory service can be used to store and distribute certificates.
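Review bot: EXAMPLE 2 is edited here but keeps two errors on the new line: "managment" should be "management" and "can be mitigate" should be "can be mitigated". Also consider whether "compromised certificates can be mitigated" is the intended statement; it is the risk from a compromised certificate that is mitigated through account management and off-boarding, and the example is the justification for omitting revocation and status services, so the wording deserves care.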

@@ -367,7 +367,7 @@ The enterprise will have a production system for issuing certificates and can be

The PKI software will be deployed on servers within the enterprise's server rooms or data centre, or on a platform hosted by the enterprise's cloud service provider.   

NOTE 1:	Software-as-a-service is out of scope of the present document.
NOTE 1:	PKI-as-a-service and software-as-a-service are out of scope of the present document.

If the certificate generation service in the production system uses a secure cryptographic device to manage the CA keys, this can be a physical device located in the enterprise's data centre or a virtual device hosted by the enterprise's cloud service provider.
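Review bot: NOTE 1 now excludes "PKI-as-a-service" as well as software-as-a-service, but the sentence directly above it allows deployment "on a platform hosted by the enterprise's cloud service provider" and the paragraph below allows "a virtual device hosted by the enterprise's cloud service provider". The term PKI-as-a-service is not defined in the visible text, so the boundary between an in-scope cloud-hosted deployment and an out-of-scope service is left to the reader. Suggest adding a short clause stating the distinguishing criterion, for example who installs, configures and operates the PKI software and who controls the CA keys.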

@@ -391,8 +391,7 @@ The enterprise will deploy malware detection and removal software on their syste

The enterprise will employ competent system administrators to install, configure and manage the software.

However, system operators may have limited experience running critical component services and have have only received basic training in cybersecurity or data protection.

However, system operators might have limited experience running critical component services and might have only received basic training in cybersecurity or data protection.

### 4.2.6 Assets
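Review bot: The rewritten sentence refers to "system operators", while the sentence immediately before it refers to "competent system administrators". If these are the same role, use one term, otherwise the "However" contrast is unclear; if they are different roles, say so explicitly, because the assumption about limited experience and only basic cybersecurity training affects which people the product's secure defaults need to protect against mistakes. The "have have" fix and the "may" to "might" change look fine.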