| Scope |
On the request of GMO Globalsign Ltd. (hereafter referred to as: Globalsign), the certification audit on all areas and processes was performed by BSI Assurance UK Limited (Kitemark Court, Davy Avenue, Knowlhill, Milton Keynes MK5 8PP, United Kingdom, with its location at John M. Keynesplein 9, 1066 EP Amsterdam, The Netherlands).
The audit covered all applicable requirements from the audit criteria listed below (see “Audit Information”) and are defined in Globalsign’s Statement of Applicability, dated 19 April 2024 and the Overview of Applicability 2023.
The scope of the assessment comprised the following Trust Service Provider component services:
-,,Registration Service;
-,,Certificate Generation Service;
-,,Dissemination Service;
-,,Revocation Management Service;
-,,Revocation Status Service;
-,,Subject Device Provision Service;
These TSP component services are being provided for the following qualified trust service(s) as defined in the UK eIDAS Regulations:
-,,Issuance of qualified certificates for electronic signatures (qualified trust service), in accordance with the policies: QCP-n, QCP-n-qscd
-,,Issuance of qualified certificates for electronic seals (qualified trust service), in accordance with the policy: QCP-l, QCP-l-qscd
-,,Issuance of qualified certificates for website authentication (qualified trust service), in accordance with policies QEVCP-w
In providing the (qualified) trust services, the TSP shares resources as coordinated by its parent company GMO GlobalSign Holdings K.K. in Japan. This includes providing and maintaining trust service component services, with the relevant operations, procedures, IT-infrastructure and applications.
The PKI component activities take place at different locations and are all performed by GMO Globalsign group companies, under supervision of the TSP's Policy Authority and Governance & Compliance:
-,,Belgium, Leuven (Policy Authority, Governance & Compliance)
-,,UK, London (Office, software development, IT operations)
-,,UK, London (Datacenter for Certificate Generation Service and Registration/Revocation Management Service production systems)
-,,UK, Maidstone (Registered Office: Registration/Revocation Management Service operations, support processes)
-,,Singapore (Office: Key management and Cryptographic controls)
-,,Singapore (Datacenter for Certificate Generation Service, Certificate Status Service production systems)
-,,Japan, Tokyo (Office: software development, IT operations, Governance & Compliance)
-,,Japan, Tokyo (Datacenter for Registration/Revocation Management Service production systems)
-,,India, New Delhi (Office: Registration/Revocation Management Service operations, support processes)
-,,Philippines, Makati City (Office: Registration/Revocation Management Service operations, support processes)
The certificates are issued through the issuing certification authorities, as specified below:
-,,GlobalSign Atlas E45 UK Qualified Remote Signing CA 2020
Revoked on 20 March 2024.
Sha256 Fingerprint:
B89EBBFC57AE60653C676B8EB399DC9415BBB738CB0370651A86BFF075C83A39
+,,Qualified certificates for electronic seals, QCP-l
-,,GlobalSign Atlas R45 UK Qualified Remote Signing CA 2020
Revoked on 20 March 2024.
Sha256 Fingerprint:
0958E7A84F392A4F3B7DC5E30FDC8DF733E69B44C68C16FC0DA1741C08419DA0
+,,Qualified certificates for electronic seals, QCP-l
-,,GlobalSign GCC E45 UK Qualified Signing CA 2020
Revoked on 20 March 2024.
Sha256 Fingerprint:
28CB8EE23E7BDBBF40B2959A57BB589991C2635CD3B71AAB0E84F993C559D29F
+,,Qualified certificates for electronic signatures, QCP-n
+,,Qualified certificates for electronic seals, QCP-l
-,,GlobalSign GCC R45 UK Qualified Signing CA 2020
Revoked on 20 March 2024.
Sha256 Fingerprint:
F5E9E2705AB0C93E80652D2DEB573AB01D6700597BDA122BC08BA97FDC713368
+,,Qualified certificates for electronic signatures, QCP-n
+,,Qualified certificates for electronic seals, QCP-l
-,,GlobalSign GCC E45 UK Qualified QSCD Signing CA 2020
Revoked on 20 March 2024.
Sha256 Fingerprint:
712C42F3C0FA3BDFA11B22AC9811C8EB912C4B464B43C705825DEEDC1195AD33
,,Qualified certificates for electronic signatures, QCP-n-qscd
,,Qualified certificates for electronic seals, QCP-l-qscd
-,,GlobalSign GCC R45 UK Qualified QSCD Signing CA 2020
Revoked on 20 March 2024.
Sha256 Fingerprint:
91F881C556A920B92C4C48221FAAC19615437CF4ACB7D079C0B426BF3483B3AE
,,Qualified certificates for electronic signatures, QCP-n-qscd
,,Qualified certificates for electronic seals, QCP-l-qscd
-,,GlobalSign GCC E5 UK EV QWAC CA 2021
Revoked on 20 March 2024.
Sha256 Fingerprint:
0966A88729C938F9DCD65BB3C63B608618EAE5183ED1FED752B323089687A20E
+,,Qualified certificates for website authentication, QEVCP-w
-,,GlobalSign GCC R3 UK EV QWAC CA 2020
Revoked on 20 March 2024.
Sha256 Fingerprint:
A33017D9DF494C09D58709107403AEE461B9461E81BA395C28C36693C27D1986
+,,Qualified certificates for website authentication, QEVCP-w
The TSP component services are documented in the following Certification Practice Statements:
-,,GlobalSign Certificate Policy, version 7.3, 29 March 2024
-,,GlobalSign Certification Practice Statement, version 10.3, 29 March 2024
-,,GlobalSign PKI Disclosure Statement, version 2.0, 14 April 2023
Our certification audit was performed in February and April 2024. The result of the audit is that we conclude, based on the objective evidence collected during the certification audit from 1 July 2023 through 31 March 2024, the areas assessed during the audit for the issuance of:
-,,Issuance of qualified certificates for electronic signatures (qualified trust service), in accordance with the policies: QCP-n, QCP-n-qscd
-,,Issuance of qualified certificates for electronic seals (qualified trust service), in accordance with the policy: QCP-l, QCP-l-qscd
-,,Issuance of qualified certificates for website authentication (qualified trust service), in accordance with policies QEVCP-w;
were generally found to be effective, based on the applicable requirements defined in Globalsign’s Statement of Applicability, dated 19 April 2024 and the Overview of Applicability 2023.
Audit information:
Audit criteria
-,,"UK eIDAS Regulations":
-,,ETSI EN 319 401 v2.3.1 (2021-05) General Policy Requirements for Trust Service Providers;
-,,The Electronic Identification and Trust Services for Electronic Transactions (Amendment etc.) (EU Exit) Regulations 2019
-,,UK trust services legislation, The Electronic Identification and Trust Services for Electronic Transactions Regulation 2016 (2016 No.696))
-,,Information Commissioner's Office (ICO) - Becoming a qualified trust service provider, section: "Additional ICO requirements and guidance" (ref: https://ico.org.uk/for-organisations/guide-to-eidas/becoming-a-qualified-trust-service-provider/#additional)
-,,ETSI EN 319 411-2 v2.4.1 (2021-11) Electronic Signatures and Infrastructures (ESI) - Policy and security requirements for Trust Service Providers issuing certificates;- Part 2: Requirements for trust service providers issuing EU qualified certificates, for the policies: QCP-n, QCP-n-qscd, QCP-l, QCP-l-qscd, QEVCP-w
-,,Supplemental to ETSI EN 319411-2:
-,,ETSI EN 319 401 v2.3.1 (2021-05) General Policy Requirements for Trust Service Providers;
-,,ETSI EN 319 411-1 v1.3.1 (2021-05) Electronic Signatures and Infrastructures (ESI) - Policy and security requirements for Trust Service Providers issuing certificates - Part 1: General requirements, for the policies: LCP, NCP, NCP+, PTC, EVCP;
Audit Period of Time:
1 July 2023 through 31 March 2024
Audit performed:
February and April 2024
|
