Scope |
On the request of GMO Globalsign Ltd. (hereafter referred to as: Globalsign), the certification audit on all areas and processes was performed by BSI Assurance UK Limited (Kitemark Court, Davy Avenue, Knowlhill, Milton Keynes MK5 8PP, United Kingdom, with its location at John M. Keynesplein 9, 1066 EP Amsterdam, The Netherlands).
The audit covered all applicable requirements from the audit criteria listed below (see “Audit Information”) and are defined in Globalsign’s Statement of Applicability, dated 19 April 2024 and the Overview of Applicability 2023.
The scope of the assessment comprised the following Trust Service Provider component services:
-,,Time-stamping provision: This service component generates time-stamps.
-,,Time-stamping management: This service component monitors and controls the operation of the time-stamping services to ensure that the service provided is as specified by the TSA.
These TSP component services are being provided for following qualified trust service as defined in the UK eIDAS Regulations:
-,,Issuance of qualified electronic time stamps (qualified trust service)
In providing the (qualified) trust services, the TSP shares resources as coordinated by its parent company GMO GlobalSign Holdings K.K. in Japan. This includes providing and maintaining trust service component services, with the relevant operations, procedures, IT-infrastructure and applications.
The TSA component activities take place at different locations and are all performed by GMO Globalsign group companies, under supervision of the TSP's Policy Authority and Governance & Compliance:
-,,Belgium, Leuven (Policy Authority, Governance & Compliance)
-,,UK, London (Office, software development, IT operations)
-,,UK, London (Datacenter for Time-stamping provision and Time-stamping management production systems)
-,,UK, Maidstone (Registered Office: support processes)
-,,Singapore (Office: Key management and Cryptographic controls)
Qualified Time-Stamps are issued by Time-Stamping Units (TSU) specified below:
Issuing CA: GlobalSign Atlas R45 UK Qualified Timestamping CA 2020
Revoked on 20 March 2024.
Sha256 Fingerprint:
4C03F2D6941F2DFCA27EDC599F385E6CD3FFD0CC842F2CCB95B77580A2D1FF93
-,,TSU: GlobalSign UK Qualified Time Stamping 2023 TSU-01.001-LCY
Sha256 Fingerprint:
E08091CC94151D791C3E99E1927E93FCD8F6E0EBBB4AC63725D4A92083FA8AC7
-,,TSU: GlobalSign UK Qualified Time Stamping 2023 TSU-02.001-LCY
Sha256 Fingerprint:
B3EC34E0D934FB10BA49FDE50AD7D05EFBC9DCDCA1AF535906013ACFAE2D42F9
-,,TSU: GlobalSign UK Qualified Time Stamping 2023 TSU-03.001-LCY
Sha256 Fingerprint:
75EE747BB8C3DC9A1285D21726C8CE525437F1EF28E9D282EF8895A618F56AC1
Other issuing CAs capable of issuing public key certificates for Time-Stamping Units (TSU) issuing Qualified Time-Stamps are:
-,,Issuing CA: GlobalSign Atlas ECCR5 UK Qualified Timestamping CA 2020
Revoked on 20 March 2024.
Sha256 Fingerprint:
40382F8827B75D25705A6B3DA32533C5F4218BD7FA697CB0B300E8F47047FBC9
The TSP component services are documented in the following Globalsign Timestamping Practice Statement:
-,,GlobalSign Timestamping Practice Statement, version 1.0, 10 February 2022
Our certification audit was performed in February and April 2024. The result of the audit is that we conclude, based on the objective evidence collected during the certification audit from 1 July 2023 through 31 March 2024, the areas assessed during the audit for the issuance of qualified electronic time stamps (qualified trust service), were generally found to be effective, based on the applicable requirements defined in Globalsign’s Statement of Applicability, dated 19 April 2024 and the Overview of Applicability 2023.
Audit information:
Audit criteria
-,,"UK eIDAS Regulations":
-,,ETSI EN 319 401 v2.3.1 (2021-05) General Policy Requirements for Trust Service Providers;
-,,The Electronic Identification and Trust Services for Electronic Transactions (Amendment etc.) (EU Exit) Regulations 2019
-,,UK trust services legislation, The Electronic Identification and Trust Services for Electronic Transactions Regulation 2016 (2016 No.696))
-,,Information Commissioner's Office (ICO) - Becoming a qualified trust service provider, section: "Additional ICO requirements and guidance" (ref: https://ico.org.uk/for-organisations/guide-to-eidas/becoming-a-qualified-trust-service-provider/#additional)
-,,ETSI EN 319 421 v1.2.1 (2023-05) Electronic Signatures and Infrastructures (ESI); Policy and Security Requirements for Trust Service Providers issuing Time-Stamps.
-,,Supplemental to ETSI EN 319421:
-,,ETSI EN 319 401 v2.3.1 (2021-05) General Policy Requirements for Trust Service Providers;
Audit Period of Time:
1 July 2023 through 31 March 2024
Audit performed:
February and April 2024
|