On the request of Globalsign NV/SA (hereafter referred to as: Globalsign), the certification audit on all areas and processes was performed by BSI Group The Netherlands B.V. (John M. Keynesplein 9, 1066 EP Amsterdam, The Netherlands).
The audit covered all applicable requirements from the audit criteria listed below (see “Audit Information”) and are defined in Globalsign’s Statement of Applicability, dated 19 April 2024 and the Overview of Applicability 2023.
The scope of the assessment comprised the following Trust Service Provider component services:
-,,Registration Service;
-,,Certificate Generation Service;
-,,Dissemination Service;
-,,Revocation Management Service;
-,,Revocation Status Service;
-,,Subject Device Provision Service;
This includes operating a remote QSCD / SCDev, where electronic signature creation data is generated and managed on behalf of the signatory.
These TSP component services are being provided for the following qualified trust service(s) as defined in Regulation (EU) 910/2014 (eIDAS):
-,,Issuance of qualified certificates for electronic signatures (qualified trust service), in accordance with the policies: QCP-n, QCP-n-qscd
-,,Issuance of qualified certificates for electronic seals (qualified trust service), in accordance with the policy: QCP-l, QCP-l-qscd
-,,Issuance of qualified certificates for website authentication (qualified trust service), in accordance with policies QEVCP-w, QCP-w-psd2;
In providing the (qualified) trust services, the TSP shares resources as coordinated by its parent company GMO GlobalSign Holdings K.K. in Japan. This includes providing and maintaining trust service component services, with the relevant operations, procedures, IT-infrastructure and applications.
The PKI component activities take place at different locations and are all performed by GMO Globalsign group companies, under supervision of the TSP's Policy Authority and Governance & Compliance:
-,,Belgium, Leuven (Policy Authority, Governance & Compliance)
-,,UK, London (Office, software development, IT operations)
-,,UK, London (Datacenter for Certificate Generation Service and Registration/Revocation Management Service production systems)
-,,UK, Maidstone (Office: Registration/Revocation Management Service operations, support processes)
-,,Singapore (Office: Key management and Cryptographic controls)
-,,Singapore (Datacenter for Certificate Generation Service, Certificate Status Service production systems)
-,,Japan, Tokyo (Office: software development, IT operations, Governance & Compliance)
-,,Japan, Tokyo (Datacenter for Registration/Revocation Management Service production systems)
-,,India, New Delhi (Office: Registration/Revocation Management Service operations, support processes)
-,,Philippines, Makati City (Office: Registration/Revocation Management Service operations, support processes)
The certificates are issued through the issuing certification authorities, as specified below:
-,,GlobalSign Atlas E45 Qualified Remote Signing CA 2020
Sha256 Fingerprint:
5CB0FDEF052BD18A0A40ADA2235F46EB42B6D0993ED5A50DE47E3EA12FF191B1
+,,Qualified certificates for electronic signatures, QCP-n
+,,Qualified certificates for electronic seals, QCP-l
-,,GlobalSign Atlas R45 Qualified Remote Signing CA 2020
Sha256 Fingerprint:
323F35F0DFB01D6B478C24026C66852AAD3E96DCB1C5BE17C1DA1EC47D77CC87
+,,Qualified certificates for electronic signatures, QCP-n
+,,Qualified certificates for electronic seals, QCP-l
-,,GlobalSign Atlas E45 Qualified Non QSCD Signing CA 2021
Revoked on 20 March 2024.
Sha256 Fingerprint:
DBFF9EBA713FF77B60D52B37F35C5AD52D9CD06412F3BAD9128D77D95C7B887E
+,,Qualified certificates for electronic signatures, QCP-n
+,,Qualified certificates for electronic seals, QCP-l
-,,GlobalSign Atlas R45 Qualified Non QSCD Signing CA 2021
Revoked on 20 March 2024.
Sha256 Fingerprint:
96B67EB3D828223480405557E3993A3B1781D527294D1978EB0C4ABCC6F40AF2
+,,Qualified certificates for electronic signatures, QCP-n
+,,Qualified certificates for electronic seals, QCP-l
-,,GlobalSign Atlas E45 Qualified QSCD Signing CA 2021
Revoked on 20 March 2024.
Sha256 Fingerprint:
625597092D6B09F1AB74ECF29F38E0E1C41AF487594B23489A8A604687ACAD99
+,,Qualified certificates for electronic signatures, QCP-n
+,,Qualified certificates for electronic seals, QCP-l
-,,GlobalSign Atlas R45 Qualified QSCD Signing CA 2021
Revoked on 20 March 2024.
Sha256 Fingerprint:
7A25E3C7B2B3325C5E65D01B9F6FF474ADE4BBCC8CCA3D7F29655352386F36B7
+,,Qualified certificates for electronic signatures, QCP-n
+,,Qualified certificates for electronic seals, QCP-l
-,,GlobalSign Atlas R45 Remote QSCD Delegated RA CA 2022
Sha256 Fingerprint:
AD304215A70BF5D06E84973BF49862F10CFF490DA9C97D1D6FA6934F8E3C98AF
+,,Qualified certificates for electronic signatures, QCP-n-qscd
+,,Qualified certificates for electronic seals, QCP-l-qscd
-,,GlobalSign GCC E45 Qualified Signing CA 2020
Sha256 Fingerprint:
35E9429CDE680D8D5311CDD46FAEF0AEE694B0556C3D69C4F670E243D64C87FE
+,,Qualified certificates for electronic signatures, QCP-n
+,,Qualified certificates for electronic seals, QCP-l
-,,GlobalSign GCC R45 Qualified Signing CA 2020
Sha256 Fingerprint:
4E1474CFEB41D048C7E1E2C975D69AD3FD739BD44577A80D0432F233D51C5C77
+,,Qualified certificates for electronic signatures, QCP-n
+,,Qualified certificates for electronic seals, QCP-l
-,,GlobalSign GCC E45 Qualified QSCD Signing CA 2020
Sha256 Fingerprint:
8115E2CB4F04E56EA70EA932D0622831DD53B22BF6A93B3ACD9125FAB0374AF1
,,Qualified certificates for electronic signatures, QCP-n-qscd
,,Qualified certificates for electronic seals, QCP-l-qscd
-,,GlobalSign GCC R45 Qualified QSCD Signing CA 2020
Sha256 Fingerprint:
1B728D4A76506634A11007912F1D8C6B9AA39BE1AFCA49096657CF1FFB4513BF
,,Qualified certificates for electronic signatures, QCP-n-qscd
,,Qualified certificates for electronic seals, QCP-l-qscd
-,,GlobalSign GCC E5 EV QWAC CA 2021
Revoked on 20 March 2024.
Sha256 Fingerprint:
0DD2C7E0AF8200F49F4192A89AE634D4CE41B80C63B0629CC68E538C316F020E
+,,Qualified certificates for website authentication, QEVCP-w, QCP-w-psd2
-,,GlobalSign GCC R3 EV QWAC CA 2020
Sha256 Fingerprint:
D4A5941C7141ED1949A0C6CE9DD45A0AB94DC337902EB0A1209852738EEBE854
+,,Qualified certificates for website authentication, QEVCP-w, QCP-w-psd2
The TSP component services are documented in the following Certification Practice Statements:
-,,GlobalSign Certificate Policy, version 7.3, 29 March 2024
-,,GlobalSign Certification Practice Statement, version 10.3, 29 March 2024
-,,GlobalSign PKI Disclosure Statement, version 2.0, 14 April 2023
-,,GlobalSign Qualified Signing Service Practice Statement, version 1.0, 14 April 2023
Our certification audit was performed in February and April 2024. The result of the audit is that we conclude, based on the objective evidence collected during the certification audit from 1 July 2023 through 31 March 2024, the areas assessed during the audit for the issuance of:
-,,Issuance of qualified certificates for electronic signatures (qualified trust service), in accordance with the policies: QCP-n, QCP-n-qscd
-,,Issuance of qualified certificates for electronic seals (qualified trust service), in accordance with the policy: QCP-l, QCP-l-qscd
-,,Issuance of qualified certificates for website authentication (qualified trust service), in accordance with policies QEVCP-w, QCP-w-psd2;
were generally found to be effective, based on the applicable requirements defined in Globalsign’s Statement of Applicability, dated 19 April 2024 and the Overview of Applicability 2023.
Audit information:
Audit criteria
-,,Regulation (EU) N 910/2014 of the European Parliament and of the Council on electronic identification and trust services for electronic transactions in the internal market and repealing Directive 1999/93/EC, Chapter III – Trust Services
-,,ETSI EN 319 411-2 v2.4.1 (2021-11) Electronic Signatures and Infrastructures (ESI) - Policy and security requirements for Trust Service Providers issuing certificates;- Part 2: Requirements for trust service providers issuing EU qualified certificates, for the policies: QCP-n, QCP-n-qscd, QCP-l, QCP-l-qscd, QEVCP-w
-,,Supplemental to ETSI EN 319411-2:
-,,ETSI EN 319 401 v2.3.1 (2021-05) General Policy Requirements for Trust Service Providers;
-,,ETSI EN 319 411-1 v1.3.1 (2021-05) Electronic Signatures and Infrastructures (ESI) - Policy and security requirements for Trust Service Providers issuing certificates - Part 1: General requirements, for the policies: LCP, NCP, NCP+, PTC, EVCP;
-,,ETSI TS 119 495 v1.6.1 (2022-11) - Electronic Signatures and Infrastructures (ESI); Sector Specific Requirements; Certificate Profiles and TSP Policy Requirements for Open Banking, for the policies: QCP-l-qscd, QCP-w-psd2.
Audit Period of Time:
1 July 2023 through 31 March 2024
Audit performed:
February and April 2024
|