What is a trust service provider?

Posted by Victoria Allen on Jan 25, 2021 10:30:20 AM

A Trust Service Provider (TSP) is an entity that provides any number of trust services involved with the creation, validation and preservation of e-signatures, e-seals or digital certificates.

What is a Trust Service Provider?

Security is of the utmost importance to the integrity of the certificates used to create electronic signatures. Many TSPs store signing keys and digital certificates, and these must be stored securely to ensure the integrity of the certificates, e-signatures and e-seals the TSP issues.

TSPs must operate to a set of standards to ensure the security and validity of the certificates and authentication services they offer. The EU's eIDAS regulation has helped standardise the requirements for TSPs and provide organisations with a list of European Commission approved companies that they can trust.

Under the EU eIDAS regulation the definition of a trust service is:

An electronic service normally provided for remuneration which consists of:

  • The creation, verification and validation of electronic signatures, electronic seals or electronic timestamps, electronic registered delivery services and certificates related to those services; or
  • The creation, verification and validation of certificates for website authentication; or
  • The preservation of electronic signatures, seals or certificates related to those services.

TSPs provide a combination of the above services – some only issue digital certificates, others provide electronic signature services as well. What is important is that all TSPs adhere to the strict requirements that ensure the validity and security of the certificates, keys and signatures they provide.

A list of EU Trusted Providers can be viewed on the European Commission’s website.

What is a Qualified Trust Service Provider?

A Qualified Trust Service Provider (QTSP) must comply with additional measures under the eIDAS regulation to provide qualified certificates, qualified electronic signatures, qualified electronic seals or qualified electronic signature creation devices.

In order to be listed and recognised as a QTSP, organisations must undergo an independent assessment and regular audits to ensure that they continue to adhere to the requirements set out by eIDAS.

The additional requirements exist to ensure that the data QTSPs hold for creating digital certificates and signing keys is kept secure and its integrity protected, so that validity is assured.

Once an organisation has submitted the required information and QTSP status is awarded, the organisation can be listed as a QTSP on the European Council’s list of trusted providers.

How do I get a Qualified Electronic Signature?

According to the eIDAS regulation, a Qualified Electronic Signature (QES) must adhere to the same definition as an Advanced Electronic Signature (AES), but also:

  • The user’s digital certificate must be issued by a trusted Qualified Certificate Authority
  • The user’s signing key must be managed within a trusted Qualified Signature Creation Device (QSCD)

Qualified Trust Service Providers are able to provide QES and are regarded as the highest level of trust.

Ascertia’s ADSS SAM Appliance is Common Criteria EAL4+ certified against the eIDAS ETSI EN 419 241 standard and the EN 419 241-2 Protection Profile with Level 2 Sole Control and is recognised as a QSCD and QSealCD.

Many TSPs and QTSPs use Ascertia’s high-trust solutions to deliver their services.