| Topic | EN 319 411-1 | BRG dependency | Comparison guidance |
|---|---|---|---|
| Scope and certificate types | EN 319 411-1 covers TSPs issuing public key certificates, including trusted web site certificates, and supports reference policies such as LCP, NCP, NCP+, DVCP, OVCP, IVCP, and EVCP. | The BRG dependency is strongest for publicly trusted TLS/SSL certificates under DVCP, OVCP, and IVCP, where EN 319 411-1 says those policies are enhanced by BRG provisions for DV, OV, and IV certificates. | Start the comparison by naming the certificate policy, certificate profile, and whether the certificate is a publicly trusted TLS/SSL web-server certificate. |
| Covered actors | EN 319 411-1 applies to TSPs issuing public key certificates, including certification authorities, registration authorities, and repository operators that publish CP/CPS and status information for subscribers and relying parties. | The BRG dependency arises for TSPs asserting DVCP, OVCP, or IVCP policy OIDs for publicly trusted TLS/SSL certificates, where root programs, browser vendors, and relying parties depend on CA/Browser Forum requirements being satisfied. | Map actors by their certificate-policy role: CA, RA, or repository operator under EN 319 411-1, and root-program participant or relying party under BRG. |
| Trigger | An EN 319 411-1 review is triggered when a certification authority asserts an ETSI NCP, LCP, NCP+, DVCP, OVCP, IVCP, or EVCP certificate policy OID, or when a CP/CPS review or audit is required for any of those policy profiles. | A separate BRG review is triggered whenever DVCP, OVCP, or IVCP certificates are issued for publicly trusted web servers, because EN 319 411-1 defines those profiles as requiring compliance with BRG and names CA/Browser Forum Baseline Requirements as a normative reference. | Record which policy profile triggers BRG dependency; EN 319 411-1 alone applies to all certificate profiles that do not assert DVCP, OVCP, or IVCP. |
| Core obligations | EN 319 411-1 requires a CP stating what must be adhered to and a CPS explaining how the TSP implements those requirements. Selected obligations are tagged [WEB] to mark controls that apply specifically to web-authentication certificates; DVCP, OVCP, and IVCP profiles add BRG-linked CPS duties. | CA/B Forum BRG requirements are incorporated by reference for domain and IP address validation methods, CPS publication duties, and conflict handling. BRG takes precedence over EN 319 411-1 in the specific event of a conflict for DVCP, OVCP, and IVCP certificates, unless EN 319 411-1 is more stringent. | Keep CP/CPS obligations separate from BRG obligations; BRG requirements are additive for [WEB]-tagged profiles, not a replacement for ETSI baseline obligations. |
| Evidence | EN 319 411-1 requires the TSP to verify subscriber and subject identity, check requests for accuracy, authorization, and completeness, and collect or validate direct evidence or attestation from appropriate sources. | For [WEB] information relating to domain names and IP addresses, EN 319 411-1 says verification methods shall follow BRG clauses 3.2.2.4 to 3.2.2.9. | Organize evidence by certificate profile: ETSI domain-validation requirements apply first; BRG bridge evidence is additive only for [WEB]-tagged profiles. |
| Timing | EN 319 411-1 requires public CPS disclosure, availability of terms and conditions to relying parties, public international availability for publicly trusted certificate information, support for OCSP or CRL, and public international availability of revocation status information. | For web-authentication certificates, BRG references appear alongside public disclosure, selected [WEB] duties, and notes that OCSP can be mandatory in OV/IV/DV contexts. | Align CPS publication and availability timelines with both ETSI and BRG requirements; BRG may impose shorter revocation or update windows for publicly trusted certificates. |
| Enforcement | EN 319 411-1 V1.5.1 sets the ETSI baseline and permits confidential CPS sections. ETSI TC ESI is the relevant body for EN 319 411-1 revisions; conflicts with CA/B Forum SSL/TLS certificate policies should be reported to both ETSI TC ESI and the CA/Browser Forum. | For OVCP, DVCP, and IVCP, BRG takes precedence when EN 319 411-1 conflicts with the latest BRG version, unless EN 319 411-1 is more stringent. The TSP must monitor BRG revisions and ensure compliance as requirements become effective, making BRG monitoring a live, repeating obligation. | When BRG conflicts with EN 319 411-1 for DVCP, OVCP, or IVCP, BRG takes precedence; document the conflict and resolution in the CPS. |
| Overlap | EN 319 411-1 and BRG share domain and IP address validation obligations for DVCP, OVCP, and IVCP certificates. Both expect public certificate availability, CPS publication, and revocation status services to be publicly and internationally accessible. | CRL or OCSP revocation status service obligations, public repository publication duties, and relying-party accessibility requirements appear in both EN 319 411-1 and BRG-referenced controls. Crosswalk evidence should identify which obligation is met by which source. | Treat shared validation, revocation, and publication obligations as joint controls; a single control set satisfies both standards when requirements are identical. |
| Decision rule | ETSI evidence should be organized by policy profile and service component: CP/CPS, subscriber and subject registration, certificate generation, dissemination, revocation management, revocation status, and supporting procedures. | BRG evidence should be kept as a bridge record unless the current standalone BR text has been reviewed; EN 319 411-1 grounding alone supports only the BRG references and dependencies it names. | Use ETSI-only evidence for non-publicly-trusted certificates; add BRG bridge evidence only for profiles that assert [WEB]-tagged policy OIDs. |