--- title: "ETSI EN 319 411-1 vs CA/B Forum Baseline Requirements" canonical_url: "https://www.sorena.io/artifacts/global/etsi-en-319-411-1/en-319-411-1-vs-ca-browser-forum-baseline-requirements" source_url: "https://www.sorena.io/artifacts/global/etsi-en-319-411-1/en-319-411-1-vs-ca-browser-forum-baseline-requirements" author: "Sorena AI" description: "Compare how EN 319 411-1 incorporates CA/B Forum BRG concepts for DVCP, OVCP, IVCP, [WEB] requirements, CPS disclosure, domain validation, and conflict handling." published_at: "2026-05-09" updated_at: "2026-05-09" keywords: - "ETSI EN 319 411-1" - "CA Browser Forum BRG" - "DVCP" - "OVCP" - "IVCP" - "TLS certificate policy" - "CPS disclosure" - "WebPKI certificate policy" - "CA/Browser Forum BRG" --- **[SORENA](https://www.sorena.io/)** - AI-Powered GRC Platform [Home](https://www.sorena.io/) | [Solutions](https://www.sorena.io/solutions) | [Artifacts](https://www.sorena.io/artifacts) | [About Us](https://www.sorena.io/about-us) | [Contact](https://www.sorena.io/contact) | [Portal](https://app.sorena.io) --- # ETSI EN 319 411-1 vs CA/B Forum Baseline Requirements Compare how EN 319 411-1 incorporates CA/B Forum BRG concepts for DVCP, OVCP, IVCP, [WEB] requirements, CPS disclosure, domain validation, and conflict handling. *Artifact Guide* *GLOBAL* *ETSI EN 319 411-1* ## ETSI EN 319 411-1 vs CA/B Forum Baseline Requirements A focused crosswalk for certificate authorities using EN 319 411-1 profiles that reference CA/Browser Forum Baseline Requirements Guidelines (BRG). Use it to separate EN 319 411-1 CP/CPS obligations from BRG-dependent DVCP, OVCP, IVCP, and [WEB] controls. Standalone BR details are not restated unless grounded in the ETSI source text. EN 319 411-1 is not a substitute copy of the CA/Browser Forum Baseline Requirements. It defines general policy and security requirements for TSPs issuing public key certificates, then builds DVCP, OVCP, and IVCP TLS/SSL certificate policies that reference BRG for publicly trusted web-server certificates. Use this page to identify where the ETSI standard itself points to BRG, where EN 319 411-1 remains the source of CP/CPS and service-component evidence, and where a separate BR review is still required. ## ETSI EN 319 411-1 vs CA/B Forum BRG: where the work actually splits Use this crosswalk to separate EN 319 411-1 obligations from BRG-dependent TLS/SSL certificate-policy work. CA/B Forum details are limited to what the ETSI grounding states; standalone BR text still needs a separate current-source review. - **ETSI EN 319 411-1**: Defines general policy and security requirements for TSPs issuing public key certificates, including CP/CPS expectations, service components, publication, registration, revocation, and ETSI certificate-policy profiles. - **CA/B Forum BRG dependency**: Appears in EN 319 411-1 where TLS/SSL certificate policies, [WEB] requirements, domain/IP validation, BRG revision monitoring, and conflict rules depend on CA/Browser Forum Baseline Requirements. | Dimension | ETSI EN 319 411-1 | CA/B Forum BRG dependency | Operational implication | Sources | | --- | --- | --- | --- | --- | | Scope and certificate types | EN 319 411-1 covers TSPs issuing public key certificates, including trusted web site certificates, and supports reference policies such as LCP, NCP, NCP+, DVCP, OVCP, IVCP, and EVCP. | The BRG dependency is strongest for publicly trusted TLS/SSL certificates under DVCP, OVCP, and IVCP, where EN 319 411-1 says those policies are enhanced by BRG provisions for DV, OV, and IV certificates. | Start the comparison by naming the certificate policy, certificate profile, and whether the certificate is a publicly trusted TLS/SSL web-server certificate. | [ETSI EN 319 411-1 V1.5.1 certificate policy and security requirements](https://www.etsi.org/deliver/etsi_en/319400_319499/31941101/01.05.01_60/en_31941101v010501p.pdf?ref=sorena.io) - Grounds the EN 319 411-1 scope, CP/CPS model, DVCP/OVCP/IVCP relationship to BRG, [WEB] requirement tagging, CPS disclosure, domain/IP validation references, revocation-status expectations, and conflict rule for BRG-referenced certificate policies. | | Covered actors | EN 319 411-1 applies to TSPs issuing public key certificates, including certification authorities, registration authorities, and repository operators that publish CP/CPS and status information for subscribers and relying parties. | The BRG dependency arises for TSPs asserting DVCP, OVCP, or IVCP policy OIDs for publicly trusted TLS/SSL certificates, where root programs, browser vendors, and relying parties depend on CA/Browser Forum requirements being satisfied. | Map actors by their certificate-policy role: CA, RA, or repository operator under EN 319 411-1, and root-program participant or relying party under BRG. | [ETSI EN 319 411-1 V1.5.1 certificate policy and security requirements](https://www.etsi.org/deliver/etsi_en/319400_319499/31941101/01.05.01_60/en_31941101v010501p.pdf?ref=sorena.io) - Grounds the EN 319 411-1 scope, CP/CPS model, DVCP/OVCP/IVCP relationship to BRG, certificate policy and CPS obligations. | | Trigger | An EN 319 411-1 review is triggered when a certification authority asserts an ETSI NCP, LCP, NCP+, DVCP, OVCP, IVCP, or EVCP certificate policy OID, or when a CP/CPS review or audit is required for any of those policy profiles. | A separate BRG review is triggered whenever DVCP, OVCP, or IVCP certificates are issued for publicly trusted web servers, because EN 319 411-1 defines those profiles as requiring compliance with BRG and names CA/Browser Forum Baseline Requirements as a normative reference. | Record which policy profile triggers BRG dependency; EN 319 411-1 alone applies to all certificate profiles that do not assert DVCP, OVCP, or IVCP. | [ETSI EN 319 411-1 V1.5.1 certificate policy and security requirements](https://www.etsi.org/deliver/etsi_en/319400_319499/31941101/01.05.01_60/en_31941101v010501p.pdf?ref=sorena.io) - Grounds the EN 319 411-1 scope, CP/CPS model, DVCP/OVCP/IVCP relationship to BRG, certificate policy and CPS obligations. | | Core obligations | EN 319 411-1 requires a CP stating what must be adhered to and a CPS explaining how the TSP implements those requirements. Selected obligations are tagged [WEB] to mark controls that apply specifically to web-authentication certificates; DVCP, OVCP, and IVCP profiles add BRG-linked CPS duties. | CA/B Forum BRG requirements are incorporated by reference for domain and IP address validation methods, CPS publication duties, and conflict handling. BRG takes precedence over EN 319 411-1 in the specific event of a conflict for DVCP, OVCP, and IVCP certificates, unless EN 319 411-1 is more stringent. | Keep CP/CPS obligations separate from BRG obligations; BRG requirements are additive for [WEB]-tagged profiles, not a replacement for ETSI baseline obligations. | [ETSI EN 319 411-1 V1.5.1 certificate policy and security requirements](https://www.etsi.org/deliver/etsi_en/319400_319499/31941101/01.05.01_60/en_31941101v010501p.pdf?ref=sorena.io) - Grounds the EN 319 411-1 scope, CP/CPS model, DVCP/OVCP/IVCP relationship to BRG, certificate policy and CPS obligations. | | Evidence | EN 319 411-1 requires the TSP to verify subscriber and subject identity, check requests for accuracy, authorization, and completeness, and collect or validate direct evidence or attestation from appropriate sources. | For [WEB] information relating to domain names and IP addresses, EN 319 411-1 says verification methods shall follow BRG clauses 3.2.2.4 to 3.2.2.9. | Organize evidence by certificate profile: ETSI domain-validation requirements apply first; BRG bridge evidence is additive only for [WEB]-tagged profiles. | [ETSI EN 319 411-1 V1.5.1 certificate policy and security requirements](https://www.etsi.org/deliver/etsi_en/319400_319499/31941101/01.05.01_60/en_31941101v010501p.pdf?ref=sorena.io) - Grounds the EN 319 411-1 scope, CP/CPS model, DVCP/OVCP/IVCP relationship to BRG, certificate policy and CPS obligations. | | Timing | EN 319 411-1 requires public CPS disclosure, availability of terms and conditions to relying parties, public international availability for publicly trusted certificate information, support for OCSP or CRL, and public international availability of revocation status information. | For web-authentication certificates, BRG references appear alongside public disclosure, selected [WEB] duties, and notes that OCSP can be mandatory in OV/IV/DV contexts. | Align CPS publication and availability timelines with both ETSI and BRG requirements; BRG may impose shorter revocation or update windows for publicly trusted certificates. | [ETSI EN 319 411-1 V1.5.1 certificate policy and security requirements](https://www.etsi.org/deliver/etsi_en/319400_319499/31941101/01.05.01_60/en_31941101v010501p.pdf?ref=sorena.io) - Grounds the EN 319 411-1 scope, CP/CPS model, DVCP/OVCP/IVCP relationship to BRG, certificate policy and CPS obligations. | | Enforcement | EN 319 411-1 V1.5.1 sets the ETSI baseline and permits confidential CPS sections. ETSI TC ESI is the relevant body for EN 319 411-1 revisions; conflicts with CA/B Forum SSL/TLS certificate policies should be reported to both ETSI TC ESI and the CA/Browser Forum. | For OVCP, DVCP, and IVCP, BRG takes precedence when EN 319 411-1 conflicts with the latest BRG version, unless EN 319 411-1 is more stringent. The TSP must monitor BRG revisions and ensure compliance as requirements become effective, making BRG monitoring a live, repeating obligation. | When BRG conflicts with EN 319 411-1 for DVCP, OVCP, or IVCP, BRG takes precedence; document the conflict and resolution in the CPS. | [ETSI EN 319 411-1 V1.5.1 certificate policy and security requirements](https://www.etsi.org/deliver/etsi_en/319400_319499/31941101/01.05.01_60/en_31941101v010501p.pdf?ref=sorena.io) - Grounds the EN 319 411-1 scope, CP/CPS model, DVCP/OVCP/IVCP relationship to BRG, certificate policy and CPS obligations. | | Overlap | EN 319 411-1 and BRG share domain and IP address validation obligations for DVCP, OVCP, and IVCP certificates. Both expect public certificate availability, CPS publication, and revocation status services to be publicly and internationally accessible. | CRL or OCSP revocation status service obligations, public repository publication duties, and relying-party accessibility requirements appear in both EN 319 411-1 and BRG-referenced controls. Crosswalk evidence should identify which obligation is met by which source. | Treat shared validation, revocation, and publication obligations as joint controls; a single control set satisfies both standards when requirements are identical. | [ETSI EN 319 411-1 V1.5.1 certificate policy and security requirements](https://www.etsi.org/deliver/etsi_en/319400_319499/31941101/01.05.01_60/en_31941101v010501p.pdf?ref=sorena.io) - Grounds the EN 319 411-1 scope, CP/CPS model, DVCP/OVCP/IVCP relationship to BRG, certificate policy and CPS obligations. | | Decision rule | ETSI evidence should be organized by policy profile and service component: CP/CPS, subscriber and subject registration, certificate generation, dissemination, revocation management, revocation status, and supporting procedures. | BRG evidence should be kept as a bridge record unless the current standalone BR text has been reviewed; EN 319 411-1 grounding alone supports only the BRG references and dependencies it names. | Use ETSI-only evidence for non-publicly-trusted certificates; add BRG bridge evidence only for profiles that assert [WEB]-tagged policy OIDs. | [ETSI EN 319 411-1 V1.5.1 certificate policy and security requirements](https://www.etsi.org/deliver/etsi_en/319400_319499/31941101/01.05.01_60/en_31941101v010501p.pdf?ref=sorena.io) - Grounds the EN 319 411-1 scope, CP/CPS model, DVCP/OVCP/IVCP relationship to BRG, certificate policy and CPS obligations. | Sources for Scope and certificate types - ETSI EN 319 411-1: - [ETSI EN 319 411-1 V1.5.1 certificate policy and security requirements](https://www.etsi.org/deliver/etsi_en/319400_319499/31941101/01.05.01_60/en_31941101v010501p.pdf?ref=sorena.io) - Grounds the EN 319 411-1 scope, CP/CPS model, DVCP/OVCP/IVCP relationship to BRG, [WEB] requirement tagging, CPS disclosure, domain/IP validation references, revocation-status expectations, and conflict rule for BRG-referenced certificate policies. - Quote: "The present document includes provisions consistent with the requirements from the CA/Browser Forum in EVCG [4] and BRG [6]." Sources for Scope and certificate types - CA/B Forum BRG dependency: - [ETSI EN 319 411-1 V1.5.1 certificate policy and security requirements](https://www.etsi.org/deliver/etsi_en/319400_319499/31941101/01.05.01_60/en_31941101v010501p.pdf?ref=sorena.io) - Grounds the EN 319 411-1 scope, CP/CPS model, DVCP/OVCP/IVCP relationship to BRG, [WEB] requirement tagging, CPS disclosure, domain/IP validation references, revocation-status expectations, and conflict rule for BRG-referenced certificate policies. - Quote: "The present document includes provisions consistent with the requirements from the CA/Browser Forum in EVCG [4] and BRG [6]." Sources for Scope and certificate types - operational implication: - [ETSI EN 319 411-1 V1.5.1 certificate policy and security requirements](https://www.etsi.org/deliver/etsi_en/319400_319499/31941101/01.05.01_60/en_31941101v010501p.pdf?ref=sorena.io) - Grounds the EN 319 411-1 scope, CP/CPS model, DVCP/OVCP/IVCP relationship to BRG, [WEB] requirement tagging, CPS disclosure, domain/IP validation references, revocation-status expectations, and conflict rule for BRG-referenced certificate policies. - Quote: "The present document includes provisions consistent with the requirements from the CA/Browser Forum in EVCG [4] and BRG [6]." Sources for Covered actors - ETSI EN 319 411-1: - [ETSI EN 319 411-1 V1.5.1 certificate policy and security requirements](https://www.etsi.org/deliver/etsi_en/319400_319499/31941101/01.05.01_60/en_31941101v010501p.pdf?ref=sorena.io) - Grounds the EN 319 411-1 scope, CP/CPS model, DVCP/OVCP/IVCP relationship to BRG, certificate policy and CPS obligations. Sources for Covered actors - CA/B Forum BRG dependency: - [ETSI EN 319 411-1 V1.5.1 certificate policy and security requirements](https://www.etsi.org/deliver/etsi_en/319400_319499/31941101/01.05.01_60/en_31941101v010501p.pdf?ref=sorena.io) - Grounds the EN 319 411-1 scope, CP/CPS model, DVCP/OVCP/IVCP relationship to BRG, certificate policy and CPS obligations. Sources for Covered actors - operational implication: - [ETSI EN 319 411-1 V1.5.1 certificate policy and security requirements](https://www.etsi.org/deliver/etsi_en/319400_319499/31941101/01.05.01_60/en_31941101v010501p.pdf?ref=sorena.io) - Grounds the EN 319 411-1 scope, CP/CPS model, DVCP/OVCP/IVCP relationship to BRG, certificate policy and CPS obligations. Sources for Trigger - ETSI EN 319 411-1: - [ETSI EN 319 411-1 V1.5.1 certificate policy and security requirements](https://www.etsi.org/deliver/etsi_en/319400_319499/31941101/01.05.01_60/en_31941101v010501p.pdf?ref=sorena.io) - Grounds the EN 319 411-1 scope, CP/CPS model, DVCP/OVCP/IVCP relationship to BRG, certificate policy and CPS obligations. Sources for Trigger - CA/B Forum BRG dependency: - [ETSI EN 319 411-1 V1.5.1 certificate policy and security requirements](https://www.etsi.org/deliver/etsi_en/319400_319499/31941101/01.05.01_60/en_31941101v010501p.pdf?ref=sorena.io) - Grounds the EN 319 411-1 scope, CP/CPS model, DVCP/OVCP/IVCP relationship to BRG, certificate policy and CPS obligations. Sources for Trigger - operational implication: - [ETSI EN 319 411-1 V1.5.1 certificate policy and security requirements](https://www.etsi.org/deliver/etsi_en/319400_319499/31941101/01.05.01_60/en_31941101v010501p.pdf?ref=sorena.io) - Grounds the EN 319 411-1 scope, CP/CPS model, DVCP/OVCP/IVCP relationship to BRG, certificate policy and CPS obligations. Sources for Core obligations - ETSI EN 319 411-1: - [ETSI EN 319 411-1 V1.5.1 certificate policy and security requirements](https://www.etsi.org/deliver/etsi_en/319400_319499/31941101/01.05.01_60/en_31941101v010501p.pdf?ref=sorena.io) - Grounds the EN 319 411-1 scope, CP/CPS model, DVCP/OVCP/IVCP relationship to BRG, certificate policy and CPS obligations. Sources for Core obligations - CA/B Forum BRG dependency: - [ETSI EN 319 411-1 V1.5.1 certificate policy and security requirements](https://www.etsi.org/deliver/etsi_en/319400_319499/31941101/01.05.01_60/en_31941101v010501p.pdf?ref=sorena.io) - Grounds the EN 319 411-1 scope, CP/CPS model, DVCP/OVCP/IVCP relationship to BRG, certificate policy and CPS obligations. Sources for Core obligations - operational implication: - [ETSI EN 319 411-1 V1.5.1 certificate policy and security requirements](https://www.etsi.org/deliver/etsi_en/319400_319499/31941101/01.05.01_60/en_31941101v010501p.pdf?ref=sorena.io) - Grounds the EN 319 411-1 scope, CP/CPS model, DVCP/OVCP/IVCP relationship to BRG, certificate policy and CPS obligations. Sources for Evidence - ETSI EN 319 411-1: - [ETSI EN 319 411-1 V1.5.1 certificate policy and security requirements](https://www.etsi.org/deliver/etsi_en/319400_319499/31941101/01.05.01_60/en_31941101v010501p.pdf?ref=sorena.io) - Grounds the EN 319 411-1 scope, CP/CPS model, DVCP/OVCP/IVCP relationship to BRG, certificate policy and CPS obligations. Sources for Evidence - CA/B Forum BRG dependency: - [ETSI EN 319 411-1 V1.5.1 certificate policy and security requirements](https://www.etsi.org/deliver/etsi_en/319400_319499/31941101/01.05.01_60/en_31941101v010501p.pdf?ref=sorena.io) - Grounds the EN 319 411-1 scope, CP/CPS model, DVCP/OVCP/IVCP relationship to BRG, certificate policy and CPS obligations. Sources for Evidence - operational implication: - [ETSI EN 319 411-1 V1.5.1 certificate policy and security requirements](https://www.etsi.org/deliver/etsi_en/319400_319499/31941101/01.05.01_60/en_31941101v010501p.pdf?ref=sorena.io) - Grounds the EN 319 411-1 scope, CP/CPS model, DVCP/OVCP/IVCP relationship to BRG, certificate policy and CPS obligations. Sources for Timing - ETSI EN 319 411-1: - [ETSI EN 319 411-1 V1.5.1 certificate policy and security requirements](https://www.etsi.org/deliver/etsi_en/319400_319499/31941101/01.05.01_60/en_31941101v010501p.pdf?ref=sorena.io) - Grounds the EN 319 411-1 scope, CP/CPS model, DVCP/OVCP/IVCP relationship to BRG, certificate policy and CPS obligations. Sources for Timing - CA/B Forum BRG dependency: - [ETSI EN 319 411-1 V1.5.1 certificate policy and security requirements](https://www.etsi.org/deliver/etsi_en/319400_319499/31941101/01.05.01_60/en_31941101v010501p.pdf?ref=sorena.io) - Grounds the EN 319 411-1 scope, CP/CPS model, DVCP/OVCP/IVCP relationship to BRG, certificate policy and CPS obligations. Sources for Timing - operational implication: - [ETSI EN 319 411-1 V1.5.1 certificate policy and security requirements](https://www.etsi.org/deliver/etsi_en/319400_319499/31941101/01.05.01_60/en_31941101v010501p.pdf?ref=sorena.io) - Grounds the EN 319 411-1 scope, CP/CPS model, DVCP/OVCP/IVCP relationship to BRG, certificate policy and CPS obligations. Sources for Enforcement - ETSI EN 319 411-1: - [ETSI EN 319 411-1 V1.5.1 certificate policy and security requirements](https://www.etsi.org/deliver/etsi_en/319400_319499/31941101/01.05.01_60/en_31941101v010501p.pdf?ref=sorena.io) - Grounds the EN 319 411-1 scope, CP/CPS model, DVCP/OVCP/IVCP relationship to BRG, certificate policy and CPS obligations. Sources for Enforcement - CA/B Forum BRG dependency: - [ETSI EN 319 411-1 V1.5.1 certificate policy and security requirements](https://www.etsi.org/deliver/etsi_en/319400_319499/31941101/01.05.01_60/en_31941101v010501p.pdf?ref=sorena.io) - Grounds the EN 319 411-1 scope, CP/CPS model, DVCP/OVCP/IVCP relationship to BRG, certificate policy and CPS obligations. Sources for Enforcement - operational implication: - [ETSI EN 319 411-1 V1.5.1 certificate policy and security requirements](https://www.etsi.org/deliver/etsi_en/319400_319499/31941101/01.05.01_60/en_31941101v010501p.pdf?ref=sorena.io) - Grounds the EN 319 411-1 scope, CP/CPS model, DVCP/OVCP/IVCP relationship to BRG, certificate policy and CPS obligations. Sources for Overlap - ETSI EN 319 411-1: - [ETSI EN 319 411-1 V1.5.1 certificate policy and security requirements](https://www.etsi.org/deliver/etsi_en/319400_319499/31941101/01.05.01_60/en_31941101v010501p.pdf?ref=sorena.io) - Grounds the EN 319 411-1 scope, CP/CPS model, DVCP/OVCP/IVCP relationship to BRG, certificate policy and CPS obligations. Sources for Overlap - CA/B Forum BRG dependency: - [ETSI EN 319 411-1 V1.5.1 certificate policy and security requirements](https://www.etsi.org/deliver/etsi_en/319400_319499/31941101/01.05.01_60/en_31941101v010501p.pdf?ref=sorena.io) - Grounds the EN 319 411-1 scope, CP/CPS model, DVCP/OVCP/IVCP relationship to BRG, certificate policy and CPS obligations. Sources for Overlap - operational implication: - [ETSI EN 319 411-1 V1.5.1 certificate policy and security requirements](https://www.etsi.org/deliver/etsi_en/319400_319499/31941101/01.05.01_60/en_31941101v010501p.pdf?ref=sorena.io) - Grounds the EN 319 411-1 scope, CP/CPS model, DVCP/OVCP/IVCP relationship to BRG, certificate policy and CPS obligations. Sources for Decision rule - ETSI EN 319 411-1: - [ETSI EN 319 411-1 V1.5.1 certificate policy and security requirements](https://www.etsi.org/deliver/etsi_en/319400_319499/31941101/01.05.01_60/en_31941101v010501p.pdf?ref=sorena.io) - Grounds the EN 319 411-1 scope, CP/CPS model, DVCP/OVCP/IVCP relationship to BRG, certificate policy and CPS obligations. Sources for Decision rule - CA/B Forum BRG dependency: - [ETSI EN 319 411-1 V1.5.1 certificate policy and security requirements](https://www.etsi.org/deliver/etsi_en/319400_319499/31941101/01.05.01_60/en_31941101v010501p.pdf?ref=sorena.io) - Grounds the EN 319 411-1 scope, CP/CPS model, DVCP/OVCP/IVCP relationship to BRG, certificate policy and CPS obligations. Sources for Decision rule - operational implication: - [ETSI EN 319 411-1 V1.5.1 certificate policy and security requirements](https://www.etsi.org/deliver/etsi_en/319400_319499/31941101/01.05.01_60/en_31941101v010501p.pdf?ref=sorena.io) - Grounds the EN 319 411-1 scope, CP/CPS model, DVCP/OVCP/IVCP relationship to BRG, certificate policy and CPS obligations. ### How to use this comparison without overclaiming - Use EN 319 411-1 as the controlling source for ETSI CP/CPS structure, TSP service components, and ETSI policy-profile evidence. - Use BRG as a separate controlling source only after the current CA/Browser Forum text has been reviewed outside this ETSI-grounded artifact. - For DVCP, OVCP, and IVCP, preserve the bridge between ETSI policy OIDs, BRG references, revision checks, and conflict/stringency decisions. Sources for the practical decision rule: - [ETSI EN 319 411-1 V1.5.1 certificate policy and security requirements](https://www.etsi.org/deliver/etsi_en/319400_319499/31941101/01.05.01_60/en_31941101v010501p.pdf?ref=sorena.io) - Grounds the EN 319 411-1 scope, CP/CPS model, DVCP/OVCP/IVCP relationship to BRG, [WEB] requirement tagging, CPS disclosure, domain/IP validation references, revocation-status expectations, and conflict rule for BRG-referenced certificate policies. - Quote: "The present document includes provisions consistent with the requirements from the CA/Browser Forum in EVCG [4] and BRG [6]." - [ETSI EN 319 401 V3.1.1 general policy requirements for TSPs](https://www.etsi.org/deliver/etsi_en/319400_319499/319401/03.01.01_60/en_319401v030101p.pdf?ref=sorena.io) - Grounds the general TSP policy baseline that EN 319 411-1 applies through its CPS and trust-service requirements. - Quote: "General Policy Requirements for Trust Service Providers" ## What the comparison can and cannot prove The grounded comparison is intentionally narrow. EN 319 411-1 states that it covers TSPs issuing public key certificates, including trusted web site certificates, and that it includes provisions consistent with CA/Browser Forum EVCG and BRG. It also lists CA/Browser Forum Baseline Requirements as normative references. Because the available source support for this artifact contains ETSI text rather than the standalone BR document, this page does not restate independent BR controls. Treat every BR-only detail as a separate evidence item to verify against the current CA/Browser Forum source before making a public-trust or root-program claim. - Use EN 319 411-1 as the source for CP/CPS structure, service components, ETSI policy identifiers, [WEB] tags, and ETSI conformity evidence. - Use the BRG references inside EN 319 411-1 to find where DVCP, OVCP, IVCP, domain/IP validation, CPS publication, and conflict handling depend on CA/B Forum requirements. - Do not claim that an EN 319 411-1 evidence pack proves full BRG compliance unless the current BR text, effective dates, and root-store expectations have also been checked. Sources for this answer: - [ETSI EN 319 411-1 V1.5.1 certificate policy and security requirements](https://www.etsi.org/deliver/etsi_en/319400_319499/31941101/01.05.01_60/en_31941101v010501p.pdf?ref=sorena.io) - Grounds the EN 319 411-1 scope, CP/CPS model, DVCP/OVCP/IVCP relationship to BRG, [WEB] requirement tagging, CPS disclosure, domain/IP validation references, revocation-status expectations, and conflict rule for BRG-referenced certificate policies. ## Policy profiles: where EN 319 411-1 points to BRG EN 319 411-1 defines NCP, NCP+, and LCP as reference certificate policies, then defines EVCP, DVCP, OVCP, and IVCP for SSL/TLS certificates. For DVCP, OVCP, and IVCP, the standard describes policies built on LCP plus additional provisions suited to support the corresponding certificate issuance and management as specified in BRG. This is the practical hinge for the comparison. If a CA asserts ETSI DVCP, OVCP, or IVCP policy OIDs in TLS/SSL certificates, the ETSI source says those policies are tied to the corresponding CA/B Forum DV, OV, or IV policies; the CP/CPS must therefore make the bridge explicit rather than hiding it in a generic compliance statement. - List each certificate policy in scope: LCP, NCP, DVCP, OVCP, IVCP, or EVCP. - For DVCP, OVCP, and IVCP, record the BRG reference and the ETSI policy OID claim that makes BRG review necessary. - Keep ETSI-only certificates and publicly trusted TLS/SSL certificate policies in separate evidence rows, even when they share the same CA platform. Sources for this answer: - [ETSI EN 319 411-1 V1.5.1 certificate policy and security requirements](https://www.etsi.org/deliver/etsi_en/319400_319499/31941101/01.05.01_60/en_31941101v010501p.pdf?ref=sorena.io) - Grounds the EN 319 411-1 scope, CP/CPS model, DVCP/OVCP/IVCP relationship to BRG, [WEB] requirement tagging, CPS disclosure, domain/IP validation references, revocation-status expectations, and conflict rule for BRG-referenced certificate policies. ## CPS and publication duties to compare first EN 319 411-1 distinguishes the CP from the CPS: the CP says what quality, profile, applicability, and rules apply, while the CPS explains how the TSP implements those rules in its own organization, systems, facilities, and procedures. The standard also requires the TSP to publicly disclose its CPS online on a 24x7 basis, while allowing sensitive aspects to remain undisclosed. For OVCP, IVCP, and DVCP, EN 319 411-1 adds BRG-linked CPS requirements and requires the TSP to check for newer BRG revisions and ensure compliance as they become effective as specified by the CA/Browser Forum. That makes BRG monitoring a live control, not just a one-time mapping exercise. - Confirm that the CPS names the certificate profiles, signature algorithms, parameters, and implementation practices needed for each asserted policy. - Keep a public CPS URL, publication owner, and review evidence for EN 319 411-1 OVR-5.2 requirements. - For DVCP, OVCP, and IVCP, add a BRG revision-monitoring record and a decision trail for any changed requirement. Sources for this answer: - [ETSI EN 319 411-1 V1.5.1 certificate policy and security requirements](https://www.etsi.org/deliver/etsi_en/319400_319499/31941101/01.05.01_60/en_31941101v010501p.pdf?ref=sorena.io) - Grounds the EN 319 411-1 scope, CP/CPS model, DVCP/OVCP/IVCP relationship to BRG, [WEB] requirement tagging, CPS disclosure, domain/IP validation references, revocation-status expectations, and conflict rule for BRG-referenced certificate policies. ## Validation, repository, and status checks that frequently overlap EN 319 411-1 states that certificates issued under OVCP, DVCP, IVCP, or EVCP are publicly trusted certificates used to identify web servers accessed through TLS/SSL. It also tags selected [WEB] requirements and, for domain names and IP addresses, points verification methods to BRG clauses 3.2.2.4 through 3.2.2.9. The same ETSI source gives concrete dissemination and status-service duties that should stay visible in a crosswalk: terms and conditions must be available to relying parties, publicly trusted certificate information has to be publicly and internationally available, OCSP or CRL has to be supported, and revocation status information has to be publicly and internationally available. - Tie domain and IP address validation evidence to the EN 319 411-1 [WEB] requirement that refers to BRG methods. - Keep repository evidence for certificates, terms and conditions, CPS disclosure, cross-certified subordinate CA disclosure where applicable, and public availability claims. - Keep revocation evidence for OCSP or CRL support, consistency between methods when both are used, CPS documentation of delay interpretation, and public status availability. Sources for this answer: - [ETSI EN 319 411-1 V1.5.1 certificate policy and security requirements](https://www.etsi.org/deliver/etsi_en/319400_319499/31941101/01.05.01_60/en_31941101v010501p.pdf?ref=sorena.io) - Grounds the EN 319 411-1 scope, CP/CPS model, DVCP/OVCP/IVCP relationship to BRG, [WEB] requirement tagging, CPS disclosure, domain/IP validation references, revocation-status expectations, and conflict rule for BRG-referenced certificate policies. ## Conflict handling and change monitoring EN 319 411-1 directly addresses conflicts for OVCP, DVCP, and IVCP. Where the present document conflicts with the latest BRG version, BRG requirements take precedence unless EN 319 411-1 is more stringent. The standard also recognizes that BRG/EVCG may change after publication and asks conflicts with CA/Browser Forum SSL/TLS certificate policies to be brought to ETSI TC ESI and the CA/Browser Forum. A useful comparison therefore needs a change log, not only a static table. Record the ETSI version, the BRG version reviewed outside this JSON, the impacted policy profile, whether the issue is conflict or additional BRG detail, and which side is more stringent. - Track EN 319 411-1 version, BRG version, effective date reviewed, impacted CP/CPS section, and implementation owner. - When conflict is suspected, preserve the exact ETSI requirement, BRG requirement, stringency assessment, and escalation decision. - Review the bridge after BRG revisions, EN 319 411-1 revisions, new certificate profiles, root-program changes, or changes to validation and revocation operations. Sources for this answer: - [ETSI EN 319 411-1 V1.5.1 certificate policy and security requirements](https://www.etsi.org/deliver/etsi_en/319400_319499/31941101/01.05.01_60/en_31941101v010501p.pdf?ref=sorena.io) - Grounds the EN 319 411-1 scope, CP/CPS model, DVCP/OVCP/IVCP relationship to BRG, [WEB] requirement tagging, CPS disclosure, domain/IP validation references, revocation-status expectations, and conflict rule for BRG-referenced certificate policies. ## Evidence package for an audit-ready crosswalk Build the evidence package around the EN 319 411-1 service components: registration, certificate generation, dissemination, revocation management, revocation status, and optional subject device provision. Then add BRG-specific references only for the profiles and [WEB] controls where EN 319 411-1 points to BRG. The result should show what EN 319 411-1 itself requires, what BRG dependency was identified, what external BR review remains outside this grounded page, and which operational artifact proves the control in the current assessment period. - CP/CPS map: policy OID, certificate profile, service component, public CPS location, and confidential procedure reference where sensitive details are withheld. - BRG bridge: DVCP/OVCP/IVCP requirement, BRG clause referenced by EN 319 411-1, current BRG source checked separately, and conflict/stringency result. - Operational records: subscriber and subject validation evidence, domain/IP validation evidence, issuance logs, repository publication checks, OCSP/CRL status records, revocation processing evidence, and change approvals. - Gap register: BR-only claims not covered by local ETSI grounding, owner, source still needed, and date by which the current CA/B Forum text must be reviewed. Sources for this answer: - [ETSI EN 319 411-1 V1.5.1 certificate policy and security requirements](https://www.etsi.org/deliver/etsi_en/319400_319499/31941101/01.05.01_60/en_31941101v010501p.pdf?ref=sorena.io) - Grounds the EN 319 411-1 scope, CP/CPS model, DVCP/OVCP/IVCP relationship to BRG, [WEB] requirement tagging, CPS disclosure, domain/IP validation references, revocation-status expectations, and conflict rule for BRG-referenced certificate policies. - [ETSI EN 319 401 V3.1.1 general policy requirements for TSPs](https://www.etsi.org/deliver/etsi_en/319400_319499/319401/03.01.01_60/en_319401v030101p.pdf?ref=sorena.io) - Grounds the general TSP policy baseline that EN 319 411-1 applies through its CPS and trust-service requirements. *Recommended next step* *Placement: after practical guidance* ## Separate ETSI CP/CPS evidence from BRG-dependent WebPKI work Use the comparison to identify which TLS certificate-policy claims are grounded in EN 319 411-1 and which require a separate current CA/B Forum BR review. - [Open Assessment Autopilot for ETSI EN 319 411-1](/solutions/assessment.md): Turn EN 319 411-1 CP/CPS, registration, publication, and revocation evidence into assigned review tasks. - [Research BRG source gaps](/solutions/research-copilot.md): Resolve CA/B Forum Baseline Requirements questions before making public-trust or root-program claims. - [Talk through the crosswalk](/contact.md): Review policy profiles, BRG dependencies, evidence boundaries, and the next implementation actions with Sorena. ## Primary sources - [ETSI EN 319 411-1 V1.5.1 certificate policy and security requirements](https://www.etsi.org/deliver/etsi_en/319400_319499/31941101/01.05.01_60/en_31941101v010501p.pdf?ref=sorena.io) - Grounds the EN 319 411-1 scope, CP/CPS model, DVCP/OVCP/IVCP relationship to BRG, [WEB] requirement tagging, CPS disclosure, domain/IP validation references, revocation-status expectations, and conflict rule for BRG-referenced certificate policies. - Quote: "The present document includes provisions consistent with the requirements from the CA/Browser Forum in EVCG [4] and BRG [6]." - [ETSI EN 319 401 V3.1.1 general policy requirements for TSPs](https://www.etsi.org/deliver/etsi_en/319400_319499/319401/03.01.01_60/en_319401v030101p.pdf?ref=sorena.io) - Grounds the general TSP policy baseline that EN 319 411-1 applies through its CPS and trust-service requirements. - Quote: "General Policy Requirements for Trust Service Providers" ## Related Topic Guides - [CP vs CPS under ETSI EN 319 411-1](/artifacts/global/etsi-en-319-411-1/faq/cp-vs-cps.md): Understand how ETSI EN 319 411-1 separates Certificate Policy from Certification Practice Statement work for certification authorities and trust service providers. - [EN 319 411-1 vs EN 319 411-2 Certificate Policy](/artifacts/global/etsi-en-319-411-1/en-319-411-1-vs-en-319-411-2.md): Compare ETSI EN 319 411-1 general certificate-service requirements with EN 319 411-2 EU qualified certificate requirements, including policy scope, CP/CPS evidence, and audit boundaries. - [ETSI EN 319 411-1 Audit File Evidence](/artifacts/global/etsi-en-319-411-1/audit-file-evidence.md): Build an ETSI EN 319 411-1 audit evidence file for CA logging, registration records, revocation records, CA key lifecycle evidence, and records archival. - [ETSI EN 319 411-1 CA Key Management](/artifacts/global/etsi-en-319-411-1/ca-key-management.md): CA key management guidance for ETSI EN 319 411-1: CPS commitments, key ceremonies, secure cryptographic devices, backup, recovery, and lifecycle evidence. - [ETSI EN 319 411-1 certificate lifecycle workflow](/artifacts/global/etsi-en-319-411-1/certificate-lifecycle-workflow.md): Workflow for EN 319 411-1 certificate application, issuance, acceptance, renewal, re-key, modification, revocation, suspension, status services, and evidence records. - [ETSI EN 319 411-1 certificate re-key FAQ](/artifacts/global/etsi-en-319-411-1/faq/re-key.md): What ETSI EN 319 411-1 requires when a TSP re-keys an existing certificate with a new subject public key. - [ETSI EN 319 411-1 Certificate Suspension FAQ](/artifacts/global/etsi-en-319-411-1/faq/suspension.md): How CAs should handle certificate suspension under ETSI EN 319 411-1: CPS disclosure, validated requests, status publication, subscriber notice, and audit evidence. - [ETSI EN 319 411-1 Certification Audit Evidence FAQ](/artifacts/global/etsi-en-319-411-1/faq/certification-audit-evidence.md): How CAs should prepare ETSI EN 319 411-1 audit evidence for CP/CPS scope, registration records, revocation records, CA key logs, and retained assessment files. - [ETSI EN 319 411-1 Compliance Guide](/artifacts/global/etsi-en-319-411-1/compliance.md): Build an ETSI EN 319 411-1 compliance file for certificate policies, CPS commitments, certificate lifecycle controls, revocation services, CA keys, and audit evidence. - [ETSI EN 319 411-1 CP and CPS template](/artifacts/global/etsi-en-319-411-1/cp-and-cps-template.md): Build a certificate policy and Certification Practice Statement template for ETSI EN 319 411-1 certificate services, with fields for policy identifiers, subscribers, relying parties, revocation, publication, and evidence. - [ETSI EN 319 411-1 FAQ for Certificate Services](/artifacts/global/etsi-en-319-411-1/faq.md): Answers to common ETSI EN 319 411-1 questions on certificate policies, CPS content, CA and RA boundaries, subscriber evidence, revocation, status services, and record retention. - [ETSI EN 319 411-1 Identity Validation](/artifacts/global/etsi-en-319-411-1/identity-validation.md): Identity validation requirements in ETSI EN 319 411-1 for subscribers, subjects, RAs, certificate requests, registration evidence, and issuance records. - [ETSI EN 319 411-1 Identity Validation Evidence Workflow](/artifacts/global/etsi-en-319-411-1/identity-validation-evidence-workflow.md): A workflow for building ETSI EN 319 411-1 identity validation evidence packs across subscriber, subject, certificate request, RA, logging, and retention controls. - [ETSI EN 319 411-1 RA Delegation Guide](/artifacts/global/etsi-en-319-411-1/ra-delegation.md): How to scope registration authority delegation under ETSI EN 319 411-1, including delegated RA tasks, external provider controls, registration records, and audit evidence. - [ETSI EN 319 411-1 RA Delegation Review Workflow](/artifacts/global/etsi-en-319-411-1/ra-delegation-review-workflow.md): Review delegated registration authority work under ETSI EN 319 411-1: retained CA responsibility, recognized registration service providers, secure data exchange, CPS coverage, and audit evidence. - [ETSI EN 319 411-1 requirements map for certificate services](/artifacts/global/etsi-en-319-411-1/requirements.md): Map ETSI EN 319 411-1 requirements for certificate policies, CP/CPS content, registration, revocation, certificate status, and CA key-management evidence. - [ETSI EN 319 411-1 Revocation Evidence Workflow](/artifacts/global/etsi-en-319-411-1/revocation-evidence-workflow.md): Build a revocation evidence workflow for ETSI EN 319 411-1 covering CPS procedures, request authentication, 24-hour status updates, CRL/OCSP publication, logs, and retention. - [ETSI EN 319 411-1 Revocation, OCSP, and CRL Operations](/artifacts/global/etsi-en-319-411-1/revocation-ocsp-and-crl-operations.md): Operate ETSI EN 319 411-1 revocation status services with CPS procedures, authenticated requests, 24-hour CRL or OCSP publication controls, and audit evidence. - [How should certificate authorities handle revocation evidence under ETSI EN 319 411-1?](/artifacts/global/etsi-en-319-411-1/faq/revocation-evidence.md): What ETSI EN 319 411-1 expects CAs to evidence for certificate revocation requests, status publication, CRL or OCSP updates, and archived revocation records. - [RA delegation under ETSI EN 319 411-1](/artifacts/global/etsi-en-319-411-1/faq/ra-delegation.md): How certificate authorities can delegate registration authority work under ETSI EN 319 411-1 while keeping identity validation, secure data exchange, role controls, and audit evidence traceable. - [Subscriber agreements under ETSI EN 319 411-1](/artifacts/global/etsi-en-319-411-1/faq/subscriber-agreements.md): How ETSI EN 319 411-1 expects CAs and TSPs to inform subscribers, record acceptance, handle subject consent, and retain subscriber-agreement evidence. - [Subscriber identity validation under ETSI EN 319 411-1](/artifacts/global/etsi-en-319-411-1/faq/subscriber-identity-validation.md): How certificate authorities should validate subscriber and subject identity under ETSI EN 319 411-1, including evidence, authorization, subject categories, and registration records. --- [Privacy Policy](https://www.sorena.io/privacy) | [Terms of Use](https://www.sorena.io/terms-of-use) | [DMCA](https://www.sorena.io/dmca) | [About Us](https://www.sorena.io/about-us) (c) 2026 Sorena AB (559573-7338). All rights reserved. Source: https://www.sorena.io/artifacts/global/etsi-en-319-411-1/en-319-411-1-vs-ca-browser-forum-baseline-requirements