---
title: "Subscriber agreements under ETSI EN 319 411-1"
canonical_url: "https://www.sorena.io/artifacts/global/etsi-en-319-411-1/faq/subscriber-agreements"
source_url: "https://www.sorena.io/artifacts/global/etsi-en-319-411-1/faq/subscriber-agreements"
author: "Sorena AI"
description: "How ETSI EN 319 411-1 expects CAs and TSPs to inform subscribers, record acceptance, handle subject consent, and retain subscriber-agreement evidence."
published_at: "2026-05-09"
updated_at: "2026-05-09"
keywords:
  - "ETSI EN 319 411-1"
  - "subscriber agreement"
  - "certificate acceptance"
  - "terms and conditions"
  - "trust service provider"
  - "Subscriber agreements"
  - "TSP evidence"
---

# Subscriber agreements under ETSI EN 319 411-1

How ETSI EN 319 411-1 expects CAs and TSPs to inform subscribers, record acceptance, handle subject consent, and retain subscriber-agreement evidence.

## ETSI EN 319 411-1 Subscriber agreements

A focused answer on what certificate authorities and trust service providers need to put in place before a certificate subscriber accepts terms.

Grounded in ETSI EN 319 411-1 and ETSI EN 319 401 source material. Use it as implementation guidance, not for legal interpretation.

Under ETSI EN 319 411-1, subscriber agreements are not just commercial paperwork. Before the subscriber enters the relationship, the TSP must communicate the certificate terms and conditions in a durable, human-readable way, record the agreement, and keep evidence that the subscriber accepted those terms by a traceable, wilful act.

## What does ETSI EN 319 411-1 require before a subscriber agreement?

The CA or TSP should start with the terms and conditions that explain certificate use, acceptance, obligations, and limitations. ETSI EN 319 411-1 clause 6.3.4 requires the subscriber to be informed of those terms before the contractual relationship is formed.

The agreement process also needs to be usable as evidence later. The terms must be communicated through a durable means, in human-readable form, before the agreement. Electronic transmission is allowed, but the record must still show what version was presented and how acceptance occurred.

- Identify the certificate policy, CPS, terms and conditions, and any PKI disclosure statement that govern the subscriber relationship.
- Present the applicable terms before the subscriber enters the contractual relationship or accepts the certificate.
- Use a durable communication method that preserves the terms with integrity over time and is readable by the subscriber.
- Define what constitutes certificate acceptance in the terms and conditions, rather than leaving acceptance implied by operational workflow.

Sources for this answer:

- [ETSI EN 319 411-1 V1.5.1 certificate policy and security requirements](https://www.etsi.org/deliver/etsi_en/319400_319499/31941101/01.05.01_60/en_31941101v010501p.pdf?ref=sorena.io) - Clause 6.3.4 supports the pre-contract notice, durable communication, certificate-acceptance, and recorded-agreement requirements summarized here.
- [ETSI EN 319 401 V3.1.1 general policy requirements for TSPs](https://www.etsi.org/deliver/etsi_en/319400_319499/319401/03.01.01_60/en_319401v030101p.pdf?ref=sorena.io) - Clause 6.2 supports the general TSP requirement to inform subscribers and relying parties of precise terms before a contractual relationship.

## How should the agreement handle subscribers and subjects?

ETSI EN 319 411-1 distinguishes the subscriber from the certificate subject. If the subscriber and subject are separate entities and the subject is a natural or legal person, the agreement is expected to be in two parts: one ratified by the subscriber and one ratified by the subject.

That distinction matters for enterprise and delegated-certificate scenarios. The subscriber part should capture subscriber obligations, any secure-device requirement, consent to registration and revocation records, publication choices, and confirmation that certificate information is correct. The subject part should capture the subject obligations, secure-device acceptance where relevant, and consent to the records kept by the TSP.

- Use a two-part agreement when the subscriber and subject are separate and the subject is a natural or legal person.
- Use a traceable action such as signing or checking an acceptance box for each required ratification.
- When the subscriber and subject are the same entity, or the subject is a device, include the subscriber and subject items in one or two agreement parts.
- Allow staged acceptance only where the record still shows each accepted element, such as later confirmation that certificate information is correct.

Sources for this answer:

- [ETSI EN 319 411-1 V1.5.1 certificate policy and security requirements](https://www.etsi.org/deliver/etsi_en/319400_319499/31941101/01.05.01_60/en_31941101v010501p.pdf?ref=sorena.io) - Requirements REG-6.3.4-09 through REG-6.3.4-13 support the split-agreement approach for separate subscribers and subjects.

## What evidence should a CA retain for subscriber agreements?

The evidence should prove the exact agreement, the terms accepted, the person or entity accepting, and the specific choices made during registration. ETSI EN 319 411-1 requires the agreement with the subscriber to be recorded, and, where the subscriber and subject are separate, the subject agreement to be recorded as well.

Records should also connect the agreement to the registration file. Among the registration information to be recorded, ETSI EN 319 411-1 lists the storage location of applications and identification documents, including the subscriber agreement, as well as specific choices made in the agreement, such as consent to certificate publication.

- Retain the signed or electronically accepted subscriber agreement and the version of terms and conditions presented at acceptance.
- Keep evidence of the wilful act used for acceptance, such as signature data, acceptance timestamp, account identity, or equivalent trace record.
- Record publication consent, secure-cryptographic-device acceptance, certificate-information confirmation, and any other agreement choices that affect issuance or relying-party information.
- Retain the agreement records for the period indicated to the subscriber as part of the terms and conditions.

Sources for this answer:

- [ETSI EN 319 411-1 V1.5.1 certificate policy and security requirements](https://www.etsi.org/deliver/etsi_en/319400_319499/31941101/01.05.01_60/en_31941101v010501p.pdf?ref=sorena.io) - Requirements REG-6.3.4-07, REG-6.3.4-08, and REG-6.3.4-17 support recorded acceptance and retention of subscriber-agreement records.
- [ETSI EN 319 411-1 V1.5.1 registration records requirements](https://www.etsi.org/deliver/etsi_en/319400_319499/31941101/01.05.01_60/en_31941101v010501p.pdf?ref=sorena.io) - Requirement REG-6.4.5-04 supports recording the storage location of applications and identification documents, including the subscriber agreement.
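The evidence points above can be turned into an automated completeness check on each stored acceptance record. The sketch below is an added example, not code from ETSI or Sorena. The record layout, field names and sample values are assumptions, and it simplifies the device and same-entity cases to a single subscriber ratification.

```python
import hashlib
from datetime import datetime

TRACEABLE_ACTS = {"signature", "checkbox"}  # acts the page names as traceable
REQUIRED_CHOICES = ("publication_consent", "info_confirmed")  # assumed field names

def terms_digest(terms_text):
    """SHA-256 of the exact terms text shown, to prove the version later."""
    return hashlib.sha256(terms_text.encode("utf-8")).hexdigest()

def required_roles(subscriber_is_subject, subject_kind):
    """Two ratifications only for a separate natural- or legal-person subject."""
    separate = not subscriber_is_subject and subject_kind in ("natural_person", "legal_person")
    return ["subscriber", "subject"] if separate else ["subscriber"]

def evidence_gaps(record, archived_terms):
    """Return the list of evidence gaps; an empty list means nothing is missing."""
    gaps = []
    if record.get("terms_sha256") != terms_digest(archived_terms):
        gaps.append("terms digest does not match archived version")
    parts = {p["role"]: p for p in record.get("parts", [])}
    for role in required_roles(record["subscriber_is_subject"], record["subject_kind"]):
        part = parts.get(role)
        if part is None:
            gaps.append(f"{role}: no ratification recorded")
            continue
        if part.get("act") not in TRACEABLE_ACTS or not part.get("account_id"):
            gaps.append(f"{role}: no traceable act tied to an account")
        shown, accepted = part.get("presented_at"), part.get("accepted_at")
        if not shown or not accepted:
            gaps.append(f"{role}: missing timestamp")
        elif datetime.fromisoformat(shown) > datetime.fromisoformat(accepted):
            gaps.append(f"{role}: accepted before terms were presented")
    for choice in REQUIRED_CHOICES:
        if record.get("choices", {}).get(choice) is None:  # False is a recorded choice
            gaps.append(f"choice not recorded: {choice}")
    if not record.get("retention_until"):
        gaps.append("no retention date recorded")
    return gaps

# Constructed sample: enterprise subscriber, separate natural-person subject.
SAMPLE_TERMS = "Constructed sample terms and conditions, version 2.3"
SAMPLE_RECORD = {
    "terms_sha256": terms_digest(SAMPLE_TERMS), "retention_until": "2033-01-10",
    "subscriber_is_subject": False, "subject_kind": "natural_person",
    "parts": [{"role": "subscriber", "act": "checkbox", "account_id": "acct-001",
               "presented_at": "2026-01-10T09:00:00+00:00",
               "accepted_at": "2026-01-10T09:04:00+00:00"}],
    "choices": {"publication_consent": False, "info_confirmed": None},
}
```

Calling `evidence_gaps(SAMPLE_RECORD, SAMPLE_TERMS)` reports the missing subject ratification and the outstanding certificate-information confirmation, while the declined publication consent counts as a recorded choice.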

## Primary sources

- [ETSI EN 319 411-1 V1.5.1 certificate policy and security requirements](https://www.etsi.org/deliver/etsi_en/319400_319499/31941101/01.05.01_60/en_31941101v010501p.pdf?ref=sorena.io) - Primary source for certificate acceptance, subscriber and subject agreement structure, traceable acceptance, electronic agreement form, and retention requirements.
  - Quote: "The agreement may be in electronic form"
- [ETSI EN 319 401 V3.1.1 general policy requirements for TSPs](https://www.etsi.org/deliver/etsi_en/319400_319499/319401/03.01.01_60/en_319401v030101p.pdf?ref=sorena.io) - Supports the general policy baseline requiring subscribers and relying parties to receive precise terms and conditions before contracting.
  - Quote: "Terms and conditions shall be made available through a durable means"

