ETSI EN 319 411-2 How should qualified trust service providers handle legal and natural persons under ETSI EN 319 411-2

Start with the certificate policy. ETSI EN 319 411-2 names QCP-n for EU qualified certificates issued to natural persons and QCP-l for EU qualified certificates issued to legal persons. If the private key and related certificate reside on a QSCD, use the matching QSCD policy route: QCP-n-qscd for a natural person and QCP-l-qscd for a legal person.

That distinction also changes the intended certificate use. QCP-n supports advanced electronic signatures based on a qualified certificate, while QCP-l supports advanced electronic seals based on a qualified certificate. The QSCD variants support qualified electronic signatures for natural persons and qualified electronic seals for legal persons.

For a natural-person certificate, keep evidence that the person's identity and any specific attributes were verified either by physical presence or by a method for which the TSP can prove equivalent assurance. EN 319 411-1 adds the practical evidence categories: full name, date and place of birth or another distinguishing identity attribute, and records needed to verify the subject identity and any attribute limitations.

For a legal-person certificate, keep evidence that the legal person's identity and attributes were verified through an authorized representative or an equivalent-assurance method. EN 319 411-1 expects evidence such as the organizational name, relevant registration information where applicable, representation authority, and any association between the legal person and an organizational unit shown in the certificate.

Use the checklist to prevent the common failure mode: issuing or describing a qualified certificate without proving whether the subject route, policy identifier, identity-proofing evidence, and subscriber authority match the actual natural-person, legal-person, or website-authentication scenario.