- Supports the base NCP, NCP+, EVCP, OVCP, IVCP, and WEB policy families that EN 319 411-2 incorporates for qualified certificate services.
Choose the EN 319 411-2 policy profile that matches the certificate subject, intended use, QSCD claim, and website-authentication route.
Use this as standards implementation guidance for certificate-policy scoping and evidence planning, not for legal interpretation.
ETSI EN 319 411-2 defines EU qualified certificate policy profiles for trust service providers issuing qualified certificates. This workflow helps certificate-policy owners decide which profile to use before they draft the CP/CPS, encode policy identifiers, claim QSCD support, or prepare assessor evidence.
The first selection question is not whether the service is generally secure. It is what the qualified certificate is meant to support: a natural person's electronic signature, a legal person's electronic seal, or website authentication.
EN 319 411-2 builds these qualified profiles on EN 319 411-1 policy families such as NCP, NCP+, EVCP, OVCP, IVCP, and web-authentication requirements, then adds eIDAS-qualified certificate requirements. That means the chosen profile determines both the base controls and the qualified-certificate additions.
For signature and seal certificates, the selector turns on two facts: the subject type and whether the policy requires the private key related to the certified public key to reside in a Qualified Signature Creation Device or Qualified Seal Creation Device.
The non-QSCD profiles still need an explicit policy decision. EN 319 411-2 says QCP-n and QCP-l include NCP requirements and qualified-certificate additions; if the terms and conditions require a secure cryptographic device, NCP+ requirements apply. The QSCD profiles go further and require the QSCD-specific policy path.
Website-authentication certificates follow a separate branch. EN 319 411-2 defines three qualified website-authentication policy profiles, and the correct route depends on whether the certificate is based on EVCP, on NCP plus OVCP or IVCP, or on the general-purpose QNCP-w-gen route.
This branch should be decided before certificate templates and public disclosures are finalized because QEVCP-w and QNCP-w also depend on external CA/Browser Forum requirement families. EN 319 411-2 states that, for QEVCP-w and QNCP-w, the latest EVCG or BRG requirements take precedence if they conflict with EN 319 411-2 requirements.
After the profile is selected, the evidence pack should prove that the certificate and the CP/CPS follow the selected EN 319 411-2 route. The profile decision should appear in the certificate policy name and identification, the certificate's policy identifier strategy, the CP/CPS control mapping, and the disclosure statement.
EN 319 411-2 requires qualified certificates to include at least one applicable policy identifier choice, and it restricts the QSCD qcStatement to the QSCD profiles. If the certificate uses only a TSP-allocated OID, the referenced certificate policy must clearly identify which EN 319 411-2 policy it adopts as the basis.
Use the selected qualified certificate profile to drive CP/CPS updates, certificate template checks, OID mapping, QSCD evidence, and disclosure review.
Convert the selected profile into CP/CPS tasks, certificate-template checks, and evidence requests.
Resolve profile, QSCD, policy identifier, and website-authentication questions against cited source material.
Use this worksheet as a pre-audit handoff. It is written as operational rows so it can be copied into a CP/CPS review ticket without losing the selection logic.
Step 1: Identify the certificate use. Choose signature, seal, or website authentication; name the subject type as natural person, legal person, or website-authentication subject.
Step 2: Decide the device claim. For signature or seal certificates, record whether the policy requires a QSCD and whether the TSP or another qualified TSP manages relevant key material.
Step 3: Select the profile. Map the facts to QCP-n, QCP-l, QCP-n-qscd, QCP-l-qscd, QEVCP-w, QNCP-w, or QNCP-w-gen.
Step 4: Bind identifiers and disclosures. Confirm policy identifiers, TSP-allocated OIDs, CP/CPS statements, terms and conditions, and the PKI disclosure statement are consistent with the selected profile.
Step 5: Run a negative check. Confirm no website-authentication profile is being used for a signature or seal certificate, no QSCD qcStatement appears outside a QSCD profile, and no qualified claim relies only on EN 319 411-1.
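The worksheet steps above, carried through as an added Python example (not code from the original page or from ETSI). The Record fields, the website route keys and the finding strings are assumptions chosen for illustration, and the mapping covers only the routes this page names.

```python
from dataclasses import dataclass

SIG_SEAL = {  # (use, subject type, QSCD required) -> profile, per Steps 1-3
    ("signature", "natural person", False): "QCP-n",
    ("signature", "natural person", True): "QCP-n-qscd",
    ("seal", "legal person", False): "QCP-l",
    ("seal", "legal person", True): "QCP-l-qscd",
}
# Website routes; the key names are assumptions, the profiles come from the page.
WEB = {"EVCP": "QEVCP-w", "NCP+OVCP": "QNCP-w",
       "NCP+IVCP": "QNCP-w", "general": "QNCP-w-gen"}

@dataclass
class Record:  # hypothetical worksheet row
    use: str                    # "signature", "seal" or "website"
    subject: str = ""           # "natural person" or "legal person"
    qscd_required: bool = False
    web_route: str = ""         # key of WEB, website certificates only
    declared_profile: str = ""  # profile named in the CP/CPS
    has_qscd_qcstatement: bool = False
    cp_basis: tuple = ()        # standards the CP/CPS names as its basis

def select_profile(r: Record) -> str:
    """Steps 1-3: map use, subject type and device claim to a profile."""
    if r.use == "website":
        if r.web_route not in WEB:
            raise ValueError(f"unknown website route: {r.web_route!r}")
        return WEB[r.web_route]
    key = (r.use, r.subject, r.qscd_required)
    if key not in SIG_SEAL:
        raise ValueError(f"no profile for {key}")
    return SIG_SEAL[key]

def negative_check(r: Record) -> list:
    """Steps 4-5: list where the declared artefacts contradict the facts."""
    expected, findings = select_profile(r), []
    if r.declared_profile != expected:
        findings.append(f"CP/CPS declares {r.declared_profile}, facts select {expected}")
    if r.use != "website" and r.declared_profile in WEB.values():
        findings.append("website-authentication profile on a signature or seal certificate")
    if r.has_qscd_qcstatement and not r.declared_profile.endswith("-qscd"):
        findings.append("QSCD qcStatement outside a QSCD profile")
    if "EN 319 411-2" not in r.cp_basis:
        findings.append("qualified claim names no EN 319 411-2 policy as its basis")
    return findings

if __name__ == "__main__":  # constructed record with deliberate mismatches
    bad = Record("seal", "legal person", False, "", "QNCP-w", True, ("EN 319 411-1",))
    print("\n".join(negative_check(bad)))
```

An empty list from `negative_check` means the row passes the Step 5 gate; any finding is a traceability gap to resolve before the CP/CPS and certificate template are released.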
Most profile-selector failures are traceability failures. The certificate may look technically valid while the CP/CPS, policy OID, qcStatement, or website-authentication route points to a different EN 319 411-2 policy than the one the team intended.
Treat the profile decision as a release gate for qualified certificate services. A profile mismatch can affect assessor evidence, relying-party interpretation, trusted-list validation, and the legal framing of a qualified-certificate claim.