Index of documents supporting the Grant of Approval to BT’s Assure PKI Service.

  1. What the tScheme Approved Service Mark signifies.
  2. Approved Service - Service Description
  3. Approval Profiles used in the assessment:
    Base Approval Profile tSd0111 3.00
    Approval Profile for Registration Services tSd0042 3.02
    Approval Profile for a Certification Authority tSd0102 3.01
    Approval Profile for Signing Key Pair Management tSd0103 3.02
    Approval Profile for Certificate Generation tSd0104 3.01
    Approval Profile for Certificate Dissemination tSd0105 3.01
    Approval Profile for Certificate Status Management tSd0106 3.01
    Approval Profile for Certificate Status Validation tSd0107 3.01

What the tScheme Approved Service Mark signifies

When a trust service carries the tScheme Mark, you can be secure in the knowledge that:

For each service, tScheme approval is regularly reviewed and may be withdrawn.

This Grant of Approval does not affirm or endorse any claims of conformance to standards or adherence to guidelines not explicitly listed as forming part of the service assessment.


Approved Service - Service Description

The subject service of this Grant of Approval is the Managed Public Key Infrastructure (PKI) Security service from British Telecommunications Plc.

BT Managed Public Key Infrastructure (PKI) Security is a managed service that provides the technology and processes required to issue digital certificates. The service is suitable for any organisation that needs to issue certificates. Certificates can be issued either under the Symantec Trust Network (STN) public hierarchy and the STN CPS, or under the Customer’s own self-signed root and the non-STN CPS.

Within Managed PKI Security, the Registration Authority (RA) and Certification Authority (CA) functions are separated. The customer organisation performs the RA function and BT performs the CA function.

This arrangement allows the customer RA function to apply validation criteria that are based on its local business knowledge and approve or reject certificate requests using its own business rules. It also allows the organisation to delegate the complex and difficult CA management function to a specialist organisation that has the infrastructure and practices required to protect and manage sensitive CA Keys and PKI records. Specific CA functions managed by BT are:

BT uses its own RA to validate requests for the service, confirming that the applicant company is registered and that the Managed PKI Security Administrator has the organisational authority required to operate the RA and enter into the Managed PKI Security contract on the applicant company’s behalf.

Following acceptance of the request, a new CA Certificate is issued and the CA signing keys are installed at the secure CA facility operated by BT.

The service is built using Symantec technology and utilises industry standard protocols to protect order information and to deliver certificates. Employees, or customers, of the subscribing organisation apply for end user certificates from a local web site using their browser. Requests are validated by the local RA, digitally signed and encrypted, and then sent to the CA, where certificates are constructed and signed using the organisation’s CA Digital Certificate.

BT provides the Managed PKI Security customer with certificate status data, either in the form of a Certificate Revocation List or through the use of the Online Certificate Status Protocol (OCSP), to validate certificates within their application(s). (Note: OCSP is not available to Managed PKI Security FastTrack customers.) BT also provides status information to relying parties.

For further information, please see the Service Policy Disclosure Statement. This can be found by clicking on the Service Policy Disclosure Statement link in the How We Can Help section at:


The tScheme Code of Conduct

Participants in the electronic trust services industry strive: