The established standards of electronic signatures support two basic requirements: establishing the identity of the signer while binding it with the signer’s cryptographic material and helping to ensure that the object signed cannot be changed without detection.
However, there is a third aspect of electronic signatures that is addressed by standards—establishing trust in the credential, and in turn the signature itself. How you go about establishing that the owner of a digital certificate and the creator of a signature is who he or she says they are is not an easy task. Much like the paper world, a structure needs to be set up to define how to establish that trust and at what level, for various workflows and relationships.
Organizations can, and have, created bilateral and multilateral trust relationships wherein each other’s electronic signatures and certificates will be trusted. Yet this does not provide a framework for broader, general use of electronik signatures by disparate populations of users.
Recently, the EC has also been taking a closer look at trust interoperability and cross-border use of signatures.
Authentication service providers issuing qualified certificates to the public must be supervised by the Member State which they are established and may be accredited voluntarily accredited in any Member State. Until now, Member States have managed the list of these authentication providers in different ways and have not harmonized with regards to the information provided. In contex of eIDAS, EU member states are expected to agree on a national template of " Trusted List of supervised/accredited Certification Service Providers", by which information will be provided by each Member State regarding the supervision or accreditation status of these CSPs, and their compliance with the relevant provisions of EIDAS .
This common template is compliant with an implementation based on the Trust-service Status List (TSL) specifications from ETSI TS 119 612 V2.1.1. In order to facilitate the practical usability of the national Trusted Lists, the EC established to create, publish and maintain, on a protected website, a Compiled List of pointers towards Member States’ Trusted Lists. Any application that wishes to verify the supervision/accreditation status of those Authentication service providers when validating electronic signatures (for example, a QES or an AdES based upon qualified certificates), can consult the Commission website and List of Trusted Lists (LOTL).
Trusted List
Each Member State shall establish, maintain and publish in accordance with the technical specification a ‘trusted list’ containing the minimum information related to the certification service providers issuing qualified certificates to the public who are supervised/accredited by them.
Purpose of the Trusted List
EIDAS provides the qualified electronic signature with a specific legal value. However, in the absence of a trusted list the relying party cannot know if a signature is really qualified without investing unreasonable auditing resources. Under those circumstances, a relying party could well argue that it would not be required to recognise a qualified electronic signature.
A Trusted List would eliminate this risk. Certificate providers issuing qualified certificates listed on the Trusted List are by definition supervised, thus their qualified certificates are trustworthy, and thus the legal value of their signatures can no longer be reasonably contested by any relying party.
The elimination of this risk is the goal, effect and legal value of the Trusted Lists.
Forms of the Trusted List
Member States have to establish and publish their Trusted List in a “human readable” form and also a "machine processable" form which would allow automated information retrieval.
Trusted List in business
Trusted List can also be used in Business to Business (B2B) and Business to Consumers (B2C) transactions.