tScheme Website, BT - Managed Secure Messaging

Index of documents supporting the Grant of Approval to BT Global Banking and Financial Markets’ Radianz Messaging Service.

What the tScheme Approved Service Mark signifies.

Approved Service - Service Description

Approval Profiles used in the assessment:

Base Approval Profile	tSd0111	3.00

Approval Profile for Registration Services	tSd0042	3.02

Approval Profile for a Certification Authority	tSd0102	3.01

Approval Profile for Signing Key Pair Management	tSd0103	3.02

Approval Profile for Certificate Generation	tSd0104	3.01

Approval Profile for Certificate Dissemination	tSd0105	3.01

Approval Profile for Certificate Status Management	tSd0106	3.01

Approval Profile for Certificate Status Validation	tSd0107	3.01

Back to Grant details

What the tScheme Approved Service Mark signifies

When a trust service carries the tScheme Mark, you can be secure in the knowledge that:

the service has been thoroughly evaluated against rigorous criteria by independent experts;
the service provider has agreed to keep to these criteria;
the service provider subscribes to the tScheme Code of Conduct;
the service provider has agreed to act promptly and fairly to remedy faults.

For each service, tScheme approval is regularly reviewed and may be withdrawn.

This Grant of Approval does not affirm or endorse any claims of conformance to standards or adherence to guidelines not explicitly listed as forming part of the service assessment.

top

Approved Service - Service Description

The subject service of this Grant of Approval is the Radianz Messaging Service from BT Global Banking and Financial Markets.

BT owns and operates a fully managed secure messaging infrastructure through which services are delivered to customers in the Financial Services Community.

The security of the infrastructure and services is based upon an underlying PKI, for which BT operates as the Certificate Authority (CA) providing two types of Certificates, Qualified Signing Certificates conforming to the requirements of [EC Directive 1999/93/EC on a Community framework for electronic signatures] and Encryption Certificates. The PKI architecture includes an online Certificate Issuing CA and an off-line Root CA, both of which are in scope of the tScheme certification.

The PKI services include:

Certificate Authority (CA) Service: - this covers the overall provision and life-cycle management of Certificates;
Registration Authority (RA) Service: � Subscribers must be ‘registered’ to use the PKI. The RA service manages the registration and validation of Subscribers and validates Certificate requests received from registered Subscribers;
Certificate Generation: � on receipt of a validated certificate request the Certificate Generation service creates Certificates for delivery to the requester;
Certificate Dissemination: � this service provides for the secure distribution of Certificates to the requester;
Certificate Status Management: � once a Certificate becomes effective it is considered to be valid until its expiration date. Exceptionally a Certificate may become invalid prior to expiration;
Certificate Status Validation: � for Certificate status to be determined Certificate revocation information must be made available;
Signing Key Pair Management: � this is the provision of signing keys for use by Subscribers;
Encryption Key Pair Management: � provision of encryption keys for customers and also BT for use within the infrastructure (e.g. firewalls);
Non-Repudiation Service: � see Non-Repudiation Policy.

The PKI Service is utilised as part of the Secure Network Solution which is delivered to community members. The RA and CA Certificate Subscription and Issuance models are defined within the Registration Guide.

A Certificate Policy and a Certification Practice Statement are produced which govern how the PKI services are managed. These are published at https://www.radianzmessaging.bt.com/BTMSM/RMDocuments.aspx.

The Qualified Certificates are used for:

Digital Signature: - a cryptographic mechanism to simulate a signature in digital, rather than written, form;
Non-repudiation: - Non-repudiation is the concept of ensuring that a contract/instruction cannot later be denied by either of the parties involved;
Certificate Signing: - when the subject public key is used for verifying a signature on public key certificates;
CRL Signing: - when the subject public key is used for verifying a signature on a Certificate Revocation List (CRL).

The Encryption Certificates are used for:

Key_Encryption: - preventing unauthorised disclosure of private keys or session keys;
Data Encryption: - preventing unauthorised disclosure of message content.

The PKI delivers electronic trust services to its member Community. The end-entities within that Community are represented by Gateways (computer-based applications) fitted with hardware cryptographic devices to facilitate the security-enforcing features of the PKI.

BT management systems also use Certificates issued by the CA.

BT has a dedicated support team which provides 24x7 cover for the infrastructure and the services provided across that infrastructure, including the electronic trust services. The support operation is accessible through a single point of contact.

(Issue 1.9, Feb 2016)

top

The tScheme Code of Conduct

Participants in the electronic trust services industry strive:

to act in an honest, fair, reasonable and trustworthy manner;

not to bring electronic trust services into disrepute;

to provide clear information about what each electronic trust service provides, including limitations and exclusions, to those who rely on that service;

to meet service commitments and obligations;

to be proactive in identifying and correcting faults and deficiencies in electronic trust services;

to operate in accordance with appropriate standards;

to act promptly in resolving complaints relating to electronic trust services.

top

Sub Headings

European Directive

Accessibility