Swiss Trusted List of trust service providers and their services


Scope and context of the Swiss Trusted List

Trusted lists are essential elements in building trust among electronic market operators by allowing users to determine the qualified status and the status history of trust service providers and their services.
The Swiss Trusted List allows users of certification services and interested parties to determine the qualified status and the status history of trust service providers and their services.
The Swiss Trusted List includes information related to the qualified trust service providers (TSPs) which are recognised and supervised in Switzerland, together with information related to the qualified trust services provided by them, in accordance with the relevant provisions laid down in the Federal Act of 18 March 2016 on Electronic Signatures (SR 943.03).
The Swiss Trusted List includes only recognised TSPs and only their services that meet the requirements (see section Rules for assessment of the listed services below).
The Swiss Accreditation Service (SAS) is responsible for publishing the Swiss Trusted List.
The Swiss Trusted List is available in a machine-readable format (XML) via the following link https://trustedlist.tsl-switzerland.ch/tsl-ch.xml. A human-readable list (PDF file) of recognised TSPs is available on the webpage https://www.sas.admin.ch/sas/en/home/akkreditiertestellen/akkrstellensuchesas/pki1.html.

Description and information about the national recognition and supervision scheme

In order to issue regulated and qualified certificates within the meaning of the Federal Act of 18 March 2016 on Electronic Signatures (SR 943.03), trust service providers must first be recognised in accordance with the conditions laid down in the act, ordinance and technical and administrative regulations on electronic signatures (see section Rules for assessment of the listed services below). After recognition, the trust service providers are supervised to ensure that the provided trust services continue to meet the requirements.
The Federal Office of Justice (FOJ) https://www.bj.admin.ch/bj/en/home.html and the Federal Office of Communications (OFCOM) https://www.bakom.admin.ch/bakom/en/homepage.html set the requirements.
The accredited recognition body is in charge of recognition and supervision of the TSPs in accordance with the conditions laid down in the Federal Act of 6 October 1995 on Technical Barriers to Trade (SR 946.51) and the corresponding implementing provisions. The assessment procedures comply with the rules of the ISO/IEC 17021 standard. The recognition body is responsible for granting and withdrawing the qualified status for TSPs. KPMG Ltd https://home.kpmg/ch/en/home.html is currently the only accredited recognition body.
The Swiss Accreditation Service (SAS) https://www.sas.admin.ch/sas/en/home.html accredits the recognition bodies in accordance with the provisions of the Accreditation and Designation Ordinance of 17 June 1996 (SR 946.512). The SAS is responsible for publishing the list of recognised TSPs. The SAS establishes, maintains and publishes the Trusted List in collaboration with the Federal Office of Communications (OFCOM).

Rules for assessment of the listed services

TSPs and their services included in the Swiss Trusted List are assessed against the provisions laid down in:
-the Federal Act of 18 March 2016 on Certification Services in the Area of the Electronic signature and other digital certificate applications (Federal Act on Electronic Signatures, SR 943.03),
-the Ordinance on Certification Services in the Area of the Electronic signature and other digital certificate applications (Ordinance on Electronic Signatures, SR 943.032),
-the technical and administrative regulations on Certification Services in the Area of the electronic signatures and other digital certificate applications.
The links to these documents are published on https://www.bakom.admin.ch/bakom/en/homepage/digital-switzerland-and-internet/digital-communication/electronic-signature.html

Interpretation of the Trusted List

The trust service provider is identified by the TSP information field values. The trust service is identified by the Service Name and the Service Digital Identity field values. The Swiss Trusted List includes only recognised TSPs and only their services that meet the abovementioned requirements (see section Rules for assessment of the listed services above).
The Trusted List includes both current and historical information about the status of the listed trust services. The qualified status of a trust service is indicated by the combination of the Service Type Identifier value in a service entry and the status according to the Service Current Status field value as from the date indicated in the Current Status Starting Date and Time field.
In the context of the Swiss Trusted List the following URIs apply to identify the current status of the listed trust services:

https://uri.tsl-switzerland.ch/TrstSvc/TrustedList/Svcstatus/granted
indicates that following ex ante and active approval activities, in compliance with the provisions laid down in the Swiss Federal Act on Electronic Signatures, the accredited recognition body in charge of recognition and supervision of the TSPs in Switzerland has granted the "recognised" status to the trust service identified in "Service digital identity", and to the trust service provider identified in "TSP name" for the provision of that service. The "recognised" status corresponds to the "qualified" status granted by the European supervisory bodies.

https://uri.tsl-switzerland.ch /TrstSvc/TrustedList/Svcstatus/withdrawn

indicates that the "recognised" status previously granted in compliance with the provisions laid down in the Swiss Federal Act on Electronic Signatures has been withdrawn by the accredited recognition body in charge of recognition and supervision of the TSPs in Switzerland from the trust service being identified in "Service digital identity", and from its trust service provider identified in "TSP name" for the provision of that service.

In the context of the Swiss Trusted List the following URIs apply to identify the service type of the listed trust services :

https://uri.tsl-switzerland.ch/TrstSvc/Svctype/CA/QC
indicates a trust service creating and signing qualified or regulated certificates based on the identity and other attributes verified by the relevant registration services, and under which are provided the relevant and related revocation and certificate validity status information services (e.g. CRLs, OCSP responses) in accordance with Swiss Federal Act on Electronic Signatures in force at the time of provision. This may also include generation and/or management of the associated private keys on behalf of the certified entity.
When the listed service is a "root" certificate generation service issuing certificates to one or more subordinates certificate generation services and from which a certification path can be established down to a certificate generation service issuing end-entity qualified certificates, this service type is further identified by using the "http://uri.etsi.org/TrstSvc/TrustedList/SvcInfoExt/RootCA-QC" identifier which is included in the additionalServiceInformation extension according to ETSI TS 119 612 clause 5.5.9.4 within a Service information extension.
When applicable, this service type is further specified through the use of an additionalServiceInformation extension according to ETSI TS 119 612 clause 5.5.9.4 within a Service information extension by using the appropriate identifiers indicating the nature of the qualified certificates for which the qualified status has been granted, i.e. qualified certificates for electronic signatures, qualified certificates for electronic seals, and/or qualified certificates for website authentication.
When the certificate validity status information (e.g. CRLs, OCSP responses) related to the qualified certificates issued by the listed "CA/QC" identified service are not signed by the private key corresponding to the listed public key and when no certificate chain/path exists from the related certificate validity status information services (either CRL issuing entities or OCSP responders) to the listed "CA/QC" identified service public key, those certificate validity status information services are listed separately.


This "CA/QC" "Service type identifier" also indicates that any end-entity certificate issued by or under the CA represented by the "Service digital identifier" ("Sdi") CA's public key and CA's name (both CA data to be considered as trust anchor input), is a qualified certificate (QC) provided that it includes the id-etsi-qcs-QcCompliance ETSI defined statement (id-etsi-qcs 1) and provided this is ensured by the Recognition Body through the valid service status recognised in Switzerland.

https://uri.tsl-switzerland.ch/TrstSvc/Svctype/Certstatus/OCSP/QC
indicates a certificate validity status information service issuing Online Certificate Status Protocol (OCSP) signed responses and operating an OCSP-server as part of a service from a recognised trust service provider issuing qualified or regulated certificates, in accordance with the Swiss Federal Act on Electronic Signatures in force at the time of provision.

https://uri.tsl-switzerland.ch/TrstSvc/Svctype/Certstatus/CRL/QC
indicates a certificate validity status information service issuing and signing Certificate Revocation Lists (CRLs) and being part of a service from a recognised trust service provider issuing qualified or regulated certificates, in accordance with the Swiss Federal Act on Electronic Signatures in force at the time of provision.

https://uri.tsl-switzerland.ch/TrstSvc/Svctype/TSA/QTST
indicates a qualified electronic time stamp generation service creating and signing qualified electronic time stamps, in accordance with the Swiss Federal Act on Electronic Signatures in force at the time of provision.

https://uri.tsl-switzerland.ch/TrstSvc/Svctype/RemoteQSCDManagement/Q
indicates a qualified service for remote Signature or seal Creation Device management which supports generation and management of signature creation data within signature creation device on behalf and under control of remote signers or seal creators, in accordance with the Swiss Federal Act on Electronic Signatures in force at the time of provision.

"Service digital identifiers" are to be used as Trust Anchors in the context of validating electronic signatures or seals for which signer's or seal creator's certificate is to be validated against TL information, hence only the public key and the associated subject name are needed as Trust Anchor information. When more than one certificate are representing the public key identifying the service, they are to be considered as Trust Anchor certificates conveying identical information with regard to the information strictly required as Trust Anchor information. The general rule for interpretation of any other "Sti" type entry is that, for that "Sti" identified service type, the listed service named according to the "Service name" field value and uniquely identified by the "Service digital identity" field value has the current qualified or approval status according to the "Service current status" field value as from the date indicated in the "Current status starting date and time".

The list is drawn up in accordance with the specification ETSI TS 119 612 (available in the Standards section of https://www.etsi.org/). Please refer to this specification for further information concerning the meaning of the field values.

Authenticity and updates of the trusted list

The authenticity of the Trusted list can be checked by verifying the digital signature on the list using the corresponding verification certificate. You can download the certificate in either binary (DER) or text (Base64 encoded) format. The certificate thumbprint is e8 63 83 62 51 30 bd f0 1e 42 a3 17 65 01 e0 79 26 1b 13 7f.

The existence of a new version of the Trusted list can be determined by checking the SHA256 digest value of the published trusted list.


Contact information

Swiss Accreditation Service (SAS) https://www.sas.admin.ch/sas/en/home/ueberuns/kontakt.html
KPMG Ltd.  https://home.kpmg/ch/en/home/misc/contact.html
Federal Office of Justice (FOJ) https://www.bj.admin.ch/bj/en/home/das-bj/kontakt.html
Federal Office of Communications (OFCOM) https://www.bakom.admin.ch/bakom/en/homepage/ofcom/contact.html