The OISTE Trust Model

 
The OISTE Foundation
Founded in Switzerland in 1998, OISTE was created with the objectives of promoting the use and adoption of international standards to secure electronic transactions, expanding the use of digital certification and ensuring the interoperability of certification authorities’ transaction systems. The OISTE Foundation is a not-for-profit organization based in Geneva, Switzerland, regulated by article 80 et seq. of the Swiss Civil Code. OISTE is an organization in special consultative status with the Economic and Social Council of the United Nations (ECOSOC) and belongs to the Not-for-Profit constituency (NPOC) of ICANN. More information: http://www.oiste.org
 
OISTE as the owner of the Root of Trust
OISTE is the sole owner of a set of Root Certification Authorities, ensuring the independence of the Trust Model and isolating the users of the WISeKey Trust Services from possible changes in the ownership of WISeKey. As owner of the Roots, OISTE delegates to WISeKey the role of “Operator of the Trust Model”. Under this assignment, WISeKey operates the PKI and provides commercial trust services, but always under the supervision of the Foundation, which has the ultimate responsibility to:
  • Approve and Control the Subordinate Certification Authorities operating under the OISTE Roots
  • Define the Certificate Policies that regulate the different types of identities that can be issued under the Trust Model: Identities for Persons, Applications and Objects
  • Define the Certificate Practices Statement, which stipulates how the Certification Authorities will operate
OISTE allows third parties to operate under the Roots and act as Subordinate Certification Authorities, provided that all the internal and external regulations are met and that this compliance is demonstrated by means of an independent audit.
Both OISTE and WISeKey are periodically subject to these independent audits.
Our Unique Trust Model
OISTE has developed a novel institutional and trust management framework that enables the Entity using it to convey trust through the segregation of ownership of components of the technological infrastructure, intellectual property rights, and policy creation authority among entities that are, by law, structured differently and in a manner that reinforces the management of trust. The institutional framework is composed of the following entities:
  • Foundation: a legal entity in the form of a foundation as legally structured in Switzerland or its functional equivalent in other jurisdictions or internationally (herein the “Foundation”);
  • Operator: A separate legal entity contractually bound to pursue the objectives of the Foundation (herein the “Operator”);
  • Auditor: The independent auditor directly or indirectly designated by the Foundation;
  • Supervisory Authority: The supervisory authority of the Foundation (in Switzerland this is the Swiss Federal Government);
  • Policy Approval Authority: The PAA is a committee within the Foundation that has the mandate of drafting, adopting and maintaining the policies applicable to the Trust Management Infrastructure;
  • Users: These are the communities of trust or individuals of such communities that form part of the Trust Management Infrastructure as clients of the Operator that wish to form part of or wish to be connected in some form or another to the Trust Management Framework and are accepted by the Operator to form part of it. They can be public or private sector entities, interoperable or not, in vertical sectors or across sectors (e.g. biometric passports, electronic ID systems, digital TV authentication systems, employee ID cards, etc.).
  • The Trust Communities or Users of the Trust Management Infrastructure installed by, serviced by or the users of other such infrastructures that wish to form part of the institutional framework and are accepted as members by the Foundation.
In accordance with Swiss law (and the law of many other jurisdictions), foundations do not have shareholders but are composed of capital and have an objective they must pursue. Under Swiss law, foundations are subject to annual audits by qualified and certified auditors and to supervision by the Swiss federal government to ensure that the capital of the foundation is used in conformity with the objectives of the foundation (Art. 84 Swiss Civil Code).
Enable your CA to issue Trusted Certificates
The OISTE Trust Model allows affiliates to adhere to it and operate Issuing CAs under the “Standard” and “Advanced” Policy Certification Authorities. A comprehensive description of the different certificate profiles is available at http://www.oiste.org/repository.
Affiliates can be enabled to issue these certificates:
  • Standard Certificates: aimed at e-mail protection and non-legally binding digital signatures. These certificates reference an e-mail address, not the person’s identity.
  • Advanced Certificates: aimed at legally binding signatures and a higher level of security. Advanced Certificates can be issued to:
    • Physical persons or individuals
    • Legal persons or corporations
    • Applications (i.e. SSL Certificates)
  • Device Certificates: specially adapted for the needs of connected devices in the Internet of Things