1.    Introduction

Pursuant to Article 4(3) of Commission Implementing Decision (EU) 2015/1505, the European Commission (hereafter the Commission ) makes available to the public, through a secure channel to an authenticated web server, the information notified by Member States under Articles 4(1) of Implementing Decision (EU) 2015/1505, in a signed or sealed form suitable for automated processing.

The information notified by Member States is compiled and made available as a signed or sealed XML machine-processable form, called the list of trusted lists (hereafter the LOTL ).

Prior to any interpretation of the LOTL, its authenticity and integrity shall be verified by relying parties.

To that end, relying parties should:

a.     retrieve the LOTL from a secure location (hereafter LOTL location ); and

b.     verify that the LOTL has been signed/sealed with a private key corresponding to one of the authorized certificates (hereafter the LOTL-signing certificates ).

The verification referred to in point b. above may involve the processing of so-called “pivot LOTLs”.

The present text intends to provide to relying parties explanative information on such pivot LOTLs.

2.    Definitions and abbreviations

For the purpose of the next sections, the following definitions and abbreviations apply:


-       “LOTL-signing certificates” means the set of certificates whose corresponding private keys are authorised to sign or seal the LOTL.

-       “LOTL location” means the secure location where the LOTL is made available by the Commission.

-       “pivot LOTL” means a publicly available historized specific instance of a LOTL, whose location is referenced in the field <SchemeInformationURI> of the LOTL.

-       “LOTL” is the abbreviation of “list of trusted lists”.

-       “OJEU” is the abbreviation of “Official Journal of the European Union”.

3.    States of the LOTL

In order to introduce the concept of the pivot LOTLs, the present document defines two states in which the LOTL can be:

1.      Direct state: the <SchemeInformationURI> field of the LOTL does not contain any URI ending with “.xml” (that is, it does not reference any pivot LOTLs).

2.      Anchored state: the <SchemeInformationURI> field of the LOTL contains one or more URI ending with “.xml” (that is, it contains one or more references to pivot LOTLs).

Those states are defined purely to support the explanations that follow and are not intended to formally define in any way new terms to be used outside of this text.

4.    Pivot LOTL mechanism

In order to support the verification of the authenticity and integrity of the LOTL by relying parties, the Commission publishes in the OJEU a set of certificates and an URL.

Note 1: At any point in time, the Commission may replace this URL and set of certificates via a new OJEU publication. However as will be seen in the ensuing explanations, the pivot mechanism mitigates the risk resulting from sudden changes for relying parties.

When the LOTL is in a “direct state”, the location where the LOTL should be retrieved is the URL published in the latest relevant OJEU publication, and the set of LOTL-signing certificates is the exact set of certificates in that publication.

The Commission may however decide at any point in time to change the LOTL location or the set of LOTL-signing certificates. Such a change may, as a machine-processable approach, be done by publishing the related modifications in the LOTL itself. Upon such modifications in the LOTL, an instance of the modified LOTL is immediately archived and the location of that archived LOTL is referenced in the LOTL itself. Such an archived LOTL is referred to as a “pivot LOTL”, as it represents a pivot point in the historical values of the LOTL location and/or the LOTL-signing certificates.

From a technical perspective, the LOTL location, LOTL-signing certificates, and the location of archived pivot LOTLs are included in the LOTL as such:

·     The element <OtherTSLPointer> with EU <SchemeTerritory> of the field <PointersToOtherTSL> contains the LOTL location together with the LOTL-signing certificates encoded in base64 format;

·     The field <SchemeInformationURI> contains, in reverse chronological order, that is, showing the most recent publication first, the list of:

-   zero or more URLs ending with “.xml” where the archived preceding pivot LOTLs are published, back until and followed by

-   the URL of the latest publication relevant to LOTL in the OJEU.

In this respect, once the decision of the Commission to modify the LOTL-signing certificates is reflected in a publication of a pivot LOTL, relying parties may detect such a modification in a machine processable way in the LOTL, namely from changes of:

·     The element  <OtherTSLPointer> with EU <SchemeTerritory> of the field <PointersToOtherTSL> ;

·     The field <SchemeInformationURI> .

When a pivot LOTL is referenced in the <SchemeInformationURI> field of the LOTL, the LOTL is then in an “anchored state”.

The procedure for verifying the authenticity and integrity of the LOTL when it is in an anchored state is described in the next two sections, depending on whether the pivot LOTLs reflect a change of:

a.      LOTL-signing certificates; or

b.      LOTL location.

5.    Changes of LOTL-signing certificates

The list of pivot LOTLs forms a virtual chain of changes regarding the LOTL-signing certificates, starting from the initial situation where the LOTL was in a “direct state” up to the current one.

To conclude on the current set of LOTL-signing certificates in order to validate the signature of the LOTL, one shall reconstruct that chain of changes from the list of pivot LOTLs.

When verifying the authenticity and integrity of the LOTL, relying parties should, starting from the LOTL available from the LOTL location specified in the latest relevant publication in the OJEU, reconstruct the chain of changes from the list of pivot LOTLs to conclude on the current set of LOTL-signing certificates:

  1. Based on the content of the LOTL published at the LOTL location, retrieve the location(s) of all pivot LOTLs present in the field <SchemeInformationURI>
  2. If no pivot LOTL is present, the current set of LOTL-signing certificates is the initial set in the above-mentioned publication of the OJEU;
  3. If pivot LOTLs are present: In the chronological order, for each pivot LOTL published at pivot LOTL location(s), verify the authenticity and integrity of the list; using:
    1. for the first pivot LOTL, the set of initial LOTL-signing certificates specified in the above-mentioned publication of the OJEU; or
    2. for following pivot LOTLs, using the set of certificates specified in <OtherTSLPointer> with EU <SchemeTerritory> of the field <PointersToOtherTSL> of the previous pivot LOTL in that ordered list;
    3. The final result is the current set of LOTL-signing certificates.

Transition period observed by the Commission regarding the changes of LOTL-signing certificates

After the publication of the pivot LOTL announcing changes in LOTL-signing certificates, relying parties have 15 days (the duration of the transition period) to take these changes into account.

It is highly recommended to take these changes into account during the transition period rather than after it, as:

·     During the transition period, there will be no impact on the ability to verify the authenticity and integrity of the LOTL, as the Commission will take the relevant measures for not using the newly-announced LOTL-signing certificates during the transition period.

·     After the transition period, there may be an impact on the ability to verify the authenticity and integrity of the LOTL, as the Commission may decide to sign/seal the LOTL with one of the newly-announced LOTL-signing certificates.

6.    Changes of LOTL-location and associated transition period

A description of the procedure followed by the Commission for announcing and making effective changes of the LOTL-location is provided in the table below as a sequence of events occurring at labelled times :

Time T1.      The decision is taken to change the location where the current instance of the LOTL is published.


Time T2.      That LOTL new location is known and ready for use.


Time T3.      The current instance of the LOTL is published at that LOTL new (future) location in addition to being published at the LOTL old (current) location. From that time T3, any new instance of the LOTL will be published at both locations.


Time T4.      A new instance of the LOTL is published (at both locations) as a pivot LOTL, in order to formally establish the existence of the LOTL new location. This pivot instance, like any pivot instance of the LOTL, is archived at a separate location whose URI is added, in reverse chronological order – that is, showing the most recent publication first – to the values of the field <SchemeInformationURI>

of this instance of the LOTL and all future instances of the LOTL.

This pivot LOTL includes:

a.     The new location of the LOTL in the element <OtherTSLPointer> with EU <SchemeTerritory> of the field <PointersToOtherTSL> , pointing to the LOTL.

b.     A new entry in the field <SchemeInformationURI> on top of the existing list of entries. This new entry points to (locates) the archived version of that new pivot LOTL.


Time T5.      A new OJEU publication has been written, translated in all languages, and sent for publication. The new OJEU publication is published.

Note 1: This publication is expected to occur within the 15 days of the publication of the pivot LOTL announcing the new location (or at least before the date and time where the old location is no longer used by the Commission to publish the LOTL when this occurs after the 15 days starting from the realisation of Time T4 event above).


The location of this new publication is obviously determined but still is not widely known. This OJEU publication:

a.    Specifies the new location of the LOTL;


Note 2: Formally, this new location is already officialised. This new OJEU publication confirms that new location.


b.    Lists the LOTL-signing certificates that are in force at the time of the publication. Those certificates correspond to the ones listed in the latest publication of the LOTL. This new related OJEU publication will not specify the addition or removal of new LOTL-signing certificates;


Note 3: Any addition or removal of new LOTL-signing certificates will be made by means of a pivot LOTL either before the finalisation of the content of the OJEU publication, or after the publication of the next LOTL that will reference 2 OJEU locations in its field <SchemeInformationURI> .


c.    Announces a future reset of the list of the pivot LOTLs (appearing in the field <SchemeInformationURI> ) and establishes an associated transition period which:

i.     Will start with the publication of the next LOTL that will reference 2 OJEU locations in its field <SchemeInformationURI> ; and

ii.     Will end with the publication of the next LOTL that will reference only one OJEU location in its field <SchemeInformationURI> ; and

iii.     Will have a duration of at least 15 days.


d.    If necessary and not already done by a previous OJEU publication, might specify an extension of the period during which the old location of the LOTL is maintained and may be used to access and validate the LOTL. The end of this extension will necessarily coincide with the end of the transition period established in point T5.c above.


Time T6.       


a.    The transition period starts with the publication of a new LOTL with the addition, as first value in its field <SchemeInformationURI> , of the location of the new OJEU publication. This is the LOTL that references 2 OJEU locations in its field <SchemeInformationURI> as referred to in bullet T5.c.(i) above.

b.    For relying parties’ convenience, the publication referred to in point T6.a is followed without delay of a pivot LOTL, whose aim is to convey the LOTL location and LOTL-signing certificates as they appear in the new OJEU publication.

Note 1: From the publication referred to in point T6.a:

·      LOTL relying parties can detect that a new publication in the OJEU is to be taken into account;

·      The countdown to the end of the transition period referred to in point T5.b has started and LOTL relying parties are strongly advised to update their software configuration, as after the end of this transition period the Commission is entitled to either remove the old location, reset the list of the pivot LOTLs or both.


Note 2: If there is a need to change to the list of LOTL-signing certificates after the new OJEU publication has occurred (Event (T5) above) and before Event (T6) occurs, this change has to wait for Event (T6) to take effect. The publication of the corresponding pivot LOTL has to wait for Event (T6) to occur, so that in the field <SchemeInformationURI> this pivot LOTL appears before (on top of) the location of the new OJEU publication. This ensures that the content of the new OJEU publication is indeed in sync with the LOTL and the list of pivot LOTLs.


Note 3: Once the new OJEU publication appears in the field <SchemeInformationURI> (i.e. from this publication resulting from Event (T6)), one or more new pivot LOTLs might be published to communicate new LOTL-signing certificates.


Time T7.      The transition periodends with the publication of a new LOTL, which resets the pivots (i.e. removing the URI indicating the old OJEU publication and the pivot LOTLs added between the two OJEU location URIs. This LOTL has only one OJEU location in its field <SchemeInformationURI> (and potentially no, one or more pivot LOTL “on top of it” in the field <SchemeInformationURI> ).


In light of the procedure described above, relying parties can detect a change of LOTL location by monitoring the value of the <TSLLocation> element in the element <OtherTSLPointer> with EU <SchemeTerritory> of the field <PointersToOtherTSL> .

Furthermore, they can also detect that a new OJEU publication has occurred by monitoring the field <SchemeInformationURI> and be alerted that the transition period during which a change of configuration should be performed has begun.

During a transition period, at any moment, relying parties may update their configuration files without any impact on the processing of the LOTL:

1.     When using the old URI of the OJEU location, pivot LOTLs are processed (without taking into account the second location of the OJEU but taking into account the pivot LOTLs published after the inclusion of this OJEU URI in the field <SchemeInformationURI> , hence added as <SchemeInformationURI> entries on top of the corresponding OJEU URI entry in the field <SchemeInformationURI> ) and the processing is informed about the existence of a new OJEU (location) considering the existence of a second OJEU URI in the field <SchemeInformationURI> .

2.     When using the new URI of the OJEU location, only pivot LOTLs appearing before (“on top of”) the URI of the new location of the OJEU are processed.

Note 1: Because the list of URIs in the field <SchemeInformationURI> is in reverse chronological order, a pivot LOTL published after another element (e.g. pivot LOTL or OJEU publication), will appear before (“on top of it”) in that list.

The table below provides an example that illustrates this procedure. In that table, each cell on the left represent an instance of a LOTL with:

·     LOTL Sn [X] representing the “Sequence number” [X] of that instance

·     “Siu” representing the values contained in the field <SchemeInformationURI> of that instance where those values are represented as:

o   P[Y] representing a pivot LOTL with “Sequencenumber” [Y];

o    OJEU [Z] representing an OJEU publication URI labeled by [Z].

·     “PTOTSLEU” representing the values contained in the field <PointersToOtherTSL> of that instance where:

o    Old-Loc represents the URI of the LOTL location that is being or has been changed;

o    C[n] represents a certificate labelled by [n].

·     Signature (C[n]) representing the signature of that instance where “C[n]” represents the certificate supporting that signature.

The right cells represent events that occur when the “left-cell” LOTL instance is in force.


LOTL into force at that time

Events

LOTL Sn 998

“Siu”: P969, P811, OJEUxyz, …

“PTOTSLEU”: Old-LOC // C2, C4, C5

Signature (C4)

T1.  Decision taken to change the LOTL location

LOTL Sn 999

“Siu”: P969, P811, OJEUxyz, …

“PTOTSLEU”: Old-LOC // C2, C4, C5

Signature (C2)

T2.  New LOTL location ready

LOTL Sn 999

“Siu”: P969, P811, OJEUxyz, …

“PTOTSLEU”: Old-LOC // C2, C4, C5

Signature (C2)

T3.  LOTL published at both locations

LOTL Sn 1000

“Siu”: P1000, P969, P811, OJEUxyz

“PTOTSLEU”: New-LOC // C2, C4, C5

Signature (C5)

T4.  New pivot LOTL changing the LOTL location

LOTL Sn 1001 to Sn 1009

New instances of the LOTL publishing changes notified by theMember States (in the
corresponding MS entry of the LOTL PTOTSLs
element)

LOTL Sn 1010

“Siu”: P1010, P1000, P969, P811, OJEUxyz,

          

“PTOTSLEU”: New-LOC // C4, C6, C7

Signature (C4)

New pivot due to the need for changing LOTLSO certificates

LOTL Sn 1011 to Sn 1017

New instances of the LOTL publishing changes notified by the Member States (in the corresponding MS entry of the LOTL PTOTSLs element)

LOTL Sn 1018

“Siu”: P1010, P1000, P969, P811, OJEUxyz,

          

“PTOTSLEU”: New-LOC // C4, C6, C7

Signature (C6)

T5.  Publication of the new OJEU.

LOTL Sn 1018 to Sn 1019

No publication of pivot LOTL between Event (T5) and Event (T6).

New instances of the LOTL publishing changes notified by the Member States.

LOTL Sn 1020

“Siu”: OJEUabc, P1010, P1000, P969, P811, OJEUxyz, …

“PTOTSLEU”: New-LOC // C4, C6, C7

Signature (C7)

T6.  a. Publication of a new LOTL with, as first value in its <SchemeInformationURI> element, the location of the new OJEU publication

Transition period starts now.

LOTL Sn 1021

“Siu”: P1021, OJEUabc, P1010, P1000, P969, P811, OJEUxyz, …

“PTOTSLEU”: New-LOC // C4, C6, C7

Signature (C6)

T6.  b. Publication of a pivot LOTL, whose aim is to convey the LOTL location and LOTLSO certificates as they appear in the new OJEU publication.

LOTL Sn 1022

“Siu”: P1022, P1021, OJEUabc, P1010, P1000, P969, P811, OJEUxyz, …

“PTOTSLEU”: New-LOC // C7, C8, C9

Signature (C7)

New pivot due to the need for changing LOTLSO certificates

LOTL Sn 1022 to Sn 1026

New instances of the LOTL publishing changes notified by the Member States (in the corresponding MS entry of the LOTL PTOTSLs element)

LOTL Sn 1027

“Siu”: P1022, P1021, OJEUabc, …

“PTOTSLEU”: New-LOC // C7, C8, C9

Signature (C9)

T7.  Publication of a new LOTL which resets the pivots (“below” the OJEUabc entry in the “Siu”).

Transition period ends now.

The old location of the LOTL may be (is) disabled.

LOTL Sn 1028

“Siu”: P1028, P1021, OJEUabc, …

“PTOTSLEU”: New-LOC // C7, C8, C10

Signature (C8)

New pivot due to the need for changing LOTLSO certificates

LOTL Sn 1029 to Sn …

[ See also the FAQ entry for pivot LOTL ]