At a glance
- You can use the UK trusted list to check the details and status of qualified trust service providers.
- You can download the trusted list, authenticate it to check it is legitimate and monitor it to determine when its content changes.
- What is the UK trusted list?
- How can I check the details and status of a qualified trust service?
- Where can I get the trusted list?
- How can I check the authenticity of the trusted list?
- How can I check when the trusted list changes?
- Why has the trusted list moved to the ICO?
- Will tScheme continue to also publish the trusted list?
- What is the ‘final EU UK’ trusted list’?
- Will the ICO publish a PDF version of the list?
- How can I get more information of the trusted list move?
The UK trusted list shows whether a trust service provider has been granted qualified status and which of its services are qualified. The trusted list is the single authoritative source you can use to verify that the ICO has granted a trust service provider, and one or more of its services, with qualified status.
The trusted list contains an entry for each qualified trust service provider. This entry contains details such as:
- the qualified trust service provider name and address;
- when qualified status was granted;
- the types of services that have been approved as qualified;
- what the services can be used for, and
- associated historical information (where applicable) on the provided services.
When you are verifying a trust service output, eg a qualified electronic signature, you may need to check the UK trusted list as part of your verification procedures.
The ICO hosts the trusted list. It is available in a machine-readable format (XML). To support publication of the trusted list there is also a SHA256 digest file of the list to support monitoring of changes to the list, and a list verification digital certificate to verify the digital signature on the list.
You can check the authenticity of the trusted list by verifying the digital signature on the list using the ICO verification certificate. You can download the certificate in either binary (DER) or text (Base64 encoded) format. The certificate thumbprint is a3 ad 36 4f 7f af d5 7b f7 0c e0 3d e0 f4 89 33 d7 12 07 a2.
The verification certificate may be changed up to 1 year prior to expiry and you can check these pages before that time for notification of any change.
You can monitor for changes to the trusted list content, eg the addition of a newly qualified trust service provider or a change in the status of an existing one, by checking the SHA256 digest value of the currently published trusted list against a locally cached version.
The Department for Culture Media and Sport (DCMS), the UK Government department responsible for eIDAS, decided to transfer the responsibility for management and publication of the trusted list to the ICO. The ICO has been the UK trusted list scheme operator and the UK Supervisory Body for eIDAS since 1 October 2022.
From 1 October 2022, the trusted list will no longer be available from the tScheme website and will only be available from the ICO website.
At the end of the Brexit transition period tScheme published a final version of the EU UK trusted list. This will continue to be available on the tScheme website.
The ICO does not publish a PDF version of the list. The machine readable (XML) version of the list has a well-defined structure and contains qualified trust service provider and qualified trust service data that can be presented, searched and navigated in web browsers.
If you need additional information on the trusted list move or the trusted list in general, please contact the ICO at [email protected].