UAE Trusted List (TL)is the anchor of the Trust Services regulatory Framework in UAE, it acts as the authoritative source for licensed service providers and the services they provide. The UAE Trusted List is the trusted source for verifying licensed Qualified and non-qualified TSPs and Trust services they provide in the country.
The UAE Trusted List is an essential element in building trust among the different stakeholders by allowing them to obtain information about:
- The trust service providers, the trust services they provide and the full history of their respective license status; and
- The qualified trust service providers, the qualified trust services they provide and the full history of their respective license and qualified status
This information is provided by TDRA acting as supervisory body and UAE trusted list operator in accordance with the Cabinet Resolution on the Executive Regulations of Federal Law by Decree No. (46) of 2021 on Electronic Transactions and Trust Services and with the Resolution No (28) for 2023 on the UAE Trusted List Resolution.
General Requirements
The Trusted List includes both current and all historical information, dating from the inclusion of a trust service provider in the Trusted List, about the status of listed trust services.
The information provided in the trusted list is primarily aimed at supporting the validation of licensed trust services (qualified or non-qualified ones), i.e. physical or binary (logical) objects generated or issued as a result of the use of a trust service, e.g. namely (qualified) electronic signatures/seals, advanced electronic signatures/seals supported by a (qualified) certificate, qualified time-stamps, etc.
Trusting the content of UAE trusted list
Prior to any interpretation of the UAE trusted list, relying parties should:
- retrieve the trusted list from a secure location (hereafter ‘TL-location’); and
- verify the authenticity and integrity of the trusted list. Especially, relying parties should verify the authenticity and integrity of the trusted list by verifying that it has been signed/sealed by one of the authorized certificates (hereafter the ‘TL-signing certificates’) (note: more precisely, signed/sealed by the corresponding private key).
Initially, the TL-location and TL-signing certificates are specified in the Official Gazette.
Later, following the decision of TDRA to modify the TL-location or the set of TL-signing certificates, TDRA might, as a machine-processable approach, publish these modifications in the UAE trusted list itself.
Such an instance of the trusted list is hereafter referred to as a ‘pivot TL’, as it represents a pivot point in the historical values of the TL-location and the TL-signing certificates. These pivot TLs form a chain of changes (changes of TL-location or TL-signing certificates) starting from the initial situation published in the Official Gazette up to the current one. These pivot TLs are archived for later reference.
To conclude on the current list of TL-signing certificates in order to validate the signature of the TL as explained above, one shall reconstruct that chain of pivot TLs. The following paragraphs explain how to reconstruct that chain.
From a technical perspective, the TL-location, TL-signing certificates, and the location of archived pivot TLs are included in the UAE trusted list such as:
- the <OtherTSLPointer> with AE <SchemeTerritory> contain the TL-location together with the PEM representation of the TL-signing certificates;
- the <SchemeInformationURI>, in reverse chronological order – that is, showing the most recent publication first – contains the list of:
- zero or more URLs where the archived preceding pivot TLs are published, back until and followed by
- the URL of the latest publication relevant to UAE trusted list in the Official Gazette.
In this respect, once the decision of TDRA to modify the TL-location or TL-signing certificates is reflected in a publication of a pivot TL, relying parties may detect these modifications in a machine processable way in the UAE trusted list, namely from changes of:
- the <OtherTSLPointer> with AE <SchemeTerritory>;
- the <SchemeInformationURI>.
When verifying the authenticity and integrity of the UAE trusted list, relying parties should, starting from the TL-location specified in the latest publication relevant to UAE trusted list in the Official Gazette, reconstruct the chain of pivot TLs to conclude on the current set of TL-signing certificates:
- Based on the content of the UAE TL published at the TL-location, retrieve the
location(s) of all pivot TLs present in <SchemeInformationURI>;
- If no pivot TL is present, the current set of TL-signing certificates is the initial list in
the above-mentioned publication of the Official Gazette
- If pivot TLs are present: In the chronological order, for each pivot TL published at
pivot TL location(s), verify the authenticity and integrity of the list; using:
- for the first pivot TL, the set of initial TL-signing certificates specified in the above-mentioned publication of the Official Gazette; or
- for following pivot TLs, using the set of certificates specified in <OtherTSLPointer> with AE <SchemeTerritory> of the previous pivot TL in that ordered list;
- The final result is the current set of TL-signing certificates.
Transition period regarding the changes of TL-signing certificates or TL-location
After the publication of the pivot TL announcing changes in TL-signing certificates or TL-location, relying parties have 15 days (the duration of the transition period) to take these changes into account.
It is highly recommended to take these changes into account during the transition period rather than after it:
- During the transition period, this will have no impact on the ability to verify the authenticity and integrity of the UAE trusted list, as TDRA will take the relevant measures (e.g. not using the newly-announced [TL-signing] certificates during the transition period, or publishing the TL at both locations during the transition period)
- After the transition period, this may have an impact on the ability to verify the authenticity and integrity of the UAE trusted list, as TDRA may decide to:
- Sign/seal the UAE trusted list with one of the newly-announced TL-signing certificates.
- Remove the UAE trusted list from the previous TL-location.
Read more about The technical specifications and formats relating to the United Arab Emirates trusted list.
