info
Google Groups no longer supports new Usenet posts or subscriptions. Historical content remains viewable.
Dismiss
Logius PKIoverheid response to Action #2 in the January 2018 CA Communication
181 views
Skip to first unread message
Berge, J. van den (Jochem) - Logius
Mar 16, 2018, 8:56:20 AM3/16/18
to dev-secur...@lists.mozilla.org, Janssen, M.A. (Mark) - Logius
Dear MSDP community,
As requested by Mozilla in the CA Communication survey we've reviewed our implementation of BR 3.2.2.4.1 and 3.2.2.4.5. PKIoverheid only issues OV/EV certificates to subscribers for which the applicant representative has to have had a face-to-face check to confirm the identity of the representative (regardless of which method from 3.2.2.4 is used). The applicant representatives are defined beforehand by the applicant (authority is granted by a managing director, who's authority is checked against the national trade register). The issuing TSPs all use a secured environment in which the subscriber can order certificates. PKIoverheid certificates are mainly issued to Dutch subscribers. The Dutch Chamber of Commerce (de facto the national agency as referred in BR 3.2.2.1) only allows unique organization names, and as mentioned before, the TSP has a complete file of the applicant and it representative(s). In case that there is doubt about the authority of the applicant (whether using method 3.2.2.4.1 or 3.2.2.4.5), another method from 3.2.2.4 is used instead. Therefore, the scenario as described earlier on the web (for instance, the Stripe, Inc. case) is, in our eyes, very unlikely. However, the PKIoverheid TSPs are now moving away from these methods per ballot 218.
Please let me know if you have any questions.
Kind regards,
Jochem van den Berge
Logius PKIoverheid
Public Key Infrastructure for the Dutch government
........................................................................
Logius
Ministry of the Interior and Kingdom Relations (BZK)
Wilhelmina van Pruisenweg 52 | 2595 AN | The Hague
PO Box 96810 | 2509 JE | The Hague
........................................................................
jochem.va...@logius.nl<mailto:Jochem.va...@logius.nl>
http://www.logius.nl
Dit bericht kan informatie bevatten die niet voor u is bestemd. Indien u niet de geadresseerde bent of dit bericht abusievelijk aan u is toegezonden, wordt u verzocht dat aan de afzender te melden en het bericht te verwijderen. De Staat aanvaardt geen aansprakelijkheid voor schade, van welke aard ook, die verband houdt met risico's verbonden aan het elektronisch verzenden van berichten.
This message may contain information that is not intended for you. If you are not the addressee or if this message was sent to you by mistake, you are requested to inform the sender and delete the message. The State accepts no liability for damage of any kind resulting from the risks inherent in the electronic transmission of messages.
As requested by Mozilla in the CA Communication survey we've reviewed our implementation of BR 3.2.2.4.1 and 3.2.2.4.5. PKIoverheid only issues OV/EV certificates to subscribers for which the applicant representative has to have had a face-to-face check to confirm the identity of the representative (regardless of which method from 3.2.2.4 is used). The applicant representatives are defined beforehand by the applicant (authority is granted by a managing director, who's authority is checked against the national trade register). The issuing TSPs all use a secured environment in which the subscriber can order certificates. PKIoverheid certificates are mainly issued to Dutch subscribers. The Dutch Chamber of Commerce (de facto the national agency as referred in BR 3.2.2.1) only allows unique organization names, and as mentioned before, the TSP has a complete file of the applicant and it representative(s). In case that there is doubt about the authority of the applicant (whether using method 3.2.2.4.1 or 3.2.2.4.5), another method from 3.2.2.4 is used instead. Therefore, the scenario as described earlier on the web (for instance, the Stripe, Inc. case) is, in our eyes, very unlikely. However, the PKIoverheid TSPs are now moving away from these methods per ballot 218.
Please let me know if you have any questions.
Kind regards,
Jochem van den Berge
Logius PKIoverheid
Public Key Infrastructure for the Dutch government
........................................................................
Logius
Ministry of the Interior and Kingdom Relations (BZK)
Wilhelmina van Pruisenweg 52 | 2595 AN | The Hague
PO Box 96810 | 2509 JE | The Hague
........................................................................
jochem.va...@logius.nl<mailto:Jochem.va...@logius.nl>
http://www.logius.nl
Dit bericht kan informatie bevatten die niet voor u is bestemd. Indien u niet de geadresseerde bent of dit bericht abusievelijk aan u is toegezonden, wordt u verzocht dat aan de afzender te melden en het bericht te verwijderen. De Staat aanvaardt geen aansprakelijkheid voor schade, van welke aard ook, die verband houdt met risico's verbonden aan het elektronisch verzenden van berichten.
This message may contain information that is not intended for you. If you are not the addressee or if this message was sent to you by mistake, you are requested to inform the sender and delete the message. The State accepts no liability for damage of any kind resulting from the risks inherent in the electronic transmission of messages.
Wayne Thayer
Mar 22, 2018, 8:27:24 PM3/22/18
to Berge, J. van den (Jochem) - Logius, Janssen, M.A. (Mark) - Logius, dev-secur...@lists.mozilla.org
Thank you for the response Jochem. I am glad to hear that Logius has
evaluated the risk and, given the passage of ballot 218, is moving to other
methods of domain validation.
- Wayne
> _______________________________________________
> dev-security-policy mailing list
> dev-secur...@lists.mozilla.org
> https://lists.mozilla.org/listinfo/dev-security-policy
>
evaluated the risk and, given the passage of ballot 218, is moving to other
methods of domain validation.
- Wayne
> dev-security-policy mailing list
> dev-secur...@lists.mozilla.org
> https://lists.mozilla.org/listinfo/dev-security-policy
>
0 new messages