
Staat der Nederlanden Root Renewal Request


Kathleen Wilson

Oct 23, 2014, 2:51:40 PM10/23/14
to mozilla-dev-s...@lists.mozilla.org
Staat der Nederlanden has applied to include the “Staat der Nederlanden
Root CA - G3” and “Staat der Nederlanden EV Root CA” root certificates;
turn on the Websites and Email trust bits for the “Staat der Nederlanden
Root CA - G3” root; turn on the Websites trust bit for the “Staat der
Nederlanden EV Root CA”; and enable EV treatment for the “Staat der
Nederlanden EV Root CA” root. The “Staat der Nederlanden Root CA - G3”
root will eventually replace the first and second generations of this
root that were included via Bugzilla Bug #243424 and Bug #436056.

Staat der Nederlanden is the Dutch government PKI (a.k.a. PKIoverheid),
designed for trustworthy electronic communication within and with the
Dutch government. Each root has one or more sub CAs known as domain CAs
or intermediate CAs. Each domain or intermediate CA services multiple
Certificate Service Providers (CSPs). The CSPs (commercial and
governmental organisations) issue several types of certificates, such as
authentication, encryption, non-repudiation and SSL, to end-users.
End-users can be companies and governmental organisations. The
PKIoverheid does not issue certificates directly to end-users, the
PKIoverheid only issues certificates to CSPs. The Ministry of the
Interior and Kingdom Relations (represented by Logius) is the owner of
the PKIoverheid. Logius supports the Dutch Minister of the Interior and
Kingdom Relations with the management and control of the PKI system.

The request is documented in the following bug:
https://bugzilla.mozilla.org/show_bug.cgi?id=1016568

And in the pending certificates list:
http://www.mozilla.org/projects/security/certs/pending/

Summary of Information Gathered and Verified:
https://bugzilla.mozilla.org/attachment.cgi?id=8504870

Noteworthy points:

* The primary documents are in Dutch and English

Document Repository (Dutch):
https://www.logius.nl/ondersteuning/pkioverheid/aansluiten-als-csp/programma-van-eisen/

Document Repository (English):
https://www.logius.nl/languages/english/pkioverheid/

Staat der Nederlanden Root and Domain CAs (Tier 1 and 2)
CP (English):
 Part 3a: Certificate policy Government, Companies and Organizations
 (https://www.logius.nl/fileadmin/logius/ns/diensten/pkioverheid/programma-van-eisen/PoR_EN_part3a_v3.6.pdf)
 Part 3b: Certificate policy Services
 (https://www.logius.nl/fileadmin/logius/ns/diensten/pkioverheid/programma-van-eisen/PoR_EN_part3b_v3.6.pdf)
 Part 3c: Certificate policy Citizen
 (https://www.logius.nl/fileadmin/logius/ns/diensten/pkioverheid/programma-van-eisen/PoR_EN_part3c_v3.6.pdf)
 Part 3d: Certificate policy Autonomous Devices
 (https://www.logius.nl/fileadmin/logius/ns/diensten/pkioverheid/programma-van-eisen/PoR_EN_part3d_v3.6.pdf)
 Part 3e: Certificate policy - Extended Validation
 (http://www.logius.nl/fileadmin/logius/product/pkioverheid/documenten/PoR_EN_part3e_v3.6.pdf)

EV CP:
https://www.logius.nl/fileadmin/logius/ns/diensten/pkioverheid/programma-van-eisen/PoR_EN_part3e_v3.6.pdf



* CA Hierarchy: The PKIoverheid is an established Super-CA that has
demonstrated compliance to the requirements listed here:
https://wiki.mozilla.org/CA:SubordinateCA_checklist#Super-CAs

** CSPs that want to issue certificates under the PKIoverheid hierarchy
have to be certified against ETSI EN 319 411 and/or ETSI TS 102 042 in
accordance with the TTP.NL scheme. In addition the CSP must demonstrate
that it fulfils the additional PKIoverheid requirements by means of an
unqualified audit opinion.
See section 2.2 of part 2 of the PKIoverheid Programme of Requirements
(PoR_EN_part2_v3.6.pdf).

** The PKIoverheid G3 hierarchy consists of three tiers: Root CA, Domain
Subroot CA and CSP Subroot CA.

Tier 1: Root CA
- Staat der Nederlanden Root CA – G3. This internally operated offline
  Root CA is the trust anchor of the third generation root hierarchy of
  PKIoverheid. This CA is only used to sign Domain Subroot CAs and
  corresponding status information.

Tier 2: Domain Subroot CAs
- Domain Organisation Person: Staat der Nederlanden Organisatie Persoon
  CA – G3. This internally operated offline Domain Subroot CA is used to
  sign CSP Subroot CAs in the domain Organisation Person.
  Tier 3: Organisation Person CSP Subroot CA
  - At present no CSP Subroot CA has been issued in the domain
    Organisation Person.
- Domain Organisation Services: Staat der Nederlanden Organisatie
  Services CA – G3. This internally operated offline Domain Subroot CA is
  used to sign CSP Subroot CAs in the domain Organisation Services.
  Tier 3: Organisation Person CSP Subroot CA
  - CSP KPN Corporate Market: KPN Corporate Market CSP Organisatie
    Services CA - G3. This externally operated online CSP Subroot CA is
    operated by KPN Corporate Market to issue end entity certificates to
    their subscribers.
- Domain Citizen: Staat der Nederlanden Burger CA – G3. This internally
  operated offline Domain Subroot CA is used to sign CSP Subroot CAs in
  the domain Citizen.
  Tier 3: Citizen CSP Subroot CA
  - At present no CSP Subroot CA has been issued in the domain
    Organisation Person.
- Domain Autonomous Devices: Staat der Nederlanden Autonome Apparaten CA
  – G3. This internally operated offline Domain Subroot CA is used to sign
  CSP Subroot CAs in the domain Autonomous Devices.
  Tier 3: Autonomous Devices CSP Subroot CA
  - At present no CSP Subroot CA has been issued in the domain
    Organisation Person.

Please see section 2.4 of part 1 of the PKIoverheid Programme of
Requirements (PoR_EN_part1_v3.6.pdf) for more information on the PKI design.

** The PKIoverheid EV hierarchy consists of three tiers: Root CA,
Intermediate Subroot CA and CSP Subroot CA.

Tier 1: Root CA
- Staat der Nederlanden EV Root CA. This internally operated offline Root
  CA is the trust anchor of the Extended Validation root hierarchy of
  PKIoverheid. This CA is only used to sign the Intermediate Subroot CA
  and corresponding status information.

Tier 2: Intermediate Subroot CA
- Staat der Nederlanden EV Intermediair CA. This internally operated
  offline Intermediate Subroot CA is used to sign CSP Subroot CAs.

Tier 3: CSP Subroot CA
- CSP QuoVadis: QuoVadis CSP - PKI Overheid EV CA. This externally
  operated online CSP Subroot CA is operated by QuoVadis to issue EV end
  entity certificates to their subscribers.

** KPN Corporate Market CSP CA (Tier3)
CPS (Dutch):
https://certificaat.kpn.com/files/CPS/KPN_PKIoverheid_CPS_v4.19.pdf
Relying Party Agreement (English):
https://certificaat.kpn.com/files/voorwaarden/Relying%20Party%20Agreement%20v1.3.1.pdf


** QuoVadis CSP - PKI Overheid EV CA (Tier3)
CPS (Dutch):
https://www.quovadisglobal.com/~/media/Files/Repository/QV_CPS_PKI_Overheid_V1_1_4.ashx

Relying Party Agreement (English):
https://www.quovadisglobal.com/~/media/Files/Repository/QV_RPA_v1%201.ashx

** The other CSPs in the PKIoverheid ecosystem have not yet been issued
with subroots under the G3 or EV hierarchy.
More information on the other CSPs can be found here:
https://bugzilla.mozilla.org/show_bug.cgi?id=551399


* This request is to turn on the Websites and Email trust bits for the
“Staat der Nederlanden Root CA - G3” root; and turn on the Websites
trust bit for the “Staat der Nederlanden EV Root CA”. EV treatment is
requested for the “Staat der Nederlanden EV Root CA” root.

** Depending on the types of certificates they issue, CSPs have to follow
one or more of the Certificate Policies stated below:
- Part 3a: Certificate policy Government, Companies and Organizations
(PoR_EN_part3a_v3.6.pdf)
- Part 3b: Certificate policy Services (PoR_EN_part3b_v3.6.pdf)
- Part 3c: Certificate policy Citizen (PoR_EN_part3c_v3.6.pdf)
- Part 3d: Certificate policy Autonomous Devices (PoR_EN_part3d_v3.6.pdf)
- Part 3e: Certificate policy - Extended Validation (PoR_EN_part3e_v3.6.pdf)

** Sub-CAs within the PKIoverheid who issue end-entity certificates can
only be created underneath and signed by CSPs within the PKIoverheid
hierarchy. So Sub-CAs can only issue certificates within the same
domains as where the CSPs issue their certificates. Sub-CAs cannot
create their own subordinates. The only reason that a CSP within the
PKIoverheid creates a Sub-CA is to differentiate between the different
usages of certificates. This means that, if applicable, a Sub-CA is
created for certificates meant for personal use (authentication,
encryption and non-repudiation) and a Sub-CA for certificates meant for
services (e.g. SSL).

** Before a CSP can create a Sub-CA they have to have permission from
the Policy Authority (PA) of PKIoverheid, as is stated in our CP part 3a
and 3c (and in the EV CP) in paragraph 9.12.2.2 on page 25 and in part
3b in paragraph 9.12.2.2 on page 27. The PA grants its permission by
assigning a separate OID for the Sub-CA.

** The requirements in the Programme of Requirements
(PoR_EN_part3b_v3.6.pdf) regarding the subject.commonName (page 56) and
subjectAltName.dNSName (page 64) state that
“The subscriber MUST prove that the organization can use this name.
In services server certificates [OID 2.16.528.1.1003.1.2.2.6 and
2.16.528.1.1003.1.2.5.6] the CSP MUST check recognized registers
(Stichting Internet Domeinregistratie Nederland (SIDN) or Internet
Assigned Numbers Authority (IANA)) to find out whether the subscriber is
the domain name owner or whether the subscriber is exclusively
authorized by the registered domain name owner to use the domain name on
behalf of the registered domain name owner.”

** Section 3.2.3.2.2 of KPN PKIoverheid CPS
(KPN_PKIoverheid_CPS_v4.19.pdf) states that:
Translation: “The Subscriber must prove that the organisation is entitled
to use the primary and additional names that identify the server or
service. The primary and additional names of the server MUST be stated
as “fully-qualified domain name” (FQDN, see definitions).”

** Section 4.2.2.3 of KPN PKIoverheid CPS describes the verification of
Domain Name Ownership by the KPN Corporate Market CSP.
Translation: “Among others, checks are made in recognized registers such
as Stichting Internet Domeinregistratie Nederland (SIDN) or Internet
Assigned Numbers Authority (IANA) to validate whether Subscriber owns
the domain name as it appears in the e-mail address. In addition an
assessment is made to determine URL-spoofing or phishing.
http://www.phishtank.com or similar is consulted to see whether the
domain name does not appear on a spam and/or phishing blacklist. If KPN
suspects phishing or other potential abuse those suspicions will be
reported to http://www.phishtank.com.”


** The requirements in the EV CP (PoR_EN_part3e_v3.6.pdf) regarding the
validation of Domain ownership/control are as follows:
Requirement 3.2.5-3
“The CSP has to verify that the subscriber is the registered owner of
the domain name listed in the request (FQDN) or that the subscriber is
exclusively authorized by the registered domain name owner to use the
domain name on behalf of the registered domain name owner.
This verification may not be contracted out by the CSP to Registration
Authorities or other parties.
If the subscriber states that he/she is the registered owner of the
domain name listed in the request, the CSP has to:
- verify that the domain name is registered with a registrar or domain
manager, such as SIDN (The Netherlands Internet Domain Registration
Foundation), affiliated with the Internet Corporation for Assigned Names
and Numbers (ICANN) or an organization that is a member of the Internet
Assigned Numbers Authority (IANA), and;
- use a WHOIS service, of an organization affiliated with or that is a
member of ICANN or IANA, that offers the information via HTTPS, or the
CSP must use a command line programme if a WHOIS service is used that
offers information via HTTP, and;
- in the WHOIS service, verify the name, the residential address and the
administrative contact person of the organization and compare this
information to the verified subscriber information and establish that
there are no inconsistencies between the two sets of information, and;
- The CSP must verify that the domain name does not appear on a spam
list and/or phishing black list. Use, to this end, at least
http://www.phishtank.com. If the domain name is mentioned on phish tank
or a different black list that is consulted, during the verification
process the CSP has to deal particularly carefully with the request for
the relevant services server certificate.
The information that the CSP uses to verify that the subscriber is the
registered owner of the domain name (FQDN) listed in the application may
not be older than 13 months, otherwise the information has to be
requested and verified again.
If the subscriber states that it is exclusively authorized by the
registered domain name owner to use the domain name on behalf of the
registered domain name owner, as well as the checks listed above, the
CSP has to:
- request a declaration from the registered domain name owner (e.g. by
e-mail or telephone) in which the registered domain name owner has to
confirm that the subscriber has the exclusive right to use the domain
name (FQDN), and;
- request and verify a written and signed declaration from a notary or
external accountant which must state for which domain name (FQDN) the
subscriber has been given the exclusive user right on behalf of the
registered domain name owner, and;
- verify that the domain name (FQDN) is not a generic top-level domain
(gTLD) or country code top-level domain (ccTLD). For these domain names,
only the subscriber, as registered domain name owner, is allowed to
submit an application.
A declaration from the registered domain name owner or notary or
external accountant may not be older than 13 months.”

** QuoVadis satisfies these requirements through section 3.2.5.3
(Verification ownership domain name (FQDN)) of their EV CPS
(https://www.quovadisglobal.com/~/media/Files/Repository/QV_CPS_PKI_Overheid_EV_V1_0.ashx).
QuoVadis has chosen to use the wording from the requirements in the
corresponding sections of the QuoVadis EV CPS.

** The email address of the certificate holder may be included in the
certificate. The requirements on the SubjectAltName.rfc822Name attribute
in part 3a of the PoR (PoR_EN_part3a_v3.6.pdf) (page 53) state that:
“If the e-mail address is included in the certificate, the CSP MUST:
- have the subscriber sign his/her approval for these and;
- check that the e-mail address belongs to the subscriber's domain, or;
- check that the e-mail address belongs to the subscriber (e.g. the
professional) and that this person has access to the e-mail


* EV Policy OID: 2.16.528.1.1003.1.2.7

* Root Cert URLs
http://cert.pkioverheid.nl/RootCA-G3.cer
http://cert.pkioverheid.nl/EVRootCA.cer

* Test Websites
https://roottest-g3.pkioverheid.nl
https://pkioevssl-v.quovadisglobal.com/

* CRL
http://crl.pkioverheid.nl/RootLatestCRL-G3.crl
http://crl.pkioverheid.nl/DomOrganisatieServicesLatestCRL-G3.crl
http://crl.pkioverheid.nl/DomOrganisatiePersoonLatestCRL-G3.crl
http://crl.pkioverheid.nl/DomBurgerLatestCRL-G3.crl
http://crl.pkioverheid.nl/DomAutonomeApparatenLatestCRL-G3.crl
http://cert.managedpki.com/crl/KPNCorporateMarketCSPOrganisatieServicesCAG3/LatestCRL.crl

http://crl.pkioverheid.nl/EVRootLatestCRL.crl
http://crl.pkioverheid.nl/EVIntermediairLatestCRL.crl
http://crl.quovadisglobal.com/pkioevca.crl

* OCSP
http://rootocsp-g3.pkioverheid.nl
http://domorganisatieservicesocsp-g3.pkioverheid.nl
http://ocsp3.managedpki.com
http://evrootocsp.pkioverheid.nl
http://ocsp.pkioverheid.nl
http://ocsp.quovadisglobal.com

* Audit:
Staat der Nederlanden Root and Domain CAs (Tier 1 and 2)
Audit Type: WebTrust CA and WebTrust BR
Auditor: KPMG Advisory N.V., http://www.kpmg.com/nl/nl/Pages/default.aspx
Audit Report: http://cert.webtrust.org/SealFile?seal=1652&file=pdf
(2014.03.20)
With regard to the Extended Validation root a point-in-time audit has
been executed by KPMG.
Audit Statement: https://bugzilla.mozilla.org/attachment.cgi?id=8429540
(2013.11.19)

KPN Corporate Market CSP CA (Tier3)
Auditor: BSI, http://www.bsigroup.com/
Audit Statement: https://bugzilla.mozilla.org/attachment.cgi?id=8501724
-- ETSI TS 102042 V2.4.1 NCP+, OVCP, PTC-BR (2014.09.30)

QuoVadis CSP (Tier3)
Auditor: BSI Group
Audit Statement: https://bugzilla.mozilla.org/attachment.cgi?id=8472145
-- ETSI TS 102042 v2.4.1 NCP+, OVCP, PTC-BR (2014.04.08)


* Potentially Problematic Practices
(http://wiki.mozilla.org/CA:Problematic_Practices)

** Delegation of Domain / Email validation to third parties
Within the PKIoverheid system the CSPs are responsible for the
validation of information they include in the end entity certificates
they issue. If a CSP chooses to delegate the RA function to another
entity, they still need to conform to ETSI EN 319 411 and/or ETSI TS 102
042 and obtain certification to that effect.
** CSPs within PKIoverheid have to adhere to the requirements laid out
in part 2 of the Programme of Requirements (PoR_EN_part2_v3.6.pdf).
As stipulated in section 2.2 of part 2 of the PoR, CSPs must demonstrate
compliance by:
- certifying against ETSI EN 319 411-2, in accordance with the TTP.NL
scheme.
- certifying against ETSI TS 102 042, in accordance with the TTP.NL
scheme, when issuing Services certificates – [the CSPs will be audited
against the NCP- combined with OVCP- and PTC-BR requirements as stated
in ETSI TS 102 042.]
- demonstrating the fulfilment of PKIoverheid requirement by means of an
unqualified audit opinion.
- certifying against WebTrust for Certification Authorities – Extended
Validation audit, when issuing EV certificates
- registering with the ACM (Autoriteit Consument en Markt – Authority
for Consumers and Markets).
** Once a CSP can demonstrate compliance it can start the admittance
process by making a formal application. This application is then vetted
by PKIoverheid. See section 2.3 of part 2 of the PoR for more detail.
** In order to join the PKI for the government, a CSP is certified under
the TTP.NL scheme. This scheme is applicable in the Netherlands when
becoming certified under ETSI EN 319 411-2 and/or ETSI TS 102 042.
The CSPs are responsible for their own certification. The certification
audits can be performed by an auditor accredited for the auditing
against the TTP.NL scheme. Currently BSI Group The Netherlands B.V. and
PricewaterhouseCoopers Certification B.V. have obtained accreditation of
the Raad voor Accreditatie (Dutch Accreditation Council) (http://www.rva.nl).
The TTP.NL schema certificate is valid for three years, with the
obligation for the CSPs to undergo a yearly verification audit.


This begins the discussion of the request from Staat der Nederlanden to
include the “Staat der Nederlanden Root CA - G3” and “Staat der
Nederlanden EV Root CA” root certificates; turn on the Websites and
Email trust bits for the “Staat der Nederlanden Root CA - G3” root; turn
on the Websites trust bit for the “Staat der Nederlanden EV Root CA”;
and enable EV treatment for the “Staat der Nederlanden EV Root CA” root.

At the conclusion of this discussion I will provide a summary of issues
noted and action items. If there are outstanding issues, then an
additional discussion may be needed as follow-up. If there are no
outstanding issues, then I will recommend approval of this request in
the bug.

Kathleen

Erwann Abalea

Oct 29, 2014, 6:18:40 PM10/29/14
to mozilla-dev-s...@lists.mozilla.org
On Thursday, 23 October 2014 at 20:51:40 UTC+2, Kathleen Wilson wrote:
> Staat der Nederlanden has applied to include the "Staat der Nederlanden
> Root CA - G3" and "Staat der Nederlanden EV Root CA" root certificates;
> turn on the Websites and Email trust bits for the "Staat der Nederlanden
> Root CA - G3" root; turn on the Websites trust bit for the "Staat der
> Nederlanden EV Root CA"; and enable EV treatment for the "Staat der
> Nederlanden EV Root CA" root. The "Staat der Nederlanden Root CA - G3"
> root will eventually replace the first and second generations of this
> root that were included via Bugzilla Bug #243424 and Bug #436056.
[...]

> * EV Policy OID: 2.16.528.1.1003.1.2.7
>
> * Root Cert URLs
> http://cert.pkioverheid.nl/RootCA-G3.cer
> http://cert.pkioverheid.nl/EVRootCA.cer
>
> * Test Websites
> https://roottest-g3.pkioverheid.nl

The subscriber certificate has a UPN entry type in the SAN extension. This is not accepted under BR (see 9.2.1, "[...] Each entry MUST be either a dNSName containing the Fully-Qualified Domain Name or an iPAddress containing the IP address of a server. [...]").

> https://pkioevssl-v.quovadisglobal.com/

This subscriber certificate has also a UPN entry in the SAN.
OCSP services are OK, but:
- the ones hosted at *.pkioverheid.nl return a response bigger than necessary (the whole certificate chain including the root)
- the one at ocsp.quovadisglobal.com returns wrongly formatted "Expires" and "Last-Modified" HTTP headers (see RFC2616 3.3.1)
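Erwann's first finding above (a UPN otherName in the SAN of a server certificate, which BR 9.2.1 does not permit) can be checked mechanically. The following is an added example, not code from the thread or from Logius, KPN or QuoVadis: a dependency-free DER walk over a subjectAltName extension value that lists every GeneralName and flags those other than dNSName and iPAddress. The SAN bytes are constructed here, and the UPN OID 1.3.6.1.4.1.311.20.2.3 is Microsoft's otherName type, an assumption not taken from the page.

```python
# Added example (not code from the thread, Logius, KPN or QuoVadis): walk the
# DER of a subjectAltName extension value and flag GeneralName entries that
# BR 9.2.1 does not permit in a server certificate (anything other than
# dNSName or iPAddress), such as the Microsoft UPN otherName Erwann found.

# GeneralName context tag numbers (RFC 5280, section 4.2.1.6)
GENERAL_NAME_TAGS = {
    0: "otherName", 1: "rfc822Name", 2: "dNSName", 3: "x400Address",
    4: "directoryName", 5: "ediPartyName", 6: "uniformResourceIdentifier",
    7: "iPAddress", 8: "registeredID",
}
BR_ALLOWED = {"dNSName", "iPAddress"}      # BR 9.2.1 for server certificates
UPN_OID = "1.3.6.1.4.1.311.20.2.3"         # Microsoft User Principal Name (assumed, not on the page)


def _read_tlv(buf, pos):
    """Read one DER TLV at buf[pos]; return (tag, value, position after it).
    Single-byte tags only, which covers every GeneralName choice."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _decode_oid(value):
    """Decode DER OBJECT IDENTIFIER content bytes to dotted form."""
    arcs, n = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        n = (n << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(n)
            n = 0
    return ".".join(map(str, arcs))


def parse_san(san_der):
    """Return [(general_name_type, detail)] for a DER subjectAltName extension value."""
    tag, seq, _ = _read_tlv(san_der, 0)
    if tag != 0x30:
        raise ValueError("subjectAltName value must be a SEQUENCE OF GeneralName")
    entries, pos = [], 0
    while pos < len(seq):
        tag, val, pos = _read_tlv(seq, pos)
        name = GENERAL_NAME_TAGS.get(tag & 0x1F, "unknown[%d]" % (tag & 0x1F))
        if name in ("dNSName", "rfc822Name", "uniformResourceIdentifier"):
            detail = val.decode("ascii", "replace")            # IA5String
        elif name == "iPAddress":
            detail = ".".join(str(b) for b in val) if len(val) == 4 else val.hex()
        elif name == "otherName":
            # otherName ::= SEQUENCE { type-id OBJECT IDENTIFIER, value [0] EXPLICIT ANY }
            _, oid_bytes, p = _read_tlv(val, 0)
            oid = _decode_oid(oid_bytes)
            _, explicit, _ = _read_tlv(val, p)                  # the [0] wrapper
            _, inner, _ = _read_tlv(explicit, 0)                # the wrapped value
            label = "UPN" if oid == UPN_OID else oid
            detail = "%s=%s" % (label, inner.decode("utf-8", "replace"))
        else:
            detail = val.hex()
        entries.append((name, detail))
    return entries


def br_violations(san_der):
    """Entries a server-certificate SAN may not contain under BR 9.2.1."""
    return [(n, d) for n, d in parse_san(san_der) if n not in BR_ALLOWED]


# --- constructed sample data (not taken from any real certificate) ---
def _tlv(tag, content):
    """Minimal DER TLV encoder for building the sample (content < 64 KiB)."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    elif n < 0x100:
        length = b"\x81" + bytes([n])
    else:
        length = b"\x82" + n.to_bytes(2, "big")
    return bytes([tag]) + length + content


UPN_OID_DER = bytes.fromhex("2b060104018237140203")    # 1.3.6.1.4.1.311.20.2.3 encoded

# SAN resembling the finding: one dNSName, one iPAddress and a UPN otherName
SAMPLE_SAN = _tlv(0x30,
    _tlv(0x82, b"www.example.nl")                           # [2] dNSName
    + _tlv(0x87, bytes([192, 0, 2, 10]))                     # [7] iPAddress (TEST-NET-1)
    + _tlv(0xA0,                                             # [0] otherName
           _tlv(0x06, UPN_OID_DER)                           #   type-id = UPN
           + _tlv(0xA0, _tlv(0x0C, b"service@example.nl"))))  #   value [0] EXPLICIT UTF8String

# SAN that satisfies BR 9.2.1
CLEAN_SAN = _tlv(0x30, _tlv(0x82, b"www.example.nl") + _tlv(0x82, b"example.nl"))

if __name__ == "__main__":
    for label, san in (("sample", SAMPLE_SAN), ("clean", CLEAN_SAN)):
        print(label, parse_san(san))
        print(label, "BR 9.2.1 violations:", br_violations(san))
```

To run it against a real certificate, pass the value bytes of the id-ce-subjectAltName (2.5.29.17) extension as obtained from any X.509 parser; the block deliberately parses only that value.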

Skirving, D. (Douglas) - Logius

Oct 30, 2014, 3:46:29 PM10/30/14
to mozilla-dev-s...@lists.mozilla.org
Hi Erwann,

Thanks for your review. You raise some valid points.

It is clear that the SAN should only contain a dNSName or iPAddress. We will alter the test certificates accordingly ASAP.

The OCSP concerns are under investigation. We will share the results as they become available.

Thanks.

Kind regards,

Douglas Skirving
Chain Administrator PKIoverheid

Skirving, D. (Douglas) - Logius

Nov 10, 2014, 11:19:54 AM11/10/14
to mozilla-dev-s...@lists.mozilla.org
Hereby we would like to inform you that the test certificates relating to the Staat der Nederlanden Root Renewal Request have been revoked and reissued with the appropriate SAN extension.

The certificates are available at
https://roottest-g3.pkioverheid.nl
and
https://pkioevssl-v.quovadisglobal.com

The OCSP responder at ocsp.quovadisglobal.com now returns HTTP headers in the correct format.

We trust this addresses the concerns raised and removes any blocking issues.

Kind regards,

Douglas Skirving
Chain Administrator PKIoverheid
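Erwann's second point, the malformed Expires and Last-Modified headers that Douglas reports as fixed above, concerns the HTTP-date grammar of RFC 2616 section 3.3.1: a server must only generate rfc1123-date values (for example "Sun, 06 Nov 1994 08:49:37 GMT"), while clients must additionally accept the older rfc850 and asctime forms. The following added example (not code from the thread or from any party in it) validates the date headers of an OCSP responder's HTTP reply; the response it checks is constructed, not a capture.

```python
# Added example: validate the Date / Expires / Last-Modified headers of an
# HTTP response against the only date form a server may generate under
# RFC 2616 section 3.3.1 (rfc1123-date, always expressed in GMT).
import re
from datetime import datetime

_DAYS = ["Mon", "Tue", "Wed", "Thu", "Fri", "Sat", "Sun"]   # datetime.weekday() order
_MONTHS = ["Jan", "Feb", "Mar", "Apr", "May", "Jun",
           "Jul", "Aug", "Sep", "Oct", "Nov", "Dec"]
_RFC1123 = re.compile(
    r"^(?P<wday>Mon|Tue|Wed|Thu|Fri|Sat|Sun), (?P<day>\d{2}) "
    r"(?P<mon>Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec) (?P<year>\d{4}) "
    r"(?P<h>\d{2}):(?P<m>\d{2}):(?P<s>\d{2}) GMT$")
DATE_HEADERS = ("Date", "Expires", "Last-Modified")


def check_http_date(value):
    """Return None for a well-formed rfc1123-date, otherwise a description of the defect.
    rfc850-date and asctime-date are forms a client must accept, not forms a server may emit."""
    m = _RFC1123.match(value)
    if not m:
        return "not an rfc1123-date (expected e.g. 'Sun, 06 Nov 1994 08:49:37 GMT')"
    try:
        dt = datetime(int(m["year"]), _MONTHS.index(m["mon"]) + 1, int(m["day"]),
                      int(m["h"]), int(m["m"]), int(m["s"]))
    except ValueError as exc:                  # e.g. 31 Feb or hour 25
        return "impossible date/time: %s" % exc
    if _DAYS[dt.weekday()] != m["wday"]:       # weekday must agree with the calendar date
        return "weekday %s does not match %s (a %s)" % (m["wday"], dt.date(), _DAYS[dt.weekday()])
    return None


def check_response_headers(raw_response):
    """Return {header_name: defect} for every date header of a raw HTTP response that is malformed."""
    problems = {}
    head = raw_response.split("\r\n\r\n", 1)[0]   # header block only; the body is ignored
    for line in head.split("\r\n")[1:]:          # skip the status line
        name, _, value = line.partition(":")
        name = name.strip()
        if name in DATE_HEADERS:
            defect = check_http_date(value.strip())
            if defect:
                problems[name] = defect
    return problems


# Constructed responder reply (not a capture): Date is fine, the other two are not.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: application/ocsp-response\r\n"
    "Date: Wed, 29 Oct 2014 22:19:00 GMT\r\n"
    "Last-Modified: Wed, 29 Oct 2014 10:00:00 +0000\r\n"    # numeric zone instead of GMT
    "Expires: Thursday, 30-Oct-14 10:00:00 GMT\r\n"         # rfc850-date, not allowed from a server
    "Content-Length: 0\r\n"
    "\r\n")

if __name__ == "__main__":
    for header, defect in sorted(check_response_headers(SAMPLE_RESPONSE).items()):
        print("%s: %s" % (header, defect))
```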

Kathleen Wilson

Nov 13, 2014, 4:53:28 PM11/13/14
to mozilla-dev-s...@lists.mozilla.org
On 11/10/14, 8:18 AM, Skirving, D. (Douglas) - Logius wrote:
> Hereby we would like to inform you that the test certificates relating to the Staat der Nederlanden Root Renewal Request have been revoked and reissued with the appropriate SAN extension.
>
> The certificates are available at
> https://roottest-g3.pkioverheid.nl
> and
> https://pkioevssl-v.quovadisglobal.com
>
> The OCSP responder at ocsp.quovadisglobal.com now returns HTTP headers in the correct format.
>
> We trust this addresses the concerns raised and removes any blocking issues.
>
> Kind regards,
>
> Douglas Skirving
> Chain Administrator PKIoverheid
> ........................................................................


Douglas,

Was the problem only with the test certificates?

Did you check to make sure the problem isn't happening for other
certificates?

Kathleen


Skirving, D. (Douglas) - Logius

Nov 14, 2014, 5:31:58 AM11/14/14
to mozilla-dev-s...@lists.mozilla.org
Hi Kathleen,

The problem was indeed only with the test certificates, as no other certificates have issued from the roots in question. The certificate profiles in use have been modified to avoid this occurring in future.

Kind regards,

Douglas Skirving
Chain Administrator PKIoverheid

Kathleen Wilson

Nov 17, 2014, 6:18:12 PM11/17/14
to mozilla-dev-s...@lists.mozilla.org
On 10/23/14, 11:50 AM, Kathleen Wilson wrote:
> Staat der Nederlanden has applied to include the “Staat der Nederlanden
> Root CA - G3” and “Staat der Nederlanden EV Root CA” root certificates;
> turn on the Websites and Email trust bits for the “Staat der Nederlanden
> Root CA - G3” root; turn on the Websites trust bit for the “Staat der
> Nederlanden EV Root CA”; and enable EV treatment for the “Staat der
> Nederlanden EV Root CA” root. The “Staat der Nederlanden Root CA - G3”
> root will eventually replace the first and second generations of this
> root that were included via Bugzilla Bug #243424 and Bug #436056.
>


Thanks, Erwann, for reviewing and commenting on this request. I believe
that Douglas resolved the questions/concerns that you raised. Please
reply if not.

All, Does anyone else have any comments or questions about this request?

If not, I will recommend approval in the bug.

Thanks,
Kathleen


Kathleen Wilson

Dec 1, 2014, 2:30:23 PM12/1/14
to mozilla-dev-s...@lists.mozilla.org
Thank you to those of you who reviewed and contributed to this
discussion about the request from Staat der Nederlanden to include the
“Staat der Nederlanden Root CA - G3” and “Staat der Nederlanden EV Root
CA” root certificates; turn on the Websites and Email trust bits for the
“Staat der Nederlanden Root CA - G3” root; turn on the Websites trust
bit for the “Staat der Nederlanden EV Root CA”; and enable EV treatment
for the “Staat der Nederlanden EV Root CA” root.

The questions and concerns that were raised during this discussion have
been addressed, and there are no resulting action items.

I am closing this discussion, and I will recommend approval in the bug.

https://bugzilla.mozilla.org/show_bug.cgi?id=1016568

Any further follow-up on this request should be added directly to the bug.

Thanks,
Kathleen


