Closed Bug 1015862 Opened 10 years ago Closed 10 years ago

Staat der Nederlanden Root CA - G3 Inclusion Request

(CA Program :: CA Certificate Root Program, task)

RESOLVED DUPLICATE of bug 1016568

(Reporter: douglas.skirving, Assigned: kwilson)

User Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:29.0) Gecko/20100101 Firefox/29.0 (Beta/Release)
Build ID: 20140506152807
The Staat der Nederlanden (represented by Logius) would hereby like to request inclusion of the "Staat der Nederlanden Root CA - G3" in the Default Certificate store.

SUMMARY
The Staat der Nederlanden Root CA – G3 is the third generation Root CA of the Dutch governmental PKI (PKIoverheid). This Public Key Infrastructure was designed for trustworthy electronic communication within and with the Dutch government. The first and second generation Root CAs are included in the Mozilla Root Programme.

The G3 Root CA acts as the successor of the presently included G2 Root CA. The Root CAs in the PKIoverheid have a validity of 15 years, and are replaced according to a fixed timetable. During the first 6 years of its validity the Root CA is used to issue sub-CAs. After 6 years a new generation Root CA is created leaving the previous generation to be used for validation purposes. 

The G3 Root CA is used to issue subCA certificates to CSPs in the PKIoverheid system. These CSPs in turn issue end entity certificates. 

ROOT CERTIFICATE DETAILS
Certificate Name:  Staat der Nederlanden Root CA – G3
Certificate Signature Algorithm:  sha256RSA
SHA1 Fingerprint: d8 eb 6b 41 51 92 59 e0 f3 e7 85 00 c0 3d b6 88 97 c9 ee fc
Valid From:  2013-11-14
Valid To:  2028-11-14
http://cert.pkioverheid.nl/RootCA-G3.cer

HIERARCHY INFORMATION
The PKIoverheid G3 hierarchy consists of three tiers; Root CA, Domain Subroot CA and CSP Subroot CA. This hierarchy is described in further detail below:

Tier 1: Root CA
Staat der Nederlanden Root CA – G3
This internally operated offline Root CA is the trust anchor of the third generation root hierarchy of PKIoverheid. This CA is only used to sign Domain Subroot CAs and corresponding status information.

Tier 2: Domain Subroot CAs
- Domain Organisation Person: Staat der Nederlanden Organisatie Persoon CA – G3
This internally operated offline Domain Subroot CA is used to sign CSP Subroot CAs in the domain Organisation Person.

- Domain Organisation Services: Staat der Nederlanden Organisatie Services CA – G3
This internally operated offline Domain Subroot CA is used to sign CSP Subroot CAs in the domain Organisation Services.

- Domain Citizen: Staat der Nederlanden Burger CA – G3
This internally operated offline Domain Subroot CA is used to sign CSP Subroot CAs in the domain Citizen.

- Domain Autonomous Devices: Staat der Nederlanden Autonome Apparaten CA – G3
This internally operated offline Domain Subroot CA is used to sign CSP Subroot CAs in the domain Autonomous Devices.

Tier 3: CSP Subroot CAs
Organisation Person CSP Subroot CA
- At present no CSP Subroot CA has been issued in the domain Organisation Person.

Organisation Person CSP Subroot CA 
- CSP KPN Corporate Market: KPN Corporate Market CSP Organisatie Services CA - G3
This externally operated online CSP Subroot CA is operated by KPN Corporate Market to issue end entity certificates to their subscribers.

Citizen CSP Subroot CA
- At present no CSP Subroot CA has been issued in the domain Organisation Person.

Autonomous Devices CSP Subroot CA
- At present no CSP Subroot CA has been issued in the domain Organisation Person.

POLICY INFORMATION
The operation of PKIoverheid is governed by the Programme of Requirements. This collection of documents contains all requirements CSPs operating under PKIoverheid must adhere to. The English translation of this Programme of Requirements is available through http://www.logius.nl/english/products/access/pkioverheid/. The PoR consists of four parts:
- Part 1: Introduction
- Part 2: CSP Requirements
- Part 3: Certificate Policies
- Part 4: Definitions and abbreviations

AUDIT INFORMATION
The Staat der Nederlanden Root and Domain CAs (Tier 1 and 2) have been audited against "Trust Service Principles and Criteria for Certification Authorities" and "WebTrust® for Certification Authorities – SSL Baseline Requirements Audit Criteria, Version 1.1 – January 2013" by KPMG Advisory (http://www.kpmg.com/nl/nl/Pages/default.aspx).
The Audit Report and Management’s Assertions can be found here: http://cert.webtrust.org/SealFile?seal=1652&file=pdf 

The KPN Corporate Market CSP CA (Tier 3) has been audited against the "Scheme for the certification of Certification Authorities against ETSI TS 101 456" by BSI (http://www.bsigroup.com/).
The Certificate of Registration can be found here: https://certificaat.kpn.com/files/ETSI/Getronics%20-%20ETSI%20certificate%20by%20BSI.pdf

DETAILS
Further details, including an analysis of the Recommended and Problematic Practices, can be found in the "20140526StaatDerNederlandenRootCA-G3InclusionRequest" document attached to this bug report.

I am accepting this bug, and will work on it as soon as possible, but I have a large backlog.
https://wiki.mozilla.org/CA:Schedule#Requests_in_the_Information_Gathering_and_Verification_Phase

I will update this bug when I begin the Information Verification phase.
https://wiki.mozilla.org/CA:How_to_apply#Information_Verification

Status: UNCONFIRMED → ASSIGNED
Ever confirmed: true

I'm going to combine this request with #1016568.

Status: ASSIGNED → RESOLVED
Closed: 10 years ago
Resolution: --- → DUPLICATE
Product: mozilla.org → NSS
Product: NSS → CA Program