Closed Bug 1016568 Opened 6 years ago Closed 4 years ago

Staat der Nederlanden G3 and EV Root CA Inclusion Request

Categories

(NSS :: CA Certificate Root Program, task)

RESOLVED FIXED

People

(Reporter: douglas.skirving, Assigned: kwilson)

(Whiteboard: In NSS 3.18, Firefox 38 -- EV treatment enabled in Firefox 40)

Attachments

(8 files, 1 obsolete file)

User Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:29.0) Gecko/20100101 Firefox/29.0 (Beta/Release)
Build ID: 20140506152807

Steps to reproduce:

The Staat der Nederlanden (represented by Logius) would hereby like to request inclusion of the "Staat der Nederlanden EV Root CA" in the Default Certificate store.

SUMMARY
The Staat der Nederlanden EV Root CA is the Extended Validation Root CA of the Dutch governmental PKI (PKIoverheid). This Public Key Infrastructure was designed for trustworthy electronic communication within and with the Dutch government. A number of Staat der Nederlanden Root CAs are already included in the Mozilla Root Programme.

The EV Root CA is used to issue subCA certificates to CSPs in the PKIoverheid system. These CSPs in turn issue end entity certificates. 

ROOT CERTIFICATE DETAILS
Certificate Name:  Staat der Nederlanden EV Root CA
Certificate Signature Algorithm:  sha256RSA
SHA1 Fingerprint: 76 e2 7e c1 4f db 82 c1 c0 a6 75 b5 05 be 3d 29 b4 ed db bb
Valid From:  2012-12-08
Valid To:  2022-12-08
http://cert.pkioverheid.nl/EVRootCA.cer

HIERARCHY INFORMATION
The PKIoverheid EV hierarchy consists of three tiers; Root CA, Intermediate Subroot CA and CSP Subroot CA. This hierarchy is described in further detail below:

Tier 1: Root CA
Staat der Nederlanden EV Root CA
This internally operated offline Root CA is the trust anchor of the Extended Validation root hierarchy of PKIoverheid. This CA is only used to sign the Intermediate Subroot CA and corresponding status information.

Tier 2: Intermediate Subroot CA
Staat der Nederlanden EV Intermediair CA
This internally operated offline Intermediate Subroot CA is used to sign CSP Subroot CAs.

Tier 3: CSP Subroot CA 
CSP QuoVadis: QuoVadis CSP - PKI Overheid EV CA
This externally operated online CSP Subroot CA is operated by QuoVadis to issue EV end entity certificates to their subscribers.


POLICY INFORMATION
The operation of PKIoverheid is governed by the Programme of Requirements. This collection of documents contains all requirements CSPs operating under PKIoverheid must adhere to. The English translation of this Programme of Requirements is available through http://www.logius.nl/english/products/access/pkioverheid/. The PoR consists of four parts:
-	Part 1: Introduction
-	Part 2: CSP Requirements
-	Part 3: Certificate Policies
-	Part 4: Definitions and abbreviations

The Extended Validation Root is governed by part 3e of the Programme of Requirements. The Certificate policy - Extended Validation can be downloaded directly from  http://www.logius.nl/fileadmin/logius/product/pkioverheid/documenten/PoR_EN_part3e_v3.6.pdf

AUDIT INFORMATION
The Staat der Nederlanden Root and Domain CAs (Tier 1 and 2) have been audited against "Trust Service Principles and Criteria for Certification Authorities" and "WebTrust® for Certification Authorities – SSL Baseline Requirements Audit Criteria, Version 1.1 – January 2013" by KPMG Advisory (http://www.kpmg.com/nl/nl/Pages/default.aspx).
The Audit Report and Management’s Assertions can be found here: http://cert.webtrust.org/SealFile?seal=1652&file=pdf

With regard to the PKIoverheid Extended Validation Root a point-in-time audit has been executed by KPMG. The Management Assertion and Independent Auditor’s Report of this audit have been attached to the bug of this submission request. 
 

The QuoVadis CSP (Tier3) has been audited against "Webtrust for Certification Authorities", "Webtrust for Extended Validation" and "Webtrust for Baseline Requirements" by Ernst & Young (http://www.ey.com).
The Audit Reports and Management’s Assertions are available here: 
-	https://cert.webtrust.org/ViewSeal?id=1503 
-	https://cert.webtrust.org/ViewSeal?id=1508 
-	https://cert.webtrust.org/ViewSeal?id=1520 
Auditor: Ernst & Young
Auditor Website: http://www.ey.com 


Furthermore QuoVadis has been audited against the "Scheme for the certification of Certification Authorities against ETSI TS 101 456" by BSI (http://www.bsigroup.com/)
The Certificate of Registration can be found here: http://www.quovadisglobal.com/~/media/Files/ Files_Global/ETS%20010%20eCertificate.ashx

DETAILS
Further details, including an analysis of the Recommended and Problematic Practices can be found in the "20140527StaatDerNederlandenEVRootCAInclusionRequest" document attached to this bug report.

I am accepting this bug, and will work on it as soon as possible, but I have a large backlog.
https://wiki.mozilla.org/CA:Schedule#Requests_in_the_Information_Gathering_and_Verification_Phase

I will update this bug when I begin the Information Verification phase.
https://wiki.mozilla.org/CA:How_to_apply#Information_Verification
Status: UNCONFIRMED → ASSIGNED
Ever confirmed: true
Duplicate of this bug: 1015862
Summary: Staat der Nederlanden EV Root CA Inclusion Request → Staat der Nederlanden G3 and EV Root CA Inclusion Request
The attached document summarizes the information that has been verified.

The items highlighted in yellow indicate where further information or
clarification is needed. Please review the full document for accuracy and
completeness, and provide the necessary information in this bug.
Whiteboard: EV - Information incomplete
With regard to the highlighted items concerning our Staat der Nederlanden Root CA - G3: 

As per BR paragraph 17.1 section 4 we have included the requirements from the BRs in our PKIoverheid Certificate Policy (Programma van Eisen) part 3b based on ETSI TS 102 042 as from 7/1/2012. All our CSPs are annually audited against ETSI TS 101 456 and our CPs by an independent auditor (BSI Management). Compliance with our CP part 3b means compliance with the BRs. The auditor from BSI makes a statement about this in the detailed audit report. 

At this moment we are in the midst of a migration process where we will phase out the BR requirements in our CP part 3b and require from our CSPs, if they issue PKIoverheid SSL certs, that they are audited against ETSI TS 102 042 (http://www.etsi.org/deliver/etsi_ts/102000_102099/102042/02.04.01_60/ts_102042v020401p.pdf) by an independent auditor (BSI Management). More specifically: the CSPs will be audited against the NCP- combined with OVCP- and PTC-BR requirements as stated in ETSI TS 102 042. Our CSP QuoVadis will be the first CSP who will be audited against these requirements. The ETSI TS 102 042 certificate (including a reference to the NCP, OVCP and PTC-BR requirements) from QuoVadis will be publicly available coming August. The ETSI 102 042 certificate from our CSP KPN will be publicly available coming October. The ETSI TS 102 042 certification from our other CSPs, if they issue PKIoverheid SSL certs, will follow at the end of this year or early 2015.

If deemed necessary, the auditor from BSI Management can confirm the above explanation.

Please let me know if you have any questions. 

Thanks. 

Regards,
Mark

Thanks for the update. Please add a comment to this bug when the ETSI TS 102 042 (with PTC-BR) audit statements are available for the two non-constrained subCAs.
Whiteboard: EV - Information incomplete → EV - BR audits from subCAs
Please find attached the ETSI TS 102 042 certificate for the Quo Vadis CSP that operates under the PKIoverheid EV root. The certificate includes a reference to the NCP, OVCP and PTC-BR requirements. Could you indicate whether this certificate satisfies the request for additional information in the Initial CA Information Document for the PKIoverheid EV root?

The CSP under the PKIoverheid G3 root - KPN CSP - will have their ETSI 102 042 certificate available in October. When it becomes available I will include it in this bug report. 

If you have any questions please contact me.

Thanks and kind regards,
Douglas

(In reply to Douglas Skirving from comment #8)
> Please find attached the ETSI TS 102 042 certificate for the Quo Vadis CSP
> that operates under the PKIoverheid EV root. The certificate includes a
> reference to the NCP, OVCP and PTC-BR requirements. Could you indicate
> whether this certificate satisfies the request for additional information in
> the Initial CA Information Document for the PKIoverheid EV root?

Yes.

But now I'm having trouble with links to the policy documents. Please tell me the new URLs...

Document Repository (Dutch): http://www.logius.nl/producten/toegang/pkioverheid/aansluiten-als-csp/programma-van-eisen/
Document Repository (English): http://www.logius.nl/english/products/access/pkioverheid/
Attached image EV-Check-Success.png
Attached file Completed CA Information Document (obsolete)
This request has been added to the queue for public discussion. 
https://wiki.mozilla.org/CA:Schedule#Queue_for_Public_Discussion
Whiteboard: EV - BR audits from subCAs → EV - Information confirmed complete
Please find attached the requested certification of KPN Corporate Market (ETSI 102 042 with PTC-BR).
Attached file ETS_001[1].pdf
Please find attached the ETSI 101 456 certification of KPN Corporate Market.
Attachment #8488276 - Attachment is obsolete: true
I am now opening the first public discussion period for this request from Staat der Nederlanden to include the “Staat der Nederlanden Root CA - G3” and “Staat der Nederlanden EV Root CA” root certificates; turn on the Websites and Email trust bits for the “Staat der Nederlanden Root CA - G3” root; turn on the Websites trust bit for the “Staat der Nederlanden EV Root CA”; and enable EV treatment for the “Staat der Nederlanden EV Root CA” root. The “Staat der Nederlanden Root CA - G3” root will eventually replace the first and second generations of this root that were included via Bugzilla Bug #243424 and Bug #436056.

For a description of the public discussion phase, see https://wiki.mozilla.org/CA:How_to_apply#Public_discussion

Public discussion will be in the mozilla.dev.security.policy newsgroup and the corresponding dev-security-policy@lists.mozilla.org mailing list.

The discussion thread is called “Staat der Nederlanden Root Renewal Request”.

Please actively review, respond, and contribute to the discussion.

A representative of Staat der Nederlanden must promptly respond directly in the discussion thread to all questions that are posted.
Whiteboard: EV - Information confirmed complete → EV - In Public Discussion
The public comment period for this request is now over. 

This request has been evaluated as per Mozilla’s CA Certificate Policy at

 http://www.mozilla.org/about/governance/policies/security-group/certs/policy/

Here follows a summary of the assessment. If anyone sees any factual errors, please point them out.

To summarize, this assessment is for the request to include the “Staat der Nederlanden Root CA - G3” and “Staat der Nederlanden EV Root CA” root certificates; turn on the Websites and Email trust bits for the “Staat der Nederlanden Root CA - G3” root; turn on the Websites trust bit for the “Staat der Nederlanden EV Root CA”; and enable EV treatment for the “Staat der Nederlanden EV Root CA” root. The “Staat der Nederlanden Root CA - G3” root will eventually replace the first and second generations of this root that were included via Bugzilla Bug #243424 and Bug #436056.

Section 4 [Technical]. I am not aware of instances where Staat der Nederlanden has knowingly issued certificates for fraudulent use. If anyone knows of any such issues or instances, please note them in this bug.

Section 6 [Relevancy and Policy]. Staat der Nederlanden appears to provide a service relevant to Mozilla users: It is the Dutch government PKI (a.k.a. PKIoverheid), designed for trustworthy electronic communication within and with the Dutch government. Each root has one or more sub CAs known as domain CAs or intermediate CAs. Each domain or intermediate CA services multiple Certificate Service Providers (CSPs). The CSPs (commercial and governmental organisations) issue several types of certificates, such as authentication, encryption, non-repudiation and SSL, to end-users. End-users can be companies and governmental organisations. The PKIoverheid does not issue certificates directly to end-users, the PKIoverheid only issues certificates to CSPs. The Ministry of the Interior and Kingdom Relations (represented by Logius) is the owner of the PKIoverheid. Logius supports the Dutch Minister of the Interior and Kingdom Relations with the management and control of the PKI system.

Policies are documented in the documents published on their website and listed in the entries on the pending applications list. The main documents of interest are provided in Dutch and English.

Document Repository (Dutch): https://www.logius.nl/ondersteuning/pkioverheid/aansluiten-als-csp/programma-van-eisen/

Document Repository (English): https://www.logius.nl/languages/english/pkioverheid/ 

Staat der Nederlanden Root and Domain CAs (Tier 1 and 2)
CP (English):
Part 3a: Certificate policy Government, Companies and Organizations (https://www.logius.nl/fileadmin/logius/ns/diensten/pkioverheid/programma-van-eisen/PoR_EN_part3a_v3.6.pdf )
Part 3b: Certificate policy Services 
(https://www.logius.nl/fileadmin/logius/ns/diensten/pkioverheid/programma-van-eisen/PoR_EN_part3b_v3.6.pdf )
Part 3c: Certificate policy Citizen 
(https://www.logius.nl/fileadmin/logius/ns/diensten/pkioverheid/programma-van-eisen/PoR_EN_part3c_v3.6.pdf )
Part 3d: Certificate policy Autonomous Devices 
(https://www.logius.nl/fileadmin/logius/ns/diensten/pkioverheid/programma-van-eisen/PoR_EN_part3d_v3.6.pdf )
Part 3e: Certificate policy - Extended Validation (http://www.logius.nl/fileadmin/logius/product/pkioverheid/documenten/PoR_EN_part3e_v3.6.pdf )

EV CP: https://www.logius.nl/fileadmin/logius/ns/diensten/pkioverheid/programma-van-eisen/PoR_EN_part3e_v3.6.pdf 


Section 7 [Validation]. Staat der Nederlanden appears to meet the minimum requirements for subscriber verification, as follows:

* SSL: The requirements in the Programme of Requirements (PoR_EN_part3b_v3.6.pdf) regarding the subject.commonName (page 56) and subjectAltName.dNSName (page 64) state: “The subscriber MUST prove that the organization can use this name. In services server certificates [OID 2.16.528.1.1003.1.2.2.6 and 2.16.528.1.1003.1.2.5.6] the CSP MUST check recognized registers (Stichting Internet Domeinregistratie Nederland (SIDN) or Internet Assigned Numbers Authority (IANA)) to find out whether the subscriber is the domain name owner or whether the subscriber is exclusively authorized by the registered domain name owner to use the domain name on behalf of the registered domain name owner.”

* Email: The requirements on the SubjectAltName.rfc822Name attribute in part 3a of the PoR (PoR_EN_part3a_v3.6.pdf) (page 53) state: “If the e-mail address is included in the certificate, the CSP MUST:
- have the subscriber sign his/her approval for these and;
- check that the e-mail address belongs to the subscriber's domain, or;
- check that the e-mail address belongs to the subscriber (e.g. the professional) and that this person has access to the e-mail

* Code: Not requesting the code signing trust bit.

Section 18 [Certificate Hierarchy]. 
The PKIoverheid does not issue certificates directly to end-users, the PKIoverheid only issues certificates to CSPs. PKIoverheid is an established Super-CA that has demonstrated compliance to the requirements listed here: https://wiki.mozilla.org/CA:SubordinateCA_checklist#Super-CAs

* CSPs that want to issue certificates under the PKIoverheid hierarchy have to be certified against ETSI EN 319 411 and/or ETSI TS 102 042 in accordance with the TTP.NL scheme. In addition the CSP must demonstrate that it fulfils the additional PKIoverheid requirements by means of an unqualified audit opinion.
See section 2.2 of part 2 of the PKIoverheid Programme of Requirements (PoR_EN_part2_v3.6.pdf).

* The PKIoverheid G3 hierarchy consists of three tiers; Root CA, Domain Subroot CA and CSP Subroot CA. 
Tier 1: Root CA
** Staat der Nederlanden Root CA – G3 This internally operated offline Root CA is the trust anchor of the third generation root hierarchy of PKIoverheid. This CA is only used to sign Domain Subroot CA’s and corresponding status information.
Tier 2: Domain Subroot CAs
** Domain Organisation Person: Staat der Nederlanden Organisatie Persoon CA – G3 This internally operated offline Domain Subroot CA is used to sign CSP Subroot CAs in the domain Organisation Person.
Tier 3: Organisation Person CSP Subroot CA
** At present no CSP Subroot CA has been issued in the domain Organisation Person.
** Domain Organisation Services: Staat der Nederlanden Organisatie Services CA – G3 This internally operated offline Domain Subroot CA is used to sign CSP Subroot CAs in the domain Organisation Services.
Tier 3: Organisation Person CSP Subroot CA
** CSP KPN Corporate Market: KPN Corporate Market CSP Organisatie Services CA - G3 This externally operated online CSP Subroot CA is operated by KPN Corporate Market to issue end entity certificates to their subscribers.
** Domain Citizen: Staat der Nederlanden Burger CA – G3 This internally operated offline Domain Subroot CA is used to sign CSP Subroot CAs in the domain Citizen.
Tier 3: Citizen CSP Subroot CA
** At present no CSP Subroot CA has been issued in the domain Organisation Person.
** Domain Autonomous Devices: Staat der Nederlanden Autonome Apparaten CA – G3 This internally operated offline Domain Subroot CA is used to sign CSP Subroot CAs in the domain Autonomous Devices.
Tier 3: Autonomous Devices CSP Subroot CA
** At present no CSP Subroot CA has been issued in the domain Organisation Person.
Please see section 2.4 of part 1 of the PKIoverheid Programme of Requirements (PoR_EN_part1_v3.6.pdf) for more information on the PKI design.

* The PKIoverheid EV hierarchy consists of three tiers; Root CA, Intermediate Subroot CA and CSP Subroot CA.
Tier 1: Root CA
** Staat der Nederlanden EV Root CA This internally operated offline Root CA is the trust anchor of the Extended Validation root hierarchy of PKIoverheid. This CA is only used to sign the Intermediate Subroot CA and corresponding status information.
Tier 2: Intermediate Subroot CA
** Staat der Nederlanden EV Intermediair CA This internally operated offline Intermediate Subroot CA is used to sign CSP Subroot CAs.
Tier 3: CSP Subroot CA
** CSP QuoVadis: QuoVadis CSP - PKI Overheid EV CA This externally operated online CSP Subroot CA is operated by QuoVadis to issue EV end entity certificates to their subscribers.

* KPN Corporate Market CSP CA (Tier3)
CPS (Dutch): https://certificaat.kpn.com/files/CPS/KPN_PKIoverheid_CPS_v4.19.pdf 
Relying Party Agreement (English): https://certificaat.kpn.com/files/voorwaarden/Relying%20Party%20Agreement%20v1.3.1.pdf 

* QuoVadis CSP - PKI Overheid EV CA (Tier3)
CPS (Dutch): https://www.quovadisglobal.com/~/media/Files/Repository/QV_CPS_PKI_Overheid_V1_1_4.ashx 
Relying Party Agreement (English): https://www.quovadisglobal.com/~/media/Files/Repository/QV_RPA_v1%201.ashx

* The other CSPs in the PKIoverheid ecosystem have not yet been issued with subroots under the G3 or EV hierarchy. 
More information on the other CSPs can be found in Bug #551399 


EV Policy OID: 2.16.528.1.1003.1.2.7
** EV treatment is requested for the “Staat der Nederlanden EV Root CA” root

OCSP:
http://rootocsp-g3.pkioverheid.nl 
http://domorganisatieservicesocsp-g3.pkioverheid.nl 
http://ocsp3.managedpki.com 
http://evrootocsp.pkioverheid.nl 
http://ocsp.pkioverheid.nl 
http://ocsp.quovadisglobal.com

Potentially Problematic Practices  (http://wiki.mozilla.org/CA:Problematic_Practices)

* Delegation of Domain / Email validation to third parties
Within the PKIoverheid system the CSPs are responsible for the validation of information they include in the end entity certificates they issue. If a CSP chooses to delegate the RA function to another entity, they still need to conform to ETSI EN 319 411 and/or ETSI TS 102 042 and obtain certification to that effect.
** CSPs within PKIoverheid have to adhere to the requirements laid out in part 2 of the Programme of Requirements (PoR_EN_part2_v3.6.pdf) .
As stipulated in section 2.2 of part 2 of the PoR CSPs must demonstrate compliance by
- certifying against ETSI EN 319 411-2, in accordance with the TTP.NL scheme.
- certifying against ETSI TS 102 042, in accordance with the TTP.NL scheme, when issuing Services certificates – [the CSPs will be audited against the NCP- combined with OVCP- and PTC-BR requirements as stated in ETSI TS 102 042.]
- demonstrating the fulfilment of PKIoverheid requirement by means of an unqualified audit opinion.
- certifying against WebTrust for Certification Authorities – Extended Validation audit, when issuing EV certificates
- registering with the ACM (Autoriteit Consument en Markt – Authority for Consumers and Markets).
** Once a CSP can demonstrate compliance it can start the admittance process by making a formal application. This application is then vetted by PKIoverheid. See section 2.3 of part 2 of the PoR for more detail.
** In order to join the PKI for the government, a CSP is certified under the TTP.NL scheme. This scheme is applicable in the Netherlands when becoming certified under ETSI EN 319 411-2 and/or ETSI TS 102 042.
The CSPs are responsible for their own certification. The certification audits can be performed by an auditor accredited for the auditing against the TTP.NL scheme. Currently BSI Group The Netherlands B.V. and PricewaterhouseCoopers Certification B.V. have obtained accreditation of the Raad voor Accreditatie (Dutch Accreditation Council) (http://www.rva.nl)
The TTP.NL schema certificate is valid for three years, with the obligation for the CSPs to undergo a yearly verification audit.


Sections 11-14 [Audit].  
* Staat der Nederlanden Root and Domain CAs (Tier 1 and 2)
Audit Type: WebTrust CA and WebTrust BR
Auditor: KPMG Advisory N.V., http://www.kpmg.com/nl/nl/Pages/default.aspx 
Audit Report: http://cert.webtrust.org/SealFile?seal=1652&file=pdf (2014.03.20)
With regard to the Extended Validation root a point-in-time audit has been executed by KPMG. 
Audit Statement: https://bugzilla.mozilla.org/attachment.cgi?id=8429540 (2013.11.19)

* KPN Corporate Market CSP CA (Tier3)
Auditor: BSI, http://www.bsigroup.com/
Audit Statement: https://bugzilla.mozilla.org/attachment.cgi?id=8501724  -- ETSI TS 102042 V2.4.1 NCP+, OVCP, PTC-BR (2014.09.30)

* QuoVadis CSP (Tier3)
Auditor: BSI Group 
Audit Statement: https://bugzilla.mozilla.org/attachment.cgi?id=8472145 -- ETSI TS 102042 v2.4.1 NCP+, OVCP, PTC-BR  (2014.04.08)

Based on this assessment I intend to approve this request to include the “Staat der Nederlanden Root CA - G3” and “Staat der Nederlanden EV Root CA” root certificates; turn on the Websites and Email trust bits for the “Staat der Nederlanden Root CA - G3” root; turn on the Websites trust bit for the “Staat der Nederlanden EV Root CA”; and enable EV treatment for the “Staat der Nederlanden EV Root CA” root.
Whiteboard: EV - In Public Discussion → EV - Pending approval
As per the summary in Comment #18, and on behalf of Mozilla I approve this request from Staat der Nederlanden (a.k.a. PKIoverheid) to include the following root certificates:

** “Staat der Nederlanden Root CA - G3” (websites, email)
** “Staat der Nederlanden EV Root CA” (websites), enable EV

I will file the NSS and PSM bugs for the approved changes.
Whiteboard: EV - Pending approval → EV - Approved - awaiting NSS and PSM changes
Depends on: 1108770
Depends on: 1108780
I have filed bug #1108770 against NSS and bug #1108780 against PSM for the actual changes.
Whiteboard: EV - Approved - awaiting NSS and PSM changes → In NSS 3.18, Firefox 38 -- Pending PSM changes for EV
Status: ASSIGNED → RESOLVED
Closed: 4 years ago
Resolution: --- → FIXED
Whiteboard: In NSS 3.18, Firefox 38 -- Pending PSM changes for EV → In NSS 3.18, Firefox 38 -- EV treatment enabled in Firefox 40
Product: mozilla.org → NSS