I found the following inconsistencies and issues in the CPS of the delegated CAs from PKIOverheid to QuoVadis, of which the latest version I could find is available at . The issues are ordered in order of perceived importance, which in this case is also in reverse order of discovery.
1.) BR 4.9.3: "The CA SHALL publicly disclose the instructions through a readily accessible online means and in section 1.5.2 of their CPS."
The section '126.96.36.199 - Revocation Reporting' in this CPS only links to a web portal which requires login, or to phone numbers. The same data is duplicated in section 4.9.3 of the CPS. I believe neither of the included instructions qualifies as "readily accessible online means", as this makes it near impossible to report a key compromise to the CA through official channels.
2.) The CPS limits in 4.9.2 those who can request revocation to
- The CertificateManager
- The Subscriber
- QuoVadis as a TSP
- Organisations of Registered Professionals
- Authorities/regulators who are involved in the regulation of PKIo activities e.g. Logius.
- Application Software Suppliers
I believe this is not in line with the same section in the BR, which states 'The Subscriber, RA, or Issuing CA can initiate revocation. Additionally, Subscribers, Relying Parties, Application Software Suppliers, and other third parties may submit Certificate Problem Reports informing the issuing CA of reasonable cause to revoke the certificate.' Specifically, the provided list does not include third parties with proof of key compromise.
3.) On 2020-06-22 I tried contacting the contact in '1.5.1 - Organisation Administering the Document' (which calls out to contact that address for comments regarding the CPS) and '1.5.2 - Contact person' (which contains the same mail address) about point 4 below, but have as of yet not received a reply, nor a confirmation mail. This implies that the contact info is incorrect.
4.) The CPS has a changelog that contains entries for previous versions that have version numbers higher than the current version. Although denoted by "previous document", this is confusing and the MRSP requires increasing the version number for CPS updates, implying resetting the number is not desired.