The Netherlands root cert inclusion

RESOLVED FIXED

Status

--
enhancement
15 years ago
2 years ago

People

(Reporter: bart.knubben, Assigned: hecker)

Attachments

(1 attachment)

175.42 KB, application/pdf
Details
(Reporter)

Description

15 years ago
User-Agent:       Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.6) Gecko/20040207 Firefox/0.8
Build Identifier: 

We (the Dutch PA) contacted Frank Hecker about adding The Netherlands root
certificate to Mozilla and he asked us to file the request as a bug report.

"PKI voor de Overheid" (hereafter PKIoverheid; http://www.pkioverheid.nl) is the
name for the Public Key Infrastructure designed for trustworthy electronic
communication within and with the Dutch government. To reach the latter goal a
national PKI certificate hierarchy has been realised. This national PKI
hierarchy consists of 1 root and 3 domains each having several Certificate
Service Providers (CSPs) underneath. The Policy Authority supports the Dutch
Minister of Interior and Kingdom Relations with the management and control of
the PKI system. 

At this moment the use of PKIoverheid certificates is growing and shortly
ssl-certificates will be issued. To support end-users and relying parties
optimally it is important that the root certificate of the PKIoverheid is already
trusted and thus installed in the browser or operating system of the end-user
and relying party. Therefore we would like the root certificate of the "Staat
der Nederlanden" (The Netherlands) to be included in the certificate trust list
of Mozilla. The root cert can be found here:
http://www.pkioverheid.nl/contents/pages/00000325/staatdernederlandenrootca.crt

At the moment the Policy Authority is audited against the WebTrust for CAs
program. We will update the bug, when the WebTrust audit has been completed
successfully. 

(Reporter)

Comment 1

14 years ago
Created attachment 159705 [details]
WebTrust Audit

The document (PDF) contains the Accountant Report from KPMG and the Assertion
of Management from the Dutch Ministry of the Interior and Kingdom Relations.
(Assignee)

Comment 2

14 years ago
(In reply to comment #1)
> Created an attachment (id=159705)
> WebTrust Audit
> 
> The document (PDF) contains the Accountant Report from KPMG and the Assertion
> of Management from the Dutch Ministry of the Interior and Kingdom Relations.

Thank you for updating the bug with this information, and congratulations on
completing your WebTrust audit! I have the following additional questions:

1. Do you have a public URL yet for the WebTrust audit report and management
assertions document? (For example, a link from the WebTrust site.) I'd like to
reference this URL on a web page I'm maintaining with CA information.

2. I was looking for your Certification Practice Statement, and found this:

http://www.pkioverheid.nl/contents/pages/00000386/cps_pa_pkioverheid_v1_0.pdf

Is this the current CPS? Is the above URL the official URL for this document? Is
the document also available in an English translation?

3. What is the URL for downloading the CRL for the Staat der Nederlanden Root CA?

4. I presume that the CSPs under the Policy Authority will issue both SSL server
certificates and email certificates. Will they also issue certificates for
object signing (e.g., of executable code objects)? (We need this information to
determine how to set the "trust bits" for the root CA. For now I will assume
that the root CA certificate should be trusted in Mozilla for all purposes.)

Now that you have completed the WebTrust audit I expect I will be able to
approve your CA certificate for inclusion in Mozilla. (I have some other
requests to process as well, so I'm not going to officially do this right away.)
After that I will file a bug to add the CA certificate to the NSS library used
by Mozilla, and sometime after that the CA certificate should appear in Mozilla,
Firefox, etc. Note that at this time we can't commit to a firm schedule for when
the CA certificate will be distributed with Mozilla, etc.
Status: UNCONFIRMED → ASSIGNED
Ever confirmed: true
(Reporter)

Comment 3

14 years ago
Thanks for your quick reply. Below are the answers to your four additional questions.

1. At this moment our auditor, KPMG, is submitting the WebTrust report to the
American Institute of Certified Public Accountants (AICPA). The AICPA will
publish the report on a public site and will issue a webseal to the PKIoverheid.
The PKIoverheid publishes the webseal on www.pkioverheid.nl. Clicking on the
seal allows users to link to the WebTrust report and the management assertion of
the PKIoverheid. At this moment we don't know what the exact URL will be, an
example is https://cert.webtrust.org/ViewSeal?id=304. On
http://www.cpawebtrust.org/abtseals.htm the sites are listed that have passed
the WebTrust examination by a licensed Certified Public Accountant (CPA),
Chartered Accountant, or equivalent. When we have the webseal, we will send you
the definitive URL.

2. Yes, this is the current CPS and official. Unfortunately this document is not
available in English.

3. The URL for the CRL that is issued by the Staat der Nederlanden Root CA is
http://crl.pkioverheid.nl/LatestCRL.crl 

4. The CSPs issue personal certificates for the electronic signature (in
accordance with the European Directive on Electronic Signatures), authentication
and encryption. These certificates can be used for e-mail but e.g. also for
other applications (e.g. signing and encrypting a PDF and authenticating to a
website). The CSPs also issue non-personal certificates to organisations.
These organisations can use these certificates for authentication and encryption
purposes (e.g. object signing, SSL, e-mail server signing). The reason why we
don't mention the electronic signature is that in our definition the electronic
signature is reserved to persons, because only persons can create an electronic
signature in accordance with the European Directive (qualified certificates).
When an organisation signs an object, we will call this authentication. So, your
assumption that the root CA certificate should be trusted in Mozilla for all
purposes is the right one.
(Assignee)

Updated

14 years ago
Depends on: 261374
(Assignee)

Comment 4

14 years ago
I'm approving this request, and have filed bug 261374 to get the actual
certificate added to NSS. Please submit any technical comments related to the
certificate, etc., to bug 261374; any other comments should go in this bug.

Note that in order for the certificate to be distributed with Mozilla, Firefox,
Thunderbird, etc., it must first be added to a release of the NSS library and
then that release of NSS must be added to some release of Mozilla, etc. At this
time we can't commit to a particular date or release for when all that will be
complete.

Comment 5

14 years ago
Frank,

Nelson has added this root CA cert to NSS.  So
you can mark the bug fixed now.
(Assignee)

Comment 6

14 years ago
Certificates are in Firefox 1.0.2 and Thunderbird 1.0.2; resolving as fixed and
removing dependency on bug 261734.
Status: ASSIGNED → RESOLVED
Last Resolved: 14 years ago
No longer depends on: 261374
Resolution: --- → FIXED

Updated

2 years ago
Product: mozilla.org → NSS