Closed Bug 243424 Opened 17 years ago Closed 16 years ago
The Netherlands root cert inclusion
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.6) Gecko/20040207 Firefox/0.8
Build Identifier:

We (the Dutch PA) contacted Frank Hecker about adding The Netherlands root certificate to Mozilla and he asked us to file the request as a bug report.

"PKI voor de Overheid" (hereafter PKIoverheid; http://www.pkioverheid.nl) is the name for the Public Key Infrastructure designed for trustworthy electronic communication within and with the Dutch government. To reach the latter goal a national PKI certificate hierarchy has been realised. This national PKI hierarchy consists of 1 root and 3 domains each having several Certificate Service Providers (CSPs) underneath. The Policy Authority supports the Dutch Minister of Interior and Kingdom Relations with the management and control of the PKI system.

At this moment the use of PKIoverheid certificates is growing and shortly ssl-certificates will be issued. To support end-users and relying parties optimally it is important that the root certificate of the PKIoverheid is already trusted and thus installed in the browser or operating system of the end-user and relying party. Therefore we would like the root certificate of the "Staat der Nederlanden" (The Netherlands) to be included in the certificate trust list of Mozilla.

The root cert can be found here: http://www.pkioverheid.nl/contents/pages/00000325/staatdernederlandenrootca.crt

At the moment the Policy Authority is audited against the WebTrust for CAs program. We will update the bug when the WebTrust audit has been completed successfully.

Reproducible: Always
Steps to Reproduce:
The document (PDF) contains the Accountant Report from KPMG and the Assertion of Management from the Dutch Ministry of the Interior and Kingdom Relations.
(In reply to comment #1)
> Created an attachment (id=159705)
> WebTrust Audit
>
> The document (PDF) contains the Accountant Report from KPMG and the Assertion
> of Management from the Dutch Ministry of the Interior and Kingdom Relations.

Thank you for updating the bug with this information, and congratulations on completing your WebTrust audit! I have the following additional questions:

1. Do you have a public URL yet for the WebTrust audit report and management assertions document? (For example, a link from the WebTrust site.) I'd like to reference this URL on a web page I'm maintaining with CA information.

2. I was looking for your Certification Practice Statement, and found this: http://www.pkioverheid.nl/contents/pages/00000386/cps_pa_pkioverheid_v1_0.pdf Is this the current CPS? Is the above URL the official URL for this document? Is the document also available in an English translation?

3. What is the URL for downloading the CRL for the Staat der Nederlanden Root CA?

4. I presume that the CSPs under the Policy Authority will issue both SSL server certificates and email certificates. Will they also issue certificates for object signing (e.g., of executable code objects)? (We need this information to determine how to set the "trust bits" for the root CA. For now I will assume that the root CA certificate should be trusted in Mozilla for all purposes.)

Now that you have completed the WebTrust audit I expect I will be able to approve your CA certificate for inclusion in Mozilla. (I have some other requests to process as well, so I'm not going to officially do this right away.) After that I will file a bug to add the CA certificate to the NSS library used by Mozilla, and sometime after that the CA certificate should appear in Mozilla, Firefox, etc. Note that at this time we can't commit to a firm schedule for when the CA certificate will be distributed with Mozilla, etc.
Status: UNCONFIRMED → ASSIGNED
Ever confirmed: true
Thanks for your quick reply. Below are the answers to your four additional questions.

1. At this moment our auditor, KPMG, is submitting the WebTrust report to the American Institute of Certified Public Accountants (AICPA). The AICPA will publish the report on a public site and will issue a webseal to the PKIoverheid. The PKIoverheid publishes the webseal on www.pkioverheid.nl. Clicking on the seal allows users to link to the WebTrust report and the management assertion of the PKIoverheid. At this moment we don't know what the exact URL will be; an example is https://cert.webtrust.org/ViewSeal?id=304. On http://www.cpawebtrust.org/abtseals.htm the sites are listed that have passed the WebTrust examination by a licensed Certified Public Accountant (CPA), Chartered Accountant, or equivalent. When we have the webseal, we will send you the definitive URL.

2. Yes, this is the current CPS and official. Unfortunately this document is not available in English.

3. The URL for the CRL that is issued by the Staat der Nederlanden Root CA is http://crl.pkioverheid.nl/LatestCRL.crl

4. The CSPs issue personal certificates for the electronic signature (in accordance with the European Directive on Electronic Signatures), authentication and encryption. These certificates can be used for e-mail but e.g. also for other applications (e.g. signing and encrypting a PDF and authenticating to a website). The CSPs also issue non-personal certificates to organisations. These organisations can use these certificates for authentication and encryption purposes (e.g. object signing, SSL, e-mail server signing). The reason why we don't mention the electronic signature is that in our definition the electronic signature is reserved to persons, because only persons can create an electronic signature in accordance with the European Directive (qualified certificates). When an organisation signs an object, we will call this authentication.

So, your assumption that the root CA certificate should be trusted in Mozilla for all purposes is the right one.
I'm approving this request, and have filed bug 261374 to get the actual certificate added to NSS. Please submit any technical comments related to the certificate, etc., to bug 261374; any other comments should go in this bug. Note that in order for the certificate to be distributed with Mozilla, Firefox, Thunderbird, etc., it must first be added to a release of the NSS library and then that release of NSS must be added to some release of Mozilla, etc. At this time we can't commit to a particular date or release for when all that will be complete.
Frank, Nelson has added this root CA cert to NSS. So you can mark the bug fixed now.
Certificates are in Firefox 1.0.2 and Thunderbird 1.0.2; resolving as fixed and removing dependency on bug 261734.
Status: ASSIGNED → RESOLVED
Closed: 16 years ago
No longer depends on: 261374
Resolution: --- → FIXED