Closed Bug 243424 Opened 20 years ago Closed 19 years ago

The Netherlands root cert inclusion


(CA Program :: CA Certificate Root Program, task)

Not set


(Not tracked)



(Reporter: bart.knubben, Assigned: hecker)





(1 file)

175.42 KB, application/pdf
User-Agent:       Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.6) Gecko/20040207 Firefox/0.8
Build Identifier: 

We (the Dutch PA) contacted Frank Hecker about adding The Netherlands root
certificate to Mozilla and he asked us to file the request as a bug report.

"PKI voor de Overheid" (hereafter PKIoverheid; is the
name for the Public Key Infrastructure designed for trustworthy electronic
communication within and with the Dutch government. To reach the latter goal a
national PKI certificate hierarchy has been realised. This national PKI
hierarchy consists of 1 root and 3 domains each having several Certificate
Service Providers (CSPs) underneath. The Policy Authority supports the Dutch
Minister of Interior and Kingdom Relations with the management and control of
the PKI system. 

At this moment the use of PKIoverheid certificates is growing and shortly
ssl-certificates will be issued. To support end-users and relying parties
optimal it is important that the root certificate of the PKIoverheid is already
trusted and thus installed in the browser or operating system of the end-user
and relying party. Therefore we would like the root certificate of the "Staat
der Nederlanden" (The Netherlands) to be included in the certificate trust list
of Mozilla. The root cert can be found here:

At the moment the Policy Authority is auditted against the WebTrust for CAs
program. We will update the bug, when the WebTrust audit has been completed

Reproducible: Always
Steps to Reproduce:
Attached file WebTrust Audit
The document (PDF) contains the Accountant Report from KPMG and the Assertion
of Management from the Dutch Ministry of the Interior and Kingdom Relations.
(In reply to comment #1)
> Created an attachment (id=159705)
> WebTrust Audit
> The document (PDF) contains the Accountant Report from KPMG and the Assertion
> of Management from the Dutch Ministry of the Interior and Kingdom Relations.

Thank you for updating the bug with this information, and congratulation on
completing your WebTrust audit! I have the following additional questions:

1. Do you have a public URL yet for the WebTrust audit report and management
assertions document? (For example, a link from the WebTrust site.) I'd like to
reference this URL on a web page I'm maintaining with CA information.

2. I was looking for your Certification Practice Statement, and found this:

Is this the current CPS? Is the above URL the official URL for this document? Is
the document also available in an English translation?

3. What is the URL for downloading the CRL for the Staat der Nederlanden Root CA?

4. I presume that the CSPs under the Policy Authority will issue both SSL server
certificates and email certificates. Will they also issue certificates for
object signing (e.g., of executable code objects)? (We need this information to
determine how to set the "trust bits" for the root CA. For now I will assume
that the root CA certificate should be trusted in Mozilla for all purposes.)

Now that you have completed the WebTrust audit I expect I will be able to
approve your CA certificate for inclusion in Mozilla. (I have some other
requests to process as well, so I'm not going to officially do this right away.)
After that I will file a bug to add the CA certificate to the NSS library used
by Mozilla, and sometime after that the CA certificate should appear in Mozilla,
Firefox, etc. Note that at this time we can't commit to a firm schedule for when
the CA certificate will be distributed with Mozilla, etc.
Ever confirmed: true
Thanks for your quick reply. Below the answers to your four additional questions.

1. At this moment our auditor, KPMG, is submitting the WebTrust report to the
American Institute of Certified Public Accountants (AICPA). The AICPA will
publish the report on a public site and will issue a webseal to the PKIoverheid.
The PKIoverheid publishes the webseal on Clicking on the
seal allows users to link to the WebTrust report and the management assertion of
the PKIoverheid. At this moment we don't know what the exact URL will be, an
exmaple is On the sites are listed that have passed
the WebTrust examination by a licensed Certified Public Accountant (CPA),
Chartered Accountant, or equivalent. When we have the webseal, we will send you
the definitive URL.

2. Yes, this is the current CPS and official. Unfortunately this document is not
available in English.

3. The URL for the CRL that is issued by the Staat der Nederlanden Root CA is 

4. The CSP's issue personal certificates for the electronic signature (in
accordance with the European Directive on Electronic Signatures), authentication
and encryption. These certificates can be used for e-mail but e.g. also for
other applications (e.g. signing and encrypting a PDF and authenticating to a
website). The CSP's also issues non-personal certificates to organisations.
These organisations can use these certificates for authentication and encryption
purposes (e.g. objectsigning, SSL, e-mailserver signing). The reason why we
don't mention the electonic signature is that in our definition the electronic
signature is reserved to persons, because only persons can create an electronic
signature in accordance with the European Directive (qualified certificates).
When an organisation signs an object, we will call this authentication. So,your
assumption that the root CA certficate should be trusted in Mozilla for all
purposes is the right one.
Depends on: 261374
I'm approving this request, and have filed bug 261374 to get the actual
certificate added to NSS. Please submit any technical comments related to the
certificate, etc., to bug 261374; any other comments should go in this bug.

Note that in order for the certificate to be distributed with Mozilla, Firefox,
Thunderbird, etc., it must first be added to a release of the NSS library and
then that release of NSS must be added to some release of Mozilla, etc. At this
time we can't commit to a particular date or release for when all that will be

Nelson has added this root CA cert to NSS.  So
you can mark the bug fixed now.
Certificates are in Firefox 1.0.2 and Thunderbird 1.0.2; resolving as fixed and
removing dependency on bug 261734.
Closed: 19 years ago
No longer depends on: 261374
Resolution: --- → FIXED
Product: → NSS
Product: NSS → CA Program
You need to log in before you can comment on or make changes to this bug.