Dear MSDP community, As requested by Mozilla in the CA Communication survey we've reviewed our implementation of BR 3.2.2.4.1 and 3.2.2.4.5. PKIoverheid only issues OV/EV certificates to subscribers for which the applicant representative has to have had a face-to-face check to confirm the identity of the representative (regardless of which method from 3.2.2.4 is used). The applicant representatives are defined beforehand by the applicant (authority is granted by a managing director, who's authority is checked against the national trade register). The issuing TSPs all use a secured environment in which the subscriber can order certificates. PKIoverheid certificates are mainly issued to Dutch subscribers. The Dutch Chamber of Commerce (de facto the national agency as referred in BR 3.2.2.1) only allows unique organization names, and as mentioned before, the TSP has a complete file of the applicant and it representative(s). In case that there is doubt about the authority of the applicant (whether us ing method 3.2.2.4.1 or 3.2.2.4.5), another method from 3.2.2.4 is used instead. Therefore, the scenario as described earlier on the web (for instance, the Stripe, Inc. case) is, in our eyes, very unlikely. However, the PKIoverheid TSPs are now moving away from these methods per ballot 218.
Please let me know if you have any questions. Kind regards, Jochem van den Berge Logius PKIoverheid Public Key Infrastructure for the Dutch government ........................................................................ Logius Ministry of the Interior and Kingdom Relations (BZK) Wilhelmina van Pruisenweg 52 | 2595 AN | The Hague PO Box 96810 | 2509 JE | The Hague ........................................................................ jochem.vanden.be...@logius.nl<mailto:jochem.vanden.be...@logius.nl> http://www.logius.nl Dit bericht kan informatie bevatten die niet voor u is bestemd. Indien u niet de geadresseerde bent of dit bericht abusievelijk aan u is toegezonden, wordt u verzocht dat aan de afzender te melden en het bericht te verwijderen. De Staat aanvaardt geen aansprakelijkheid voor schade, van welke aard ook, die verband houdt met risico's verbonden aan het elektronisch verzenden van berichten. This message may contain information that is not intended for you. If you are not the addressee or if this message was sent to you by mistake, you are requested to inform the sender and delete the message. The State accepts no liability for damage of any kind resulting from the risks inherent in the electronic transmission of messages. _______________________________________________ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy