Thank you for the response, Jochem. I am glad to hear that Logius has evaluated the risk and, given the passage of ballot 218, is moving to other methods of domain validation.

- Wayne

On Fri, Mar 16, 2018 at 5:55 AM, Berge, J. van den (Jochem) - Logius via dev-security-policy <dev-security-policy@lists.mozilla.org> wrote:

> Dear MSDP community,
>
> As requested by Mozilla in the CA Communication survey we've reviewed our
> implementation of BR 3.2.2.4.1 and 3.2.2.4.5. PKIoverheid only issues OV/EV
> certificates to subscribers for which the applicant representative has to
> have had a face-to-face check to confirm the identity of the representative
> (regardless of which method from 3.2.2.4 is used). The applicant
> representatives are defined beforehand by the applicant (authority is
> granted by a managing director, whose authority is checked against the
> national trade register). The issuing TSPs all use a secured environment in
> which the subscriber can order certificates. PKIoverheid certificates are
> mainly issued to Dutch subscribers. The Dutch Chamber of Commerce (de facto
> the national agency as referred in BR 3.2.2.1) only allows unique
> organization names, and as mentioned before, the TSP has a complete file of
> the applicant and its representative(s). In case that there is doubt about
> the authority of the applicant (whether using method 3.2.2.4.1 or
> 3.2.2.4.5), another method from 3.2.2.4 is used instead. Therefore, the
> scenario as described earlier on the web (for instance, the Stripe, Inc.
> case) is, in our eyes, very unlikely. However, the PKIoverheid TSPs are now
> moving away from these methods per ballot 218.
>
> Please let me know if you have any questions.
>
> Kind regards,
>
> Jochem van den Berge
>
> Logius PKIoverheid
> Public Key Infrastructure for the Dutch government
> ........................................................................
> Logius
> Ministry of the Interior and Kingdom Relations (BZK)
> Wilhelmina van Pruisenweg 52 | 2595 AN | The Hague
> PO Box 96810 | 2509 JE | The Hague
> ........................................................................
> jochem.vanden.be...@logius.nl
> http://www.logius.nl
>
> This message may contain information that is not intended for you. If you
> are not the addressee or if this message was sent to you by mistake, you
> are requested to inform the sender and delete the message. The State
> accepts no liability for damage of any kind resulting from the risks
> inherent in the electronic transmission of messages.
> _______________________________________________
> dev-security-policy mailing list
> dev-security-policy@lists.mozilla.org
> https://lists.mozilla.org/listinfo/dev-security-policy