PKIoverheid Programme of Requirements TRIAL 5.1.1
Table of Contents
- 1. INTRODUCTION
- 2. PUBLICATION AND REPOSITORY RESPONSIBILITIES
- 3. IDENTIFICATION AND AUTHENTICATION
- 4. CERTIFICATE LIFE-CYCLE OPERATIONAL REQUIREMENTS
- 4.1 Certificate Application
- 4.2 Certificate application processing
- 4.3 Certificate issuance
- 4.4 Certificate acceptance
- 4.5 Key pair and certificate usage
- 4.6 Certificate renewal
- 4.6.1 Circumstance for certificate renewal
- 4.6.2 Who may request renewal
- 4.6.3 Processing certificate renewal requests
- 4.6.4 Notification of new certificate issuance to subscriber
- 4.6.5 Conduct constituting acceptance of a renewal certificate
- 4.6.6 Publication of the renewal certificate by the CA
- 4.6.7 Notification of certificate issuance by the CA to other entities
- 4.7 Certificate re-key
- 4.7.1 Circumstance for certificate re-key
- 4.7.2 Who may request certification of a new public key
- 4.7.3 Processing certificate re-keying requests
- 4.7.4 Notification of new certificate issuance to subscriber
- 4.7.5 Conduct constituting acceptance of a re-keyed certificate
- 4.7.6 Publication of the re-keyed certificate by the CA
- 4.7.7 Notification of certificate issuance by the CA to other entities
- 4.8 Certificate modification
- 4.8.1 Circumstance for certificate modification
- 4.8.2 Who may request certificate modification
- 4.8.3 Processing certificate modification requests
- 4.8.4 Notification of new certificate issuance to subscriber
- 4.8.5 Conduct constituting acceptance of modified certificate
- 4.8.6 Publication of the modified certificate by the CA
- 4.8.7 Notification of certificate issuance by the CA to other entities
- 4.9 Certificate revocation and suspension
- 4.9.1 Circumstances for revocation
- 4.9.2 Who can request revocation
- 4.9.3 Procedure for revocation request
- 4.9.4 Revocation request grace period
- 4.9.5 Time within which CA must process the revocation request
- 4.9.6 Revocation checking requirement for relying parties
- 4.9.7 CRL issuance frequency (if applicable)
- 4.9.8 Maximum latency for CRLs (if applicable)
- 4.9.9 On-line revocation/status checking availability
- 4.9.10 On-line revocation checking requirements
- 4.9.11 Other forms of revocation advertisements available
- 4.9.12 Special requirements related to key compromise
- 4.9.13 Circumstances for suspension
- 4.9.14 Who can request suspension
- 4.9.15 Procedure for suspension request
- 4.9.16 Limits on suspension period
- 4.10 Certificate status services
- 4.11 End of subscription
- 4.12 Key escrow and recovery
- 5. FACILITY, MANAGEMENT, AND OPERATIONAL CONTROLS
- 5.1 Physical controls
- 5.2 Procedural controls
- 5.3 Personnel controls
- 5.3-tpkio31
- 5.3.1 Qualifications, experience, and clearance requirements
- 5.3.2 Background check procedures
- 5.3.3 Training requirements
- 5.3.4 Retraining frequency and requirements
- 5.3.5 Job rotation frequency and sequence
- 5.3.6 Sanctions for unauthorized actions
- 5.3.7 Independent contractor requirements
- 5.3.8 Documentation supplied to personnel
- 5.4 Audit logging procedures
- 5.5 Records archival
- 5.6 Key changeover
- 5.7 Compromise and disaster recovery
- 5.8 CA or RA termination
- 6. TECHNICAL SECURITY CONTROLS
- 6.1 Key pair generation and installation
- 6.2 Private Key Protection and Cryptographic Module Engineering Controls
- 6.2-tpkio36
- 6.2.1 Cryptographic module standards and controls
- 6.2.2 Private key (n out of m) multi-person control
- 6.2.3 Private key escrow
- 6.2.4 Private key backup
- 6.2.5 Private key archival
- 6.2.6 Private key transfer into or from a cryptographic module
- 6.2.7 Private key storage on cryptographic module
- 6.2.8 Method of activating private key
- 6.2.9 Method of deactivating private key
- 6.2.10 Method of destroying private key
- 6.2.11 Cryptographic Module Rating
- 6.3 Other aspects of key pair management
- 6.4 Activation data
- 6.5 Computer security controls
- 6.6 Life cycle technical controls
- 6.7 Network security controls
- 6.8 Time-stamping
- 7. CERTIFICATE, CRL, AND OCSP PROFILES
- 7.1 Certificate profile
- 7.1-tpkio44
- 7.1-tpkio45
- 7.1-tpkio47
- 7.1-tpkio67
- 7.1-tpkio68
- 7.1-tpkio81
- 7.1.1 Version number(s)
- 7.1.2 Certificate extensions
- 7.1.3 Algorithm object identifiers
- 7.1.4 Name forms
- 7.1.5 Name constraints
- 7.1.6 Certificate policy object identifier
- 7.1.7 Usage of Policy Constraints extension
- 7.1.8 Policy qualifiers syntax and semantics
- 7.1.9 Processing semantics for the critical Certificate Policies extension
- 7.2 CRL profile
- 7.3 OCSP profile
- 8. COMPLIANCE AUDIT AND OTHER ASSESSMENTS
- 9. OTHER BUSINESS AND LEGAL MATTERS
- 9.1 Fees
- 9.2 Financial responsibility
- 9.3 Confidentiality of business information
- 9.4 Privacy of personal information
- 9.4.1 Privacy plan
- 9.4.2 Information treated as private
- 9.4.3 Information not deemed private
- 9.4.4 Responsibility to protect private information
- 9.4.5 Notice and consent to use private information
- 9.4.6 Disclosure pursuant to judicial or administrative process
- 9.4.7 Other information disclosure circumstances
- 9.5 Intellectual property rights
- 9.6 Representations and warranties
- 9.7 Disclaimers of warranties
- 9.8 Limitations of liability
- 9.9 Indemnities
- 9.10 Term and termination
- 9.11 Individual notices and communications with participants
- 9.12 Amendments
- 9.13 Dispute resolution provisions
- 9.14 Governing law
- 9.15 Compliance with applicable law
- 9.16 Miscellaneous provisions
- 9.17 Other provisions
- Appendix A: Requirements (CP) for personal authentication certificates (OID 2.16.528.1.1003.1.2.9.1)
- Appendix B: Requirements (CP) for personal signature certificates (OID 2.16.528.1.1003.1.2.9.2)
- Appendix C: Requirements (CP) for personal encryption certificates (OID 2.16.528.1.1003.1.2.9.3)
- Appendix D: Requirements (CP) for services authentication certificates (OID 2.16.528.1.1003.1.2.9.4)
- Appendix E: Requirements (CP) for services encryption certificates (OID 2.16.528.1.1003.1.2.9.5)
- Appendix F: Requirements (CP) for services signature certificates (OID 2.16.528.1.1003.1.2.9.10)
- Appendix G: Requirements (CP) for server certificates (OID 2.16.528.1.1003.1.2.9.6)
1. INTRODUCTION
1.1 Overview
The PKIoverheid TRIAL (G3) hierarchy (PKIoverheid TRIAL) has been established by the Policy Authority PKIoverheid to enable TSPs and subscribers to deploy non-production (test) PKIoverheid certificates in testing or staging environments, in order to test the suitability of their systems for (new types of) PKIoverheid certificates. This document is issued by the PA PKIoverheid to define the policies that Trust Service Providers operating in this PKI are required to adhere to.
For more information about general PKIoverheid concepts, please refer to Part 1 of the Programme of Requirements, which can be found on the Logius website.
1.2 Document name and identification
This document is the Policy Authority PKIoverheid TRIAL Certificate Policy (“CP”). It sets forth the policy requirements that the PA PKIoverheid imposes on Trust Service Providers (TSPs) which are part of the PKIoverheid TRIAL (G3) hierarchy.
The following Policy identifiers are reserved for use by TSPs as a means of asserting compliance with specific requirements imposed by this CP:
OID | CP |
---|---|
2.16.528.1.1003.1.2.9.1 | Identifies TRIAL personal authenticity certificates within the PKIoverheid TRIAL Organization Person domain, which contain the public key for identification and authentication. |
2.16.528.1.1003.1.2.9.2 | Identifies TRIAL personal signature certificates within the PKIoverheid TRIAL Organization Person domain, which contain the public key for the qualified electronic signature/non-repudiation. |
2.16.528.1.1003.1.2.9.3 | Identifies TRIAL personal confidentiality certificates within the PKIoverheid TRIAL Organization Person domain, which contain the public key for confidentiality. |
2.16.528.1.1003.1.2.9.4 | Identifies TRIAL services authenticity certificates within the PKIoverheid TRIAL Organization Services domain, which contain the public key for identification and authentication. |
2.16.528.1.1003.1.2.9.5 | Identifies TRIAL services confidentiality certificates within the PKIoverheid TRIAL Organization Services domain, which contain the public key for confidentiality. |
2.16.528.1.1003.1.2.9.6 | Identifies TRIAL server certificates within the PKIoverheid TRIAL Organization Services domain (formerly known as TRIAL Type 1 server certificates). |
2.16.528.1.1003.1.2.9.6.1 | Identifies TRIAL server type 2 certificates [DEPRECATED]. |
2.16.528.1.1003.1.2.9.6.2 | Identifies TRIAL server type 3 certificates [DEPRECATED]. |
2.16.528.1.1003.1.2.9.10 | Identifies TRIAL services signature certificates within the PKIoverheid TRIAL Organization Services domain, which contain the public key for the qualified electronic signature/non-repudiation. Also known as eSeals. |
Signature certificates (2.16.528.1.1003.1.2.9.2 and 2.16.528.1.1003.1.2.9.10) are designed to match the certificate profile of the production certificates as closely as possible. However, because TRIAL certificates are not meant to be used in a production environment, they MUST NOT assert the specific profile extensions that mark a certificate as a qualified certificate within the meaning of Regulation (EU) No 910/2014 (eIDAS).
1.2.1 Revisions
Version | Date | Remarks |
---|---|---|
5.0 | 10 Mar 2020 | Major revision of the original PKIoverheid TEST PvE v2.0 from 2012. |
5.1 | 27 Aug 2020 | |
5.1.1 | 01 Sep 2021 | Change T001: the life-time of all certificates is set to one year, deprecating the different server certificate types. Existing requirement 6.3.2-tpkio37 became applicable to all TRIAL certificate types; repealed: 6.3.2-tpkio38, 6.3.2-tpkio39, 6.3.2-tpkio40, 7.1.6-tpkio91 and 7.1.6-tpkio92. Change T002: revised certificate profiles. In TRIAL PoR 5.1 some certificate profile fields were missing because of typos in the labels of individual requirements, which caused omissions in the automatically generated Appendices A through G; these typos are now fixed. Added to Appendix A: 7.1.2-tpkio46, 7.1.2-tpkio48, 7.1.2-tpkio49, 7.1.2-tpkio59, 7.1.2-tpkio60, 7.1.2-tpkio64, 7.1.2-tpkio65, 7.1.2-tpkio82, 7.2-tpkio96. Added to Appendix B: 7.1.2-tpkio46, 7.1.2-tpkio48, 7.1.2-tpkio49, 7.1.2-tpkio52, 7.1.2-tpkio53, 7.1.2-tpkio54, 7.1.2-tpkio59, 7.1.2-tpkio60, 7.1.2-tpkio64, 7.1.2-tpkio65, 7.1.2-tpkio82. Added to Appendix C: 7.1.2-tpkio46, 7.1.2-tpkio49, 7.1.2-tpkio59, 7.1.2-tpkio60, 7.1.2-tpkio64, 7.1.2-tpkio65, 7.1.2-tpkio82. Added to Appendix D: 7.1.2-tpkio46, 7.1.2-tpkio49, 7.1.2-tpkio59, 7.1.2-tpkio60, 7.1.2-tpkio82. Added to Appendix E: 7.1.2-tpkio46, 7.1.2-tpkio49, 7.1.2-tpkio59, 7.1.2-tpkio60, 7.1.2-tpkio82. Added to Appendix F: 7.1.2-tpkio49, 7.1.2-tpkio59, 7.1.2-tpkio60, 7.1.2-tpkio82, 7.1.4-tpkio77, 7.1.4-tpkio120. Added to Appendix G: 7.1.2-tpkio46, 7.1.2-tpkio49, 7.1.2-tpkio59, 7.1.2-tpkio82. Change T003: the qcStatements extension was missing from TRIAL Organization Person certificates. New requirement 7.1.2-tpkio124 describes the qcStatements for TRIAL Organization Person certificates. Change T004: the number of extensions:subjectAltName:dNSName entries is limited to 10. Existing requirement 7.1.4-tpkio83 is modified accordingly. |
1.2.2 Relevant dates
No stipulation as of 10 Mar 2020. This section will be updated as new versions of this CP are published.
1.3 PKI participants
1.3.1 Certification authorities
In this document a distinction is made between the terms Certification Authority (CA) and Trust Service Provider (TSP). In international usage, “CA” is an umbrella term that refers to all entities authorized to issue, manage, revoke and renew certificates; it can denote the actual CA certificate as well as the organization. In this CP, the organization which holds a CA is referred to as a TSP, and the term CA refers to the infrastructure and key material with which a TSP issues and signs certificates. This CP covers all certificates issued and signed by the following CAs:
Common Name | Not Before | Not After | Serial Number | SHA256 Fingerprint |
---|---|---|---|---|
KPN BV TRIAL PKIoverheid Organisatie Persoon CA - G3 | 27 Feb 2020 | 13 Nov 2028 | 6ffacdc0a5703f42a69225e6435c321a5e067c8c | B9E46607 FD6D60B4 1515C854 7371DABC 657668AD 49BCB552 33E40295 15902D9C |
KPN BV TRIAL PKIoverheid Organisatie Server CA - G3 | 27 Feb 2020 | 13 Nov 2028 | 0e56cfba4c0be27956a9cb9ff96d9c875dbee219 | 0AA8CF08 1D7E3268 9E5AB720 F964C41E 9D221ECC 56461484 6918719C EE3A1494 |
KPN BV TRIAL PKIoverheid Organisatie Services CA - G3 | 27 Feb 2020 | 13 Nov 2028 | 5be7d94d47baebe34148dba0385ab3008555b703 | 8B7E3753 90BD4177 B5577205 24E759F7 71559280 8E325B93 6E03CBCA F6785E26 |
QuoVadis TRIAL PKIoverheid Organisatie Persoon CA - G3 | 27 Feb 2020 | 13 Nov 2028 | 622df11ef3c0d88da5728919a613a1ae139fdc98 | 466FB468 F253F648 ADDAFC02 44BEF845 98FFD6EF 568DC62A A33A3F2D 05A6E2ED |
QuoVadis TRIAL PKIoverheid Organisatie Server CA - G3 | 27 Feb 2020 | 13 Nov 2028 | 42756ba0989b586bdb4237d6a02c66e950c416d4 | F0014784 7367A2CA 056F46C2 608DC197 3F2D4824 D83E66F2 9421A52D 81D79465 |
QuoVadis TRIAL PKIoverheid Organisatie Services CA - G3 | 27 Feb 2020 | 13 Nov 2028 | 26a7225f0aaaa0364e0dc7aabdf80f6a411c011e | 9E409C65 474692A4 DD858114 90933AD2 473966B0 96BEF980 4C96B369 34DEA35C |
1.3.2 Registration authorities
Registration Authorities (RAs) are entities that approve and authenticate requests to obtain, renew, or revoke certificates. RA tasks within PKIoverheid are as follows:
- identify and authenticate subscribers;
- verify that subscribers are authorized to request or revoke certificates;
- approve the individuals, entities and/or devices that are to be included in a certificate.
After performing the tasks listed above they will authorize and/or request a TSP to issue, renew, or revoke a certificate.
1.3.3 Subscribers
Subscribers within the PKIoverheid TRIAL hierarchy are defined as organizations, or individuals working for organizations, to whom a TSP has issued one or more PKIoverheid TRIAL certificates. Before issuance of the first certificate the subscriber has to agree to a subscriber agreement supplied by the TSP. Requirements for this subscriber agreement are listed in the relevant sections of this CP.
1.3.4 Relying parties
Relying parties are all parties that may encounter and/or process a PKIoverheid TRIAL certificate. Relying parties should be aware of the purpose of PKIoverheid TRIAL certificates (see also section 1.1 Overview) and as such MUST NOT make decisions based on the (perceived) trustworthiness of a PKIoverheid TRIAL certificate.
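The rule in 1.3.4, taken together with the policy OID table in 1.2, is mechanically checkable on the relying-party side: every TRIAL certificate is recognisable by a certificatePolicies OID under the arc 2.16.528.1.1003.1.2.9. The Go program below is an added example written for this page, not code from the PA PKIoverheid or from any TSP. It rejects any chain in which some certificate asserts a policy under that arc, and accepts one carrying an unrelated policy. The self-signed throwaway certificates, their subject names and the choice of the CA/Browser Forum OV policy OID 2.23.140.1.2.2 as the non-TRIAL comparison are constructed for the example; the certificatePolicies extension is encoded by hand so the example does not depend on which Go field CreateCertificate reads policies from.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"time"
)

var (
	trialPolicyArc         = asn1.ObjectIdentifier{2, 16, 528, 1, 1003, 1, 2, 9}    // arc of all TRIAL OIDs in 1.2
	trialServerPolicy      = asn1.ObjectIdentifier{2, 16, 528, 1, 1003, 1, 2, 9, 6} // TRIAL server certificates
	cabfOVPolicy           = asn1.ObjectIdentifier{2, 23, 140, 1, 2, 2}             // CA/B Forum OV, used as contrast
	oidCertificatePolicies = asn1.ObjectIdentifier{2, 5, 29, 32}                    // RFC 5280 id-ce-certificatePolicies
)

// policyInformation mirrors RFC 5280 PolicyInformation; only the OID is set here.
type policyInformation struct {
	Policy     asn1.ObjectIdentifier
	Qualifiers asn1.RawValue `asn1:"optional"`
}

// encodePolicies builds the DER value of a certificatePolicies extension
// (SEQUENCE OF PolicyInformation) from a list of policy OIDs.
func encodePolicies(oids []asn1.ObjectIdentifier) ([]byte, error) {
	infos := make([]policyInformation, 0, len(oids))
	for _, oid := range oids {
		infos = append(infos, policyInformation{Policy: oid})
	}
	return asn1.Marshal(infos)
}

// isTrialPolicy reports whether oid is a child of the TRIAL arc.
func isTrialPolicy(oid asn1.ObjectIdentifier) bool {
	return len(oid) > len(trialPolicyArc) && oid[:len(trialPolicyArc)].Equal(trialPolicyArc)
}

// AcceptChain applies 1.3.4: no trust decision may rest on a TRIAL certificate,
// so the chain is rejected as soon as any member asserts a TRIAL policy OID.
// cert.PolicyIdentifiers is filled by the parser from the certificatePolicies extension.
func AcceptChain(chain []*x509.Certificate) (bool, string) {
	for _, cert := range chain {
		for _, oid := range cert.PolicyIdentifiers {
			if isTrialPolicy(oid) {
				return false, fmt.Sprintf("%s asserts TRIAL policy %s: not trustworthy by definition",
					cert.Subject.CommonName, oid)
			}
		}
	}
	return true, "no TRIAL policy in chain"
}

// newSelfSigned is a constructed, throwaway certificate for this example only.
func newSelfSigned(cn string, policies []asn1.ObjectIdentifier) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	val, err := encodePolicies(policies)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:    big.NewInt(time.Now().UnixNano()),
		Subject:         pkix.Name{CommonName: cn},
		NotBefore:       time.Now().Add(-time.Hour),
		NotAfter:        time.Now().Add(365 * 24 * time.Hour), // one year, cf. change T001
		KeyUsage:        x509.KeyUsageDigitalSignature,
		ExtraExtensions: []pkix.Extension{{Id: oidCertificatePolicies, Value: val}},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// Verdict builds a single-certificate chain asserting the given policies and
// returns whether a relying party may accept it, with the reason.
func Verdict(policies ...asn1.ObjectIdentifier) (bool, string, error) {
	cert, err := newSelfSigned("example server", policies)
	if err != nil {
		return false, "", err
	}
	ok, why := AcceptChain([]*x509.Certificate{cert})
	return ok, why, nil
}

func main() {
	fmt.Println(Verdict(trialServerPolicy)) // false: TRIAL policy present
	fmt.Println(Verdict(cabfOVPolicy))      // true: no TRIAL policy
}
```

The check matches on the arc rather than on the individual OIDs in the 1.2 table so that the deprecated sub-arcs 2.16.528.1.1003.1.2.9.6.1 and .6.2 are caught as well; a real relying party would run it on the chain that normal path validation produced, since the policy OID says nothing about whether the chain is otherwise valid.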
1.3.5 Other participants
No stipulation.
1.4 Certificate usage
1.4.1 Appropriate certificate uses
1.4.1-tpkio3
Description
Certificates issued within the PKIoverheid TRIAL hierarchy SHALL only be used for testing purposes.
Testing purposes for Server/SSL certificates include the following (please note that this is not an exhaustive list):
- use of subscriber SSL certificates by the TSP for its own (internal) testing;
- use of subscriber SSL certificates in a non-production application or website, to test system behaviour when PKIoverheid certificates are encountered;
- testing the process of generating key pairs and CSRs and installing the resulting PKIoverheid TRIAL certificate.
In case of doubt whether a use case qualifies as “testing purposes”, a TSP SHALL contact the PA to seek permission for issuance of PKIoverheid TRIAL certificates.
If the certificates are to be used by a TSP for internal testing, the requirements in sections 2, 3.2.2, 3.2.3, 3.2.4 and 4.1 do not apply to the TSP.
TSPs are allowed to issue PKIoverheid TRIAL certificates to third parties (e.g. external subscribers) for testing. In that case the TSP MUST adhere to all requirements listed in this CP.
Comment: -
1.4.1-tpkio33
Description
Certificates issued within the PKIoverheid TRIAL hierarchy SHALL only be used for testing purposes.
Testing purposes for Personal certificates and Services certificates include the following (again, this is not an exhaustive list):
- use of subscriber Personal/Services certificates by the TSP for its own (internal) testing;
- use of subscriber Personal/Services certificates in a non-production application, to test the process of integrating PKIoverheid personal/services certificates in workflows and the like.
Comment: In case of doubt whether a use case qualifies as “testing purposes”, a TSP SHALL contact the PA to seek permission for issuance of PKIoverheid TRIAL certificates.
If the certificates are to be used by a TSP for internal testing, the requirements in sections 2, 3.2.2, 3.2.3, 3.2.4 and 4.1 do not apply to the TSP.
TSPs are allowed to issue PKIoverheid TRIAL certificates to third parties (e.g. external subscribers) for testing. In that case the TSP MUST adhere to all requirements listed in this CP.
1.4.2 Prohibited certificate uses
No stipulation.
1.5 Policy administration
1.5.1 Organization administering the document
The Ministry of the Interior and Kingdom Relations (BZK) is responsible for this CP. BZK has delegated this responsibility, including the approval of changes to this document, to Logius.
1.5.2 Contact person
Policy Authority PKIoverheid
Wilhelmina van Pruisenweg 52
Postbus 96810
2509 JE DEN HAAG
http://www.logius.nl/pkioverheid
servicecentrum@logius.nl
1.5.3 Person determining CPS suitability for the policy
The Policy Authority PKIoverheid (PA) determines the suitability of CPSs published as a result of this CP.
1.5.4 CP approval procedures
The PA PKIoverheid reserves the right to amend this CP. Changes are applicable from the date that is listed in section 1.2.2 Relevant dates. The management of Logius is responsible for following the procedures as listed in section 9.12 Amendments and final approval of this CP.
1.6 Definitions and acronyms
See part 4 of the PoR PKIoverheid which can be found on the Logius website
1.6.1 Conventions
The key words “MUST”, “MUST NOT”, “REQUIRED”, “SHALL”, “SHALL NOT”, “SHOULD”, “SHOULD NOT”, “RECOMMENDED”, “MAY”, and “OPTIONAL” in these Requirements MUST be interpreted in accordance with RFC 2119.
2. PUBLICATION AND REPOSITORY RESPONSIBILITIES
2.1 Repositories
2.1-tpkio2
Description
A TSP MUST establish and maintain a repository where information as listed in section 2.2 Publication of certification information is available. The repository could either be maintained by the TSP itself or maintenance can be delegated to a third party.
Comment: -
2.2 Publication of certification information
2.2-tpkio12
Description
A TSP MUST make the certificate(s) of the issuing CA or CAs it uses for issuing end-user PKIoverheid TRIAL certificates available for download by subscribers and relying parties.
Comment: -
2.2-tpkio13
Description
A TSP MUST publish the locations of its CRLs and OCSP responders in the repository, on a publicly available web page.
Comment: -
2.3 Time or frequency of publication
No stipulation.
2.4 Access controls on repositories
2.4-tpkio14
Description
The repository MUST be publicly available.
Comment: -
3. IDENTIFICATION AND AUTHENTICATION
3.1 Naming
3.1.1 Types of names
To indicate that this hierarchy is intended for test purposes only, the words TRIAL and/or TEST are used in several subject and/or issuer attributes. See 7. CERTIFICATE, CRL, AND OCSP PROFILES of this CP for more information.
3.1.2 Need for names to be meaningful
No stipulation.
3.1.3 Anonymity or pseudonymity of subscribers
No stipulation.
3.1.4 Rules for interpreting various name forms
No stipulation.
3.1.5 Uniqueness of names
No stipulation.
3.1.6 Recognition, authentication, and role of trademarks
No stipulation.
3.2 Initial identity validation
3.2.1 Method to prove possession of private key
3.2.1-tpkio6
Description
The TSP is responsible for ensuring that the subscriber supplies the certificate signing request (CSR) securely. The secure delivery must take place in one of the following ways:
- entry of the CSR in an application of the TSP developed specifically for that purpose, over an SSL connection that uses a PKIoverheid SSL certificate or an equivalent;
- entry of the CSR on the HTTPS website of the TSP, which uses a PKIoverheid SSL certificate or an equivalent;
- sending the CSR by e-mail, together with a qualified electronic signature of the certificate manager created with a PKIoverheid qualified certificate or an equivalent;
- entering or sending the CSR in a way that is at least equivalent to the ways listed above.
Comment: -
3.2.2 Authentication of organization identity
3.2.2-tpkio5
Description
At initial registration the TSP MUST verify that the subscriber is an existing organization.
Comment: -
3.2.2-tpkio15
Description
The TSP MUST verify that the name of the organization registered by the subscriber that is incorporated in the certificate is correct and complete.
Comment: -
3.2.2-tpkio16
Description
Before a services server certificate is issued, the TSP MUST enter into an agreement with the subscriber and receive a certificate request signed by the certificate manager. The agreement must be signed by the Authorized Representative or Representation of the subscriber.
Comment: -
3.2.2-tpkio17
Description
When entering into an agreement with the subscriber, the TSP SHALL request a copy of the identification document of the legal representative of the subscriber (see also 3.2.2-tpkio16). This is for identification purposes. The identity of the legal representative can only be established using the valid documents referred to in article 1 of the Compulsory Identification Act (Wet op de identificatieplicht). The TSP MUST check the validity and authenticity of these documents.
Comment: -
3.2.3 Authentication of individual identity
3.2.3-tpkio4
Description
When a TSP issues PKIoverheid TRIAL certificates for use in testing within the TSP’s organization there is no need for identity validation.
Comment: -
3.2.3-tpkio7
Description
If an OIN is included in a certificate (in the subject.serialnumber attribute), a TSP MUST check the authorisation of the applicant to use the OIN in accordance with the requirements laid down in the agreement between the State of the Netherlands and the TSP.
Comment: -
3.2.3-tpkio19
Description
In accordance with Dutch legislation and regulations, the TSP MUST check the identity and, if applicable, specific properties of the certificate manager. Proof of identity has to be verified based on the physical appearance of the person himself, either directly or indirectly, using means by which the same certainty can be obtained as with personal presence. The proof of identity can be supplied on paper or electronically.
Comment: -
3.2.3-tpkio20
Description
The identity of the certificate manager can only be established using the valid documents referred to in article 1 of the Compulsory Identification Act (Wet op de identificatieplicht). The TSP MUST check the validity and authenticity of these documents. If the personal identity of the certificate manager has already been verified under another (production) CP of PKIoverheid, the demands of this requirement are deemed to have been satisfied.
Comment: -
3.2.4 Non-verified subscriber information
No stipulation.
3.2.5 Validation of authority
3.2.5-tpkio8
Description
When an FQDN is included in the certificate, the TSP MUST check, for every FQDN supplied by the subscriber (see the definition in Part 4) and included in the certificate, that:
- the FQDN is actually registered in the name of the subscriber; OR
- use of the FQDN has been authorized by the registered domain owner; OR
- the subscriber can show that it exercises (technical) control over the FQDN in question.
The verified data MAY be reused in a subsequent application, provided that it is not older than 39 months. If the data is older than 39 months, the above check must be carried out again. This must be done for every FQDN that is included in a certificate.
The TSP MUST limit itself to:
- the methods prescribed in the applicable version of the CA/Browser Forum Baseline Requirements (section 3.2.2.4); OR
- an alternative method approved in advance by the PA.
Comment: -
3.2.5-tpkio18
Description
The TSP MUST check that the evidence supplied by the subscriber that the certificate holder is authorized to receive certificates is genuine, and that the certificate manager has been authorized by the subscriber to execute the necessary actions (in cases where the certificate manager handles the registration process).
Comment: The Certificate Manager who acts on behalf of the certificate holder does not necessarily have to be a system administrator or an HR-consultant. It is up to the subscriber to appoint a suitable person for the role (if needed).
3.2.6 Criteria for interoperation
No stipulation.
3.3 Identification and authentication for re-key requests
3.3.1 Identification and authentication for routine re-key
No stipulation.
3.3.2 Identification and authentication for re-key after revocation
No stipulation.
3.4 Identification and authentication for revocation request
No stipulation.
4. CERTIFICATE LIFE-CYCLE OPERATIONAL REQUIREMENTS
4.1 Certificate Application
4.1-tpkio9
Description
The TSP MUST include in the terms of use that the subscriber will only use a test certificate for testing purposes.
Comment: -
4.1.1 Who can submit a certificate application
No stipulation.
4.1.2 Enrollment process and responsibilities
No stipulation.
4.2 Certificate application processing
4.2.1 Performing identification and authentication functions
No stipulation.
4.2.2 Approval or rejection of certificate applications
No stipulation.
4.2.3 Time to process certificate applications
No stipulation.
4.3 Certificate issuance
4.3.1 CA actions during certificate issuance
4.3.1-tpkio10
Description
Only TSPs who have been admitted to the production hierarchy of PKIoverheid MAY issue PKIoverheid TRIAL certificates to third parties.
Comment: Aspiring TSPs SHALL NOT issue PKIoverheid TRIAL certificates to third parties. An aspiring TSP MUST ask the Policy Authority PKIoverheid for written permission to issue PKIoverheid TRIAL certificates for internal testing. For the purposes of this CP “internal testing” is defined as being in use within the same legal entity as the TSP.
4.3.2 Notification to subscriber by the CA of issuance of Certificate
No stipulation.
4.4 Certificate acceptance
4.4.1 Conduct constituting certificate acceptance
No stipulation.
4.4.2 Publication of the certificate by the CA
No stipulation.
4.4.3 Notification of certificate issuance by the CA to other Entities
No stipulation.
4.5 Key pair and certificate usage
4.5.1 Subscriber private key and certificate usage
No stipulation.
4.5.2 Relying party public key and certificate usage
No stipulation.
4.6 Certificate renewal
4.6.1 Circumstance for certificate renewal
No stipulation.
4.6.2 Who may request renewal
No stipulation.
4.6.3 Processing certificate renewal requests
No stipulation.
4.6.4 Notification of new certificate issuance to subscriber
No stipulation.
4.6.5 Conduct constituting acceptance of a renewal certificate
No stipulation.
4.6.6 Publication of the renewal certificate by the CA
No stipulation.
4.6.7 Notification of certificate issuance by the CA to other entities
No stipulation.
4.7 Certificate re-key
4.7.1 Circumstance for certificate re-key
4.7.1-tpkio21
Description
A TSP SHALL NOT issue certificates for which the key pair has been used for a previous expired or revoked certificate.
Comment: -
4.7.1-tpkio22
Description
A TSP MAY reuse a key pair once when issuing a certificate after the previous certificate has expired. A TSP SHALL NOT issue a certificate using a key pair that has previously been used in a certificate issued by the TSP that has been revoked.
Comment: -
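Requirement 4.7.1-tpkio22 is a check a TSP can run against its own issuance records before signing: hash the SubjectPublicKeyInfo carried in the CSR and look up every certificate previously issued for that key. The Go program below is an added example written for this page, not code from any TSP or from the PA. It first verifies the CSR self-signature, which is the proof of possession that 3.2.1 relies on, and then applies the tpkio22 rule: reject if any earlier certificate for the key was revoked, reject if the key has already been reused once, reject while the earlier certificate is still valid, and otherwise allow a single reuse. The key history, serial numbers, fixed reference date and CSR contents are constructed for the example. Note that 4.7.1-tpkio21 above is stricter and would reject any reuse of a key from an expired certificate; this code implements tpkio22 as written.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"time"
)

// Issued is one certificate this TSP previously issued for a given public key.
type Issued struct {
	Serial   string
	NotAfter time.Time
	Revoked  bool
}

// KeyHistory indexes prior issuances by SPKIHash of the certified public key.
type KeyHistory map[string][]Issued

// SPKIHash returns hex(SHA-256(SubjectPublicKeyInfo DER)), the lookup key.
func SPKIHash(spkiDER []byte) string {
	return fmt.Sprintf("%x", sha256.Sum256(spkiDER))
}

// KeyFromCSR parses a DER CSR, checks its self-signature (proof of possession
// per 3.2.1) and returns the SubjectPublicKeyInfo it certifies.
func KeyFromCSR(csrDER []byte) ([]byte, error) {
	csr, err := x509.ParseCertificateRequest(csrDER)
	if err != nil {
		return nil, err
	}
	if err := csr.CheckSignature(); err != nil {
		return nil, fmt.Errorf("proof of possession failed: %w", err)
	}
	return csr.RawSubjectPublicKeyInfo, nil
}

// ReuseDecision applies 4.7.1-tpkio22: one more certificate may be issued for a
// key pair after its previous certificate expired, never after a revocation.
func ReuseDecision(h KeyHistory, spkiDER []byte, now time.Time) (bool, string) {
	recs := h[SPKIHash(spkiDER)]
	if len(recs) == 0 {
		return true, "key pair not seen before"
	}
	for _, r := range recs {
		if r.Revoked {
			return false, "key pair appeared in revoked certificate " + r.Serial
		}
	}
	if len(recs) > 1 {
		return false, "key pair already reused once"
	}
	if !now.After(recs[0].NotAfter) {
		return false, "previous certificate " + recs[0].Serial + " has not expired"
	}
	return true, "single reuse after expiry permitted"
}

// newCSR generates a fresh P-256 key pair and a CSR for it (constructed input).
func newCSR() ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.CertificateRequest{Subject: pkix.Name{CommonName: "test.example"}}
	return x509.CreateCertificateRequest(rand.Reader, tmpl, key)
}

// Demo runs the situations a TSP meets at re-key and returns each verdict.
func Demo() (map[string]bool, error) {
	csrDER, err := newCSR()
	if err != nil {
		return nil, err
	}
	spki, err := KeyFromCSR(csrDER)
	if err != nil {
		return nil, err
	}
	now := time.Date(2021, 9, 1, 0, 0, 0, 0, time.UTC) // fixed reference date
	id := SPKIHash(spki)
	expired := Issued{Serial: "01", NotAfter: now.Add(-24 * time.Hour)}
	live := Issued{Serial: "02", NotAfter: now.Add(24 * time.Hour)}
	revoked := Issued{Serial: "03", NotAfter: now.Add(-24 * time.Hour), Revoked: true}
	out := map[string]bool{}
	out["once_after_expiry"], _ = ReuseDecision(KeyHistory{id: {expired}}, spki, now)
	out["still_valid"], _ = ReuseDecision(KeyHistory{id: {live}}, spki, now)
	out["twice"], _ = ReuseDecision(KeyHistory{id: {expired, expired}}, spki, now)
	out["revoked"], _ = ReuseDecision(KeyHistory{id: {revoked}}, spki, now)
	tampered := append([]byte(nil), csrDER...)
	tampered[len(tampered)-1] ^= 0x01 // corrupt the signature: possession proof must fail
	_, err = KeyFromCSR(tampered)
	out["tampered_csr_rejected"] = err != nil
	return out, nil
}

func main() {
	fmt.Println(Demo())
}
```

The history is keyed on the hash of the full SubjectPublicKeyInfo rather than on the certificate, because the rule is about the key pair: the same key presented under a different subject name, or by a different subscriber, must still hit the revoked-key record.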
4.7.2 Who may request certification of a new public key
No stipulation.
4.7.3 Processing certificate re-keying requests
No stipulation.
4.7.4 Notification of new certificate issuance to subscriber
No stipulation.
4.7.5 Conduct constituting acceptance of a re-keyed certificate
No stipulation.
4.7.6 Publication of the re-keyed certificate by the CA
No stipulation.
4.7.7 Notification of certificate issuance by the CA to other entities
No stipulation.
4.8 Certificate modification
4.8.1 Circumstance for certificate modification
No stipulation.
4.8.2 Who may request certificate modification
No stipulation.
4.8.3 Processing certificate modification requests
No stipulation.
4.8.4 Notification of new certificate issuance to subscriber
No stipulation.
4.8.5 Conduct constituting acceptance of modified certificate
No stipulation.
4.8.6 Publication of the modified certificate by the CA
No stipulation.
4.8.7 Notification of certificate issuance by the CA to other entities
No stipulation.
4.9 Certificate revocation and suspension
4.9.1 Circumstances for revocation
No stipulation.
4.9.2 Who can request revocation
No stipulation.
4.9.3 Procedure for revocation request
No stipulation.
4.9.4 Revocation request grace period
No stipulation.
4.9.5 Time within which CA must process the revocation request
No stipulation.
4.9.6 Revocation checking requirement for relying parties
No stipulation.
4.9.7 CRL issuance frequency (if applicable)
4.9.7-tpkio1
Description
A TSP MUST use CRLs to provide certificate status information to relying parties. A TSP MUST use a single CRL, covering all revocation reasons, per issuing CA.
Comment: -
4.9.8 Maximum latency for CRLs (if applicable)
No stipulation.
4.9.9 On-line revocation/status checking availability
4.9.9-tpkio3
Description
A TSP MUST use OCSP to provide certificate status information.
OCSP responses MUST conform to RFC6960 and MUST either:
- Be signed by the CA that issued the certificates whose revocation status is being checked, OR
- Be signed by an OCSP Responder whose certificate is signed by the CA that issued the certificate whose revocation status is being checked.
If a TSP implements the latter option, the OCSP signing certificate MUST contain an extension of type id-pkix-ocsp-nocheck, as defined in RFC 6960.
Comment: -
4.9.9-tpkio24
Description
A TSP MAY use OCSP to provide certificate status information.
Comment: If OCSP is used, OCSP responses MUST conform to RFC6960 and MUST either:
- Be signed by the CA that issued the certificates whose revocation status is being checked, OR
- Be signed by an OCSP Responder whose certificate is signed by the CA that issued the certificate whose revocation status is being checked.
If a TSP implements the latter option, the OCSP signing certificate MUST contain an extension of type id-pkix-ocsp-nocheck, as defined in RFC 6960.
4.9.9-tpkio26
Description
A TSP MUST NOT make use of precomputed OCSP responses.
Comment: -
4.9.10 On-line revocation checking requirements
4.9.10-tpkio25
Description
If a TSP supports OCSP, it SHALL support an OCSP capability using the GET method for certificates issued in accordance with this CP.
Comment: -
4.9.11 Other forms of revocation advertisements available
No stipulation.
4.9.12 Special requirements related to key compromise
No stipulation.
4.9.13 Circumstances for suspension
4.9.13-tpkio27
Description
A TSP MUST NOT support certificate suspension.
Comment: -
4.9.14 Who can request suspension
No stipulation.
4.9.15 Procedure for suspension request
No stipulation.
4.9.16 Limits on suspension period
No stipulation.
4.10 Certificate status services
4.10.1 Operational characteristics
4.10.1-tpkio28
Description
A TSP MUST keep revoked certificates on a CRL for at least 6 months after the date listed in the notAfter field of a certificate.
Comment: -
4.10.2 Service availability
No stipulation.
4.11 End of subscription
No stipulation.
4.12 Key escrow and recovery
4.12.1 Key escrow and recovery policy and practices
No stipulation.
4.12.2 Session key encapsulation and recovery policy and practices
No stipulation.
5. FACILITY, MANAGEMENT, AND OPERATIONAL CONTROLS
5.1 Physical controls
5.1-tpkio29
Description
A TSP SHALL take all appropriate measures concerning Physical Controls based on a risk analysis in which applicable risks have been taken into account.
Comment: -
5.1.1 Site location and construction
No stipulation.
5.1.2 Physical access
No stipulation.
5.1.3 Power and air conditioning
No stipulation.
5.1.4 Water exposures
No stipulation.
5.1.5 Fire prevention and protection
No stipulation.
5.1.6 Media storage
No stipulation.
5.1.7 Waste disposal
No stipulation.
5.1.8 Off-site backup
No stipulation.
5.2 Procedural controls
5.2-tpkio30
Description
A TSP SHALL take all appropriate measures concerning Procedural Controls based on a risk analysis in which applicable risks have been taken into account.
Comment: -
5.2.1 Trusted roles
No stipulation.
5.2.2 Number of persons required per task
No stipulation.
5.2.3 Identification and authentication for each role
No stipulation.
5.2.4 Roles requiring separation of duties
No stipulation.
5.3 Personnel controls
5.3-tpkio31
Description
A TSP SHALL take all appropriate measures concerning Personnel Controls based on a risk analysis in which applicable risks have been taken into account.
Comment: -
5.3.1 Qualifications, experience, and clearance requirements
No stipulation.
5.3.2 Background check procedures
No stipulation.
5.3.3 Training requirements
No stipulation.
5.3.4 Retraining frequency and requirements
No stipulation.
5.3.5 Job rotation frequency and sequence
No stipulation.
5.3.6 Sanctions for unauthorized actions
No stipulation.
5.3.7 Independent contractor requirements
No stipulation.
5.3.8 Documentation supplied to personnel
No stipulation.
5.4 Audit logging procedures
5.4.1 Types of events recorded
No stipulation.
5.4.2 Frequency of processing log
No stipulation.
5.4.3 Retention period for audit log
No stipulation.
5.4.4 Protection of audit log
No stipulation.
5.4.5 Audit log backup procedures
No stipulation.
5.4.6 Audit collection system (internal vs. external)
No stipulation.
5.4.7 Notification to event-causing subject
No stipulation.
5.4.8 Vulnerability assessments
No stipulation.
5.5 Records archival
5.5.1 Types of records archived
No stipulation.
5.5.2 Retention period for archive
No stipulation.
5.5.3 Protection of archive
No stipulation.
5.5.4 Archive backup procedures
No stipulation.
5.5.5 Requirements for time-stamping of records
No stipulation.
5.5.6 Archive collection system (internal or external)
No stipulation.
5.5.7 Procedures to obtain and verify archive information
No stipulation.
5.6 Key changeover
No stipulation.
5.7 Compromise and disaster recovery
5.7.1 Incident and compromise handling procedures
No stipulation.
5.7.2 Computing resources, software, and/or data are corrupted
No stipulation.
5.7.3 Entity private key compromise procedures
No stipulation.
5.7.4 Business continuity capabilities after a disaster
No stipulation.
5.8 CA or RA termination
No stipulation.
6. TECHNICAL SECURITY CONTROLS
6.1 Key pair generation and installation
6.1.1 Key pair generation
6.1.1-tpkio32
Description
The TSP SHALL reject a certificate request if the requested Public Key does not meet the requirements as listed in sections 6.1.5 Key sizes and 6.1.6 Public key parameters generation and quality checking or if it has a known weak Private Key.
Comment: -
6.1.1-tpkio35
Description
A TSP SHALL NOT generate key pairs for server certificates.
Comment: -
6.1.2 Private key delivery to subscriber
No stipulation.
6.1.3 Public key delivery to certificate issuer
No stipulation.
6.1.4 CA public key delivery to relying parties
See 2.2-tpkio12.
6.1.5 Key sizes
6.1.5-tpkio34
Description
Certificates issued to end-users MUST meet the following requirements for algorithm type and key size:
Type | Permitted Values
---|---
Digest algorithm | SHA-256 or SHA-384
Minimum RSA modulus size (bits) | 2048
ECC curve | P-256 or P-384
Comment: -
6.1.6 Public key parameters generation and quality checking
No stipulation.
6.1.7 Key usage purposes (as per X.509 v3 key usage field)
No stipulation.
6.2 Private Key Protection and Cryptographic Module Engineering Controls
6.2-tpkio36
Description
A TSP SHALL take all appropriate measures concerning protection of the signing key of a PKIoverheid TRIAL TSP CA (issuing CA) based on a risk analysis in which applicable risks have been taken into account.
Comment: -
6.2.1 Cryptographic module standards and controls
No stipulation.
6.2.2 Private key (n out of m) multi-person control
No stipulation.
6.2.3 Private key escrow
No stipulation.
6.2.4 Private key backup
No stipulation.
6.2.5 Private key archival
No stipulation.
6.2.6 Private key transfer into or from a cryptographic module
No stipulation.
6.2.7 Private key storage on cryptographic module
No stipulation.
6.2.8 Method of activating private key
No stipulation.
6.2.9 Method of deactivating private key
No stipulation.
6.2.10 Method of destroying private key
No stipulation.
6.2.11 Cryptographic Module Rating
No stipulation.
6.3 Other aspects of key pair management
6.3.1 Public key archival
No stipulation.
6.3.2 Certificate operational periods and key pair usage periods
6.3.2-tpkio37
Description
Private keys used by a certificate holder under the requirements of this CP MUST NOT be used for more than 397 days. Certificates issued under the requirements of this CP MUST NOT be valid for more than 397 days either.
Comment: -
6.4 Activation data
6.4.1 Activation data generation and installation
No stipulation.
6.4.2 Activation data protection
No stipulation.
6.4.3 Other aspects of activation data
No stipulation.
6.5 Computer security controls
6.5-tpkio41
Description
A TSP SHALL take all appropriate measures concerning Computer Security Controls based on a risk analysis in which applicable risks have been taken into account.
Comment: -
6.5.1 Specific computer security technical requirements
No stipulation.
6.5.2 Computer security rating
No stipulation.
6.6 Life cycle technical controls
6.6.1 System development controls
No stipulation.
6.6.2 Security management controls
No stipulation.
6.6.3 Life cycle security controls
No stipulation.
6.7 Network security controls
6.7-tpkio42
Description
A TSP SHALL take all appropriate measures concerning Network Security Controls based on a risk analysis in which applicable risks have been taken into account.
Comment: -
6.8 Time-stamping
No stipulation.
7. CERTIFICATE, CRL, AND OCSP PROFILES
7.1 Certificate profile
7.1-tpkio44
Description
The TSP SHALL meet the technical requirements set forth in Section 2.2 Publication of certification information, Section 6.1.5 Key sizes and Section 6.1.6 Public key parameters generation and quality checking.
Comment: -
7.1-tpkio45
Description
A Serial Number MUST be included in a certificate. The serial number of a PKIoverheid certificate issued by a TSP MUST comply with the following requirements:
- The value of the serial number MUST NOT be 0 (zero)
- The value of the serial number MUST NOT be negative
- The value of the serial number MUST be unique for each certificate issued by a given TSP CA
- The serial number SHALL have a minimum length of 96 bits (12 octets)
- The serial number SHALL contain at least 64 bits of random data
- The random data SHOULD be generated by a CSPRNG (Cryptographically Secure Pseudorandom Number Generator).
- The serial number MUST NOT be longer than 160 bits (20 octets).
Comment: -
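As an added illustration (not code from the Programme of Requirements or from any TSP), the following Python generates serial numbers that satisfy the rules above using the standard library's CSPRNG and checks candidate values against them; the function and class names are this example's own. It reads the 96-bit minimum as a property of the value itself and the 20-octet maximum as a property of the DER encoding, which is where the two readings diverge: a value whose top bit is set needs a leading sign octet in DER, so a 160-bit value with its top bit set encodes to 21 octets.

```python
"""Certificate serial numbers under 7.1-tpkio45: CSPRNG-based generation and a
compliance check.  Added example, not part of the Programme of Requirements;
the function and class names are this illustration's own."""
import secrets

MIN_BITS = 96          # "minimum length of 96 bits"
MAX_OCTETS = 20        # "MUST NOT be longer than 160 bits (20 octets)"
MIN_RANDOM_BITS = 64   # "at least 64 bits of random data"
# A 12-octet DER INTEGER with its sign bit clear holds at most 95 bits, so the
# smallest encoding that also satisfies the 96-bit minimum is 13 octets.
MIN_OCTETS = 13


def der_integer_octets(value: int) -> int:
    """Number of content octets DER needs for a positive INTEGER.

    DER uses two's complement: if the top bit of the magnitude is set, a 0x00
    sign octet is prepended, so a 160-bit value can need 21 octets.
    """
    if value <= 0:
        raise ValueError("only positive serial numbers are encoded here")
    return value.bit_length() // 8 + 1


def generate_serial(octets: int = 16) -> int:
    """Return a serial that encodes to exactly `octets` DER octets.

    The top bit of the encoding is left clear (no sign octet needed) and the
    bit below it is forced to 1 (fixed length); every lower bit comes from the
    CSPRNG.  The default of 16 octets yields 126 random bits, well above the
    64-bit minimum.
    """
    if not MIN_OCTETS <= octets <= MAX_OCTETS:
        raise ValueError(f"octets must be between {MIN_OCTETS} and {MAX_OCTETS}")
    random_bits = 8 * octets - 2
    assert random_bits >= MIN_RANDOM_BITS
    return (1 << random_bits) | secrets.randbits(random_bits)


def validate_serial(value: int) -> list[str]:
    """Return the 7.1-tpkio45 rules a given value violates (empty = compliant).

    The 64-bit randomness rule is a property of the generator, not of a single
    value, so it cannot be checked here; uniqueness is enforced by SerialRegistry.
    """
    problems = []
    if value == 0:
        problems.append("serial number is zero")
    if value < 0:
        problems.append("serial number is negative")
    if problems:
        return problems
    if value.bit_length() < MIN_BITS:
        problems.append(f"serial number is {value.bit_length()} bits, minimum is {MIN_BITS}")
    if der_integer_octets(value) > MAX_OCTETS:
        problems.append(f"serial number encodes to {der_integer_octets(value)} octets, maximum is {MAX_OCTETS}")
    return problems


class SerialRegistry:
    """Per-CA record of issued serials, enforcing uniqueness at issuance time."""

    def __init__(self) -> None:
        self._issued: set[int] = set()

    def issue(self, octets: int = 16) -> int:
        serial = generate_serial(octets)
        # A repeat is astronomically unlikely with 126 random bits, but the
        # uniqueness rule is absolute, so it is checked rather than assumed.
        if serial in self._issued:
            raise RuntimeError("CSPRNG produced a duplicate serial; refusing to issue")
        problems = validate_serial(serial)
        if problems:
            raise RuntimeError("; ".join(problems))
        self._issued.add(serial)
        return serial

    def __len__(self) -> int:
        return len(self._issued)
```

validate_serial cannot tell whether a given value actually carried 64 bits of CSPRNG output; that rule is satisfied by how generate_serial constructs the value, and the uniqueness rule by SerialRegistry when the serial is issued.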
7.1-tpkio47
Description
A TSP MUST only include certificate fields and extensions in a PKIoverheid TRIAL end-user certificate that are explicitly listed in section 7.1 Certificate profile.
Comment: -
7.1-tpkio67
Description
The Signature field MUST be included and its content MUST be set to match the requirements as described in section 6.1.5-tpkio34.
Comment: -
7.1-tpkio68
Description
A TSP MUST include the Validity field as indicated in RFC5280 section 4.1.2.5. The values used in this field MUST be set as not to exceed the maximum validity period as defined in section 6.3.2 Certificate operational periods and key pair usage periods.
Comment: -
7.1-tpkio81
Description
The subjectPublicKeyInfo field MUST be included in the certificate. Requirements on the key size and algorithms allowed are specified in sections 6.1.5 Key sizes and 7.1.3 Algorithm object identifiers.
Comment: -
7.1.1 Version number(s)
7.1.1-tpkio43
Description
Certificates issued by TSPs operating within the PKIoverheid framework MUST be of type X.509 v3.
Comment: -
7.1.2 Certificate extensions
7.1.2-tpkio46
Description
The Validity field MUST be set in accordance with both RFC5280 and the requirements put forth in section 6.3.2 of this CP regarding certificate lifespan.
Comment: -
7.1.2-tpkio48
Description
A TSP MUST include the KeyUsage field in a PKIoverheid TRIAL certificate under this CP. This field must be marked as Critical and MUST only contain the digitalSignature and keyEncipherment bits.
Comment: -
7.1.2-tpkio49
Description
The field SubjectKeyIdentifier MUST be included in a PKIoverheid TRIAL certificate. The field MUST be set in accordance with RFC5280.
Comment: -
7.1.2-tpkio50
Description
A TSP MUST include the KeyUsage field in a PKIoverheid TRIAL certificate under this CP. This field must be marked as Critical and MUST only contain the digitalSignature bit.
Comment: -
7.1.2-tpkio51
Description
A TSP MUST include the KeyUsage field in a PKIoverheid TRIAL certificate under this CP. This field must be marked as Critical and MUST only contain the keyEncipherment and dataEncipherment bits.
Comment: -
7.1.2-tpkio52
Description
A TSP MUST include the KeyUsage field in a PKIoverheid TRIAL certificate under this CP. This field must be marked as Critical and MUST only contain the nonRepudiation bit.
Comment: -
7.1.2-tpkio53
Description
A TSP MAY include the BasicConstraints extension. If included, the cA boolean MUST be an empty value. The pathLenConstraint MUST NOT be used.
Comment: -
7.1.2-tpkio54
Description
A TSP MUST include the CRLDistributionPoints extension. The extension MUST NOT be marked critical, and it MUST contain the HTTP URL or LDAP location of the CA’s CRL service. The attribute Reason MUST NOT be used.
Comment: -
7.1.2-tpkio55
Description
A TSP MUST include the extension ExtendedKeyUsage. This extension MUST NOT be marked as critical and MUST include the KeyPurposeIDs id-kp-serverAuth (RFC5280) and id-kp-clientAuth (RFC5280).
Comment: -
7.1.2-tpkio56
Description
A TSP MUST include the extension ExtendedKeyUsage. This extension MUST NOT be marked as critical and MUST include the KeyPurposeIDs id-kp-clientAuth (RFC5280), id-kp-emailProtection (RFC5280) and Document Signing (OID 1.3.6.1.4.1.311.10.3.12).
Comment: -
7.1.2-tpkio57
Description
A TSP MUST include the extension ExtendedKeyUsage. This extension MUST NOT be marked as critical and MUST include the KeyPurposeIDs id-kp-emailProtection (RFC5280) and Document Signing (OID 1.3.6.1.4.1.311.10.3.12).
Comment: -
7.1.2-tpkio58
Description
A TSP MUST include the extension ExtendedKeyUsage. This extension MUST NOT be marked as critical and MUST include the KeyPurposeIDs id-kp-emailProtection (RFC5280) and Encrypting File System (OID 1.3.6.1.4.1.311.10.3.4).
Comment: -
7.1.2-tpkio59
Description
A TSP MAY include the FreshestCRL extension. If included, it MUST NOT be marked critical. In order to fulfill the requirements of PKIoverheid a TSP MUST also publish full CRLs.
Comment: -
7.1.2-tpkio60
Description
A TSP MAY include the authorityInformationAccess extension to reference other additional information about the TSP. It MUST NOT be marked as critical. If the TSP supports OCSP, this extension MUST include the URI of an OCSP responder.
Comment: -
7.1.2-tpkio61
Description
A TSP MUST include the authorityInformationAccess extension. It MUST NOT be marked critical, and it MUST contain the HTTP URL of the Issuing CA’s OCSP responder (accessMethod = 1.3.6.1.5.5.7.48.1). It MUST also contain the HTTP URL of the Issuing CA’s certificate (accessMethod = 1.3.6.1.5.5.7.48.2).
Comment: -
7.1.2-tpkio64
Description
A TSP MAY include the subjectDirectoryAttributes field. If included, it MUST NOT be marked as critical. The TSP SHALL NOT include personal information that can hurt the privacy of the subject.
Comment: -
7.1.2-tpkio65
Description
A TSP MAY include the BiometricInfo extension. If included, it MUST NOT be marked as critical, MUST contain a hash of a biometric template and MAY contain a URI referring to a file containing the biometric template itself.
Comment: -
7.1.2-tpkio66
Description
A TSP MUST include the qcStatement-2 extension as defined in RFC3739 section 3.6.2.1. The extension MUST NOT be marked as critical and MUST include the semanticsIdentifier id-etsi-qcs-SemanticsId-Legal as defined in ETSI TS 119 412-1 section 5.1.3. Contrary to section 5.1.3, a TSP SHALL only use the prefix NTR. Any other prefix, if offered by ETSI TS 119 412-1, MUST NOT be used.
Comment: -
7.1.2-tpkio82
Description
The field AuthorityKeyIdentifier MUST be included in a PKIoverheid TRIAL certificate. The field MUST be set in accordance with RFC5280.
Comment: -
7.1.2-tpkio115
Description
A TSP MAY include the Subject.GivenName field. When included, this field MUST contain a correct reproduction of the element of the name laid down in the CN, based on the Compulsory Identification Act document.
Comment: This field MUST show the subject’s given name correctly, as shown on the Compulsory Identification Act document.
7.1.2-tpkio116
Description
A TSP MAY include the Subject.SurName field. When included, this field MUST contain a correct reproduction of the element of the name laid down in the CN, based on the Compulsory Identification Act document.
Comment: This field MUST show the subject’s surname including surname prefixes correctly, as shown on the Compulsory Identification Act document.
7.1.2-tpkio124
Description
Certificates for the electronic signature MUST indicate that they are issued as qualified certificates complying with annex I of EU regulation 920/2014. This compliance is indicated by including the id-etsi-qcs-QcCompliance statement in this extension.
Certificates for the electronic signature MUST indicate the type of certificate they are issued as, complying with annex I of EU regulation 920/2014. This is indicated by including the id-etsi-qct-esign statement in this extension.
Certificates for the electronic signature MUST indicate that the private key corresponding to the public key in the certificate is stored on a qualified signature creation device (QSCD) complying with annex II of EU regulation 920/2014. This compliance is indicated by including the id-etsi-qcs-QcSSCD statement in this extension.
Certificates for the electronic signature MUST contain a reference to the location of the PKI Disclosure Statement (PDS). This URL must be present in the id-etsi-qcs-QcPDS statement in this extension.
Comment: The aforementioned QcStatement identifiers relate to the following OIDs:
- id-etsi-qcs-QcCompliance { id-etsi-qcs 1 } (or 0.4.0.1862.1.1)
- id-etsi-qct-esign { id-etsi-qcs-QcType 1 } (or 0.4.0.1862.1.6.1)
- id-etsi-qcs-QcSSCD { id-etsi-qcs 4 } (or 0.4.0.1862.1.4)
- id-etsi-qcs-QcPDS { id-etsi-qcs 5 } (or 0.4.0.1862.1.5)
7.1.3 Algorithm object identifiers
7.1.3-tpkio62
Description
TSPs MUST only use the key sizes and signature algorithms defined in requirements 6.1.5-tpkio34.
Comment: -
7.1.4 Name forms
7.1.4-tpkio63
Description
The Issuer field MUST be included. It MUST contain a Distinguished Name which MUST match the Subject DN of the Issuing CA to support name chaining as specified in RFC 5280, Section 4.1.2.4.
Comment: -
7.1.4-tpkio68
Description
The Subject field MUST be included. Subject attributes MUST NOT contain only metadata such as ‘.’, ‘-’ and ‘ ’ (i.e. space) characters, and/or any other indication that the value is absent, incomplete, or not applicable.
Comment: -
7.1.4-tpkio69
Description
The subject.commonName attribute MUST be included. It MUST contain the following information:
[aristocratic designation] [Full first forename OR nickname] [initials other forenames OR full other forenames] [surname prefixes + surname partner ‘-’] [aristocratic title] [surname prefixes + surname at birth]
whereby:
- text in bold = compulsory part;
- italic = compulsory part, style in accordance with Compulsory Identification Act document;
- normal = optional part.
It also MUST include the word “TRIAL” after the initial subject information to indicate that it is a TRIAL certificate and is to be used for testing purposes only.
Comment: -
7.1.4-tpkio70
Description
The subject.commonName attribute MUST be included. It MUST include a name that identifies the service (e.g. the function of an organizational entity or the name by which the device or system is known). It also MUST include the word “TRIAL” after the initial subject information to indicate that it is a TRIAL certificate and is to be used for testing purposes only.
Comment: -
7.1.4-tpkio71
Description
The subject.commonName attribute SHOULD NOT be included. If included, it SHOULD contain either a FQDN (Fully Qualified Domain Name) or an IP address. An FQDN must also appear in the SubjectAltName.dNSName field. An IP address MUST also appear in the SubjectAltName.iPAddress field.
If it is not possible or desirable to include an FQDN in the subject.commonName field, but the field is necessary for the server to function properly, a TSP MAY choose to include the function of an organizational entity or the name by which the service, device or system is known.
A server certificate MAY contain multiple FQDNs from different domains on condition that these domains are registered in the name of the same subscriber or are under authorization by the same subscriber. This means that a TSP cannot combine FQDNs in one certificate that are both from different domains and registered in the name of different owners. The following are NOT allowed in the subject.commonName field, the SubjectAltName.iPAddress field or the SubjectAltName.dNSName field:
- wildcard FQDNs;
- local domain names;
- private IP addresses;
- internationalized domain names (IDNs);
- null characters \0;
- generic Top Level Domains (gTLD);
- country code Top Level Domains (ccTLD).
Comment: -
7.1.4-tpkio72
Description
The following values MUST NOT be included in the subject.commonName field, the SubjectAltName.iPAddress field or the SubjectAltName.dNSName field:
- wildcard FQDNs
- local domain names
- private IP addresses
- internationalized domain names (IDNs)
- null characters \0
- generic Top Level Domains (gTLD)
- country code Top Level Domains (ccTLD)
Comment: -
7.1.4-tpkio73
Description
The subject.countryName attribute MUST be included in a certificate. It MUST contain a two-letter country code in accordance with ISO 3166-1. If an official alpha-2 code is missing, the TSP MAY use the user-assigned code XX.
Comment: -
7.1.4-tpkio74
Description
The subject.organizationName attribute MUST be included in a certificate. It MUST contain the full organization name of the subscriber as supplied by the subscriber during registration. It also MUST include the word “TRIAL” after the initial subject information to indicate that it is a TRIAL certificate and is to be used for testing purposes only.
Comment: -
7.1.4-tpkio75
Description
The subject.organizationalUnitName attribute MUST be included in a certificate. It MUST contain the text “only to be used for testing purposes”. Additional instances of this attribute MAY be included in a certificate if needed. If so included, it MUST NOT contain a function indication or similar and MUST contain a valid name of an organizational entity of the subscriber in accordance with an accepted document or registry.
Comment: -
7.1.4-tpkio76
Description
The subject.stateOrProvinceName attribute MAY be included in a certificate. If included, it MUST include the province or state in which the subscriber is registered according to the accepted document or registry.
Comment: -
7.1.4-tpkio77
Description
The subject.localityName attribute MAY be included in a certificate. If included, it MUST include the location of the subscriber, in accordance with the accepted document or registry.
Comment: -
7.1.4-tpkio78
Description
The subject.postalAddress and subject.postalCode attributes MUST NOT be included in a certificate.
Comment: -
7.1.4-tpkio79
Description
The subject.serialnumber attribute MUST be included in a certificate. It MUST contain a number which can be determined by the TSP. The combination of CommonName, OrganizationName and Serialnumber MUST be unique within the context of the TSP. To avoid ambiguity, a serialNumber attribute MUST be allocated to every subject.
Comment: -
7.1.4-tpkio80
Description
The subject.serialnumber attribute MAY be included in a certificate. If included, it MUST contain a number generated by the TSP so that the combination of CommonName, OrganizationName and Serialnumber is unique within the context of the TSP, or MUST contain an OIN/HRN. The TSP SHALL only use 20 position serial numbers for OIN/HRN and only after additional arrangements have been made with Logius.
Comment: -
7.1.4-tpkio83
Description
Certificates SHALL contain the subjectAltName extension with at least one instance of the dNSName attribute in its extnValue field.
Each dNSName attribute SHALL contain a Fully-Qualified Domain Name (FQDN).
The FQDN SHALL:
- be in the “preferred name syntax”, as specified in RFC5280, and
- be owned or controlled by the Subject and to be associated with the Subject’s server which MAY be owned and operated by the Subject or another entity (e.g., a hosting service), the verification of which is described in Section 3.2.5.
Additionally, the FQDN SHALL NOT:
- contain a wildcard, and/or
- be an Internal Name.
The total number of instances of the dnsName attribute in a single certificate SHALL NOT:
- exceed 10 when these instances consist of just one Base Domain Name and sub-domains thereof, or
- exceed 5 when these instances consist of mixed Base Domain Names.
Comment: Further details and requirements for the otherName attribute are listed under 7.1.4-tpkio85.
7.1.4-tpkio84
Description
The subjectAltName field MUST be included in a certificate. Each entry MUST be an otherName attribute.
Comment: Further details and requirements for the otherName attribute are listed under 7.1.4-tpkio85.
7.1.4-tpkio85
Description
If a certificate contains a subjectAltName.otherName field, it MUST include an OID of the TSP assigned by the PA to the TSP, as well as a number that is unique within the namespace of that OID and permanently identifies the subject, in one of the following ways:
- MS UPN: (number)@(OID)
- MS UPN: (OID).(number)
- IA5String: (OID)-(number)
- Permanent Identifier: identifierValue = (number), assigner = (OID)
The chosen number MUST be persistent.
Comment: It is recommended that an existing registration number from back office systems is used, in combination with a code for the organization. In combination with the TSP OID, this identifier is internationally unique.
7.1.4-tpkio117
Description
The SubjectAltName.rfc822Name attribute MAY be included. If included, it is to be used for the e-mail address of the certificate holder, for applications that need the e-mail address to function properly.
Comment: -
7.1.4-tpkio118
Description
The SubjectAltName.rfc822Name attribute MAY be included. If included, it is to be used for the e-mail address of the service, for applications that need the e-mail address to function properly.
Comment: -
7.1.4-tpkio119
Description
The SubjectAltName.otherName attribute MUST be included. It MUST contain a unique identification number that identifies the certificate holder. In addition, in the authentication certificate, an otherName MAY be included for use with Single Sign On (SSO).
The field must contain one of the following: IA5String, Microsoft UPN, IBM Principal-Name, Kerberos PrincipalName or Permanent-Identifier.
Comment: The identifier is formed in one of the following ways:
1. MS UPN: [number]@[OID]
2. MS UPN: [OID].[number]
3. IA5String: [OID]-[number]
4. Permanent Identifier: identifierValue = [number], assigner = [OID]
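The identifier forms listed in the comment above (and in 7.1.4-tpkio85) all carry the same two pieces of information, the TSP's OID and a persistent number, so a relying application can normalise them to one (OID, number) pair and match a subject regardless of which encoding a given certificate uses. The following Python is an added example, not code from the Programme of Requirements or from any TSP; the TSP OID in it is a constructed placeholder, not a value assigned by the PA, and the function names are this example's own. Note that the "(OID).(number)" form can only be split when the TSP OID is already known, which is why every parser takes it as a parameter.

```python
"""Parsing and producing the subject identifier forms allowed in
subjectAltName.otherName (7.1.4-tpkio85, comment to 7.1.4-tpkio119).
Added example, not part of the Programme of Requirements."""
from dataclasses import dataclass

# Placeholder for the OID that the PA assigns to a TSP (constructed, under a
# fictitious private-enterprise arc; not a real assignment).
EXAMPLE_TSP_OID = "1.3.6.1.4.1.99999.1"

UPN_AT = "ms-upn-at"              # MS UPN: (number)@(OID)
UPN_DOT = "ms-upn-dot"            # MS UPN: (OID).(number)
IA5 = "ia5string"                 # IA5String: (OID)-(number)
PERMANENT = "permanent-identifier"  # RFC 4043 PermanentIdentifier structure


@dataclass(frozen=True)
class SubjectIdentifier:
    form: str
    oid: str     # the TSP's OID, i.e. the namespace of the number
    number: str  # the persistent number, unique within that namespace


def _check_number(number: str, value: str) -> None:
    # The requirement asks for "a number"; reject empty or non-digit parts.
    if not number.isdigit():
        raise ValueError(f"identifier part is not a number: {value!r}")


def parse_subject_identifier(value: str, tsp_oid: str) -> SubjectIdentifier:
    """Recognise one of the three string forms against a known TSP OID."""
    if "@" in value:                            # (number)@(OID)
        number, _, oid = value.partition("@")
        if oid != tsp_oid:
            raise ValueError(f"OID {oid!r} is not the TSP OID")
        _check_number(number, value)
        return SubjectIdentifier(UPN_AT, oid, number)
    if value.startswith(tsp_oid + "."):         # (OID).(number)
        number = value[len(tsp_oid) + 1:]
        _check_number(number, value)
        return SubjectIdentifier(UPN_DOT, tsp_oid, number)
    if value.startswith(tsp_oid + "-"):         # (OID)-(number)
        number = value[len(tsp_oid) + 1:]
        _check_number(number, value)
        return SubjectIdentifier(IA5, tsp_oid, number)
    raise ValueError(f"not an allowed identifier form for OID {tsp_oid}: {value!r}")


def parse_permanent_identifier(identifier_value: str, assigner: str,
                               tsp_oid: str) -> SubjectIdentifier:
    """The fourth form is a structure, not a string: identifierValue carries
    the number and assigner carries the TSP OID."""
    if assigner != tsp_oid:
        raise ValueError(f"assigner {assigner!r} is not the TSP OID")
    _check_number(identifier_value, identifier_value)
    return SubjectIdentifier(PERMANENT, assigner, identifier_value)


def format_subject_identifier(ident: SubjectIdentifier) -> str:
    """Inverse of parse_subject_identifier for the three string forms."""
    if ident.form == UPN_AT:
        return f"{ident.number}@{ident.oid}"
    if ident.form == UPN_DOT:
        return f"{ident.oid}.{ident.number}"
    if ident.form == IA5:
        return f"{ident.oid}-{ident.number}"
    raise ValueError("permanent-identifier has no string form")


def same_subject(a: SubjectIdentifier, b: SubjectIdentifier) -> bool:
    """Two identifiers name the same subject when OID and number agree; the
    form is only an encoding, and the number is required to be persistent."""
    return (a.oid, a.number) == (b.oid, b.number)
```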
7.1.4-tpkio120
Description
The subject.organizationIdentifier attribute MUST be included. The organizationIdentifier field contains an identification of the subject.
Comment: The type is string and the syntax of the identification string is specified in paragraph 5.1.4 of ETSI EN 319 412-1 and contains:
- 3 character legal person identity type reference;
- 2 character ISO 3166 [2] country code;
- hyphen-minus “-” (0x2D (ASCII), U+002D (UTF-8)); and
- identifier (according to country and identity type reference).
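The string syntax in the comment above can be checked mechanically. The following Python parser is an added example, not part of the Programme of Requirements or of any TSP's code; it restricts the identity type reference to NTR as 7.1.2-tpkio66 requires, applies the rule of 7.1.4-tpkio68 that a subject attribute may not consist only of metadata characters to the identifier part, and uses constructed sample values (the identifier 12345678 is not a real registration number). Only the shape of the country code is checked; matching it against the ISO 3166 table is left to the caller.

```python
"""Syntax check for subject.organizationIdentifier (7.1.4-tpkio120) in the
ETSI EN 319 412-1 clause 5.1.4 form, restricted to the NTR scheme of
7.1.2-tpkio66.  Added example, not part of the Programme of Requirements;
the names are this illustration's own and the sample values are constructed."""
import re
from dataclasses import dataclass

# 3-character identity type reference, 2-character country code,
# hyphen-minus, then the identifier.
_ORG_ID = re.compile(r"^(?P<scheme>[A-Z]{3})(?P<country>[A-Z]{2})-(?P<identifier>.+)$")

# 7.1.2-tpkio66: a TSP SHALL only use the prefix NTR.
ALLOWED_SCHEMES = frozenset({"NTR"})

# 7.1.4-tpkio68: '.', '-' and space alone are metadata, not a value.
_METADATA_CHARS = set(".- ")


@dataclass(frozen=True)
class OrganizationIdentifier:
    scheme: str
    country: str
    identifier: str

    def __str__(self) -> str:
        return f"{self.scheme}{self.country}-{self.identifier}"


def parse_organization_identifier(value: str) -> OrganizationIdentifier:
    """Split the string form into its parts; raise ValueError on bad syntax."""
    m = _ORG_ID.match(value)
    if m is None:
        raise ValueError(f"not in <type><country>-<identifier> form: {value!r}")
    return OrganizationIdentifier(m["scheme"], m["country"], m["identifier"])


def check_organization_identifier(value: str) -> list[str]:
    """Return the policy violations for a value (empty list = accepted)."""
    try:
        parsed = parse_organization_identifier(value)
    except ValueError as exc:
        return [str(exc)]
    problems = []
    if parsed.scheme not in ALLOWED_SCHEMES:
        problems.append(f"scheme {parsed.scheme} is not allowed; only NTR may be used")
    if set(parsed.identifier) <= _METADATA_CHARS:
        problems.append("identifier consists only of metadata characters")
    return problems
```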
7.1.4-tpkio121
Description
The subject.serialnumber attribute MAY be included. If included, the TSP is responsible for safeguarding the uniqueness of the subject (service). The subject.serialnumber MUST be used to identify the subject uniquely. The use of 20 positions is only allowed for OIN and HRN after additional arrangements with Logius.
Comment: The type is Printable String and the number is determined by the TSP and/or the government. The number can differ for each domain and can be used for several applications.
7.1.4-tpkio122
Description
The Subject.SurName attribute MUST be included when it is included in the Compulsory Identification Act document. It MUST contain a correct reproduction of the element of the name laid down in the CN, based on the Compulsory Identification Act document, and MUST be in the UTF8String format.
Comment: This field MUST show the subject’s surname including surname prefixes correctly, as shown on the Compulsory Identification Act document.
7.1.4-tpkio123
Description
The Subject.GivenName attribute MUST be included when it is included in the Compulsory Identification Act document. It MUST contain a correct reproduction of the element of the name laid down in the CN, based on the Compulsory Identification Act document, and MUST be in the UTF8String format.
Comment: This field MUST show the subject’s given name correctly, as shown on the Compulsory Identification Act document.
7.1.5 Name constraints
No stipulation.
7.1.6 Certificate policy object identifier
7.1.6-tpkio11
Description
The Certificatepolicies extension MUST be included, MUST NOT be marked as critical, and MUST contain the policyIdentifier 2.1.6.528.1.1003.1.2.9.1 ({joint-iso-itu-t(2) country(16) nl(528) nederlandse-organisatie(1) nederlandse-overheid(1003) pki-voor-de-overheid(1) cp(2).test(9).authenticiteitpersoon(1)}).
Comment: -
7.1.6-tpkio86
Description
The Certificatepolicies extension MUST be included, MUST NOT be marked as critical, and MUST contain the policyIdentifier 2.1.6.528.1.1003.1.2.9.2 ({joint-iso-itu-t(2) country(16) nl(528) nederlandse-organisatie(1) nederlandse-overheid(1003) pki-voor-de-overheid(1) cp(2).test(9).onweerlegbaarheid(2)}).
Comment: -
7.1.6-tpkio87
Description
The Certificatepolicies extension MUST be included, MUST NOT be marked as critical, and MUST contain the policyIdentifier 2.1.6.528.1.1003.1.2.9.3 ({joint-iso-itu-t(2) country(16) nl(528) nederlandse-organisatie(1) nederlandse-overheid(1003) pki-voor-de-overheid(1) cp(2).test(9).vertrouwelijkheid(3)}).
Comment: -
7.1.6-tpkio88
Description
The Certificatepolicies extension MUST be included, MUST NOT be marked as critical, and MUST contain the policyIdentifier 2.1.6.528.1.1003.1.2.9.4 ({joint-iso-itu-t(2) country(16) nl(528) nederlandse-organisatie(1) nederlandse-overheid(1003) pki-voor-de-overheid(1) cp(2).test(9).authenticiteit-services(4)}).
Comment: -
7.1.6-tpkio89
Description
The Certificatepolicies extension MUST be included, MUST NOT be marked as critical, and MUST contain the policyIdentifier 2.1.6.528.1.1003.1.2.9.5 ({joint-iso-itu-t(2) country(16) nl(528) nederlandse-organisatie(1) nederlandse-overheid(1003) pki-voor-de-overheid(1) cp(2).test(9).vertrouwelijkheid-services(5)}).
Comment: -
7.1.6-tpkio90
Description
The Certificatepolicies extension MUST be included, MUST NOT be marked as critical, and MUST contain the policyIdentifier 2.1.6.528.1.1003.1.2.9.6 ({joint-iso-itu-t(2) country(16) nl(528) nederlandse-organisatie(1) nederlandse-overheid(1003) pki-voor-de-overheid(1) cp(2).test(9).server(6)}).
Comment: -
7.1.6-tpkio93
Description
The Certificatepolicies extension MUST be included, MUST NOT be marked as critical, and MUST contain the policyIdentifier 2.1.6.528.1.1003.1.2.9.10 ({joint-iso-itu-t(2) country(16) nl(528) nederlandse-organisatie(1) nederlandse-overheid(1003) pki-voor-de-overheid(1) cp(2).test(9).onweerlegbaarheid-services(10)}).
Comment: -
7.1.7 Usage of Policy Constraints extension
No stipulation.
7.1.8 Policy qualifiers syntax and semantics
7.1.8-tpkio94
Description
A user notice qualifier MUST be included in the Certificatepolicies extension and MUST contain an explicitText field. The explicitText field MUST mention the testing nature of the PKIoverheid TRIAL certificate and MAY include further disclaimers by the TSP as indicated in section 1.3.4 Relying parties.
Comment: -
7.1.9 Processing semantics for the critical Certificate Policies extension
No stipulation.
7.2 CRL profile
7.2-tpkio96
Description
Requirements 7.1-tpkio67 and 7.1.4-tpkio63 MUST be adhered to by the TSP for the CRL profile.
Comment: -
7.2-tpkio98
Description
The ThisUpdate and NextUpdate fields MUST be included in a CRL. If this CP imposes requirements on TSPs for the maximum validity of a CRL in section 4.10 Certificate status services, a TSP MUST set the values of these fields accordingly.
Comment: -
7.2-tpkio99
Description
The revokedCertificates field MUST be included in a CRL. It MUST include the date and time of revocation and the serialNumber of the revoked certificates. If there are no revoked certificates, this field MUST NOT be present.
Comment: -
7.2.1 Version number(s)
No stipulation.
7.2.1-tpkio95
Description
CRLs issued by TSPs MUST be version 2.
Comment: -
7.2.2 CRL and CRL entry extensions
No stipulation.
7.2.2-tpkio100
Description
The AuthorityKeyIdentifier field MAY be included. If included, it MUST NOT be marked as critical and MUST include the SHA-1 hash of the authorityKey (public key of the TSP/CA).
Comment: -
7.2.2-tpkio102
Description
The IssuerAltName field SHOULD NOT be included in a CRL. If included, it MUST NOT be set as critical and MUST include a DNS name, IP address or URI. An RFC822 name MUST NOT be used.
Comment: -
7.2.2-tpkio103
Description
The CRLNumber extension MUST be included in a CRL. It MUST NOT be marked critical and it MUST contain an incremental number that provides support when determining the order of CRLs.
Comment: -
7.2.2-tpkio104
Description
The DeltaCRLIndicator extension MAY be included in a CRL to mark it as a Delta CRL. If included, it MUST be marked as critical and contain the number of the base CRL it updates.
Comment: -
7.2.2-tpkio105
Description
The issuingDistributionPoint extension MAY be included in a CRL. If included, it MUST be marked as critical and MUST conform to the specifications and requirements as defined by RFC5280 section 5.2.5.
Comment: -
7.2.2-tpkio106
Description
The FreshestCRL extension MAY be included in a full CRL. It MUST NOT be included in a Delta CRL. If included, it MUST NOT be marked as critical and MUST contain the URI of a Delta CRL distribution point.
Comment: -
7.2.2-tpkio107
Description
The authorityInfoAccess extension MAY be included in a CRL. If included, it MUST NOT be marked as critical and MUST conform to section 5.2.7 of RFC5280.
Comment: -
7.2.2-tpkio108
Description
The reasonCode extension MAY be included in a CRL. If included, it MUST NOT be marked as critical and MUST contain a valid reason for revocation per RFC 5280 section 5.3.1. If no reason is given, this extension MUST be omitted.
Comment: -
7.2.2-tpkio109
Description
The invalidityDate attribute MAY be included in a CRL entry. If included, it MUST NOT be marked as critical and MUST indicate the date and time on which the certificate was suspected to have been compromised or otherwise made invalid, if that precedes the date and time on which the TSP processed the revocation.
Comment: -
7.2.2-tpkio110
Description
The certificateIssuer extension SHOULD NOT be included in a CRL. If included, it MUST be marked as critical and MUST be used to identify the original issuer of the certificate.
Comment: -
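As an added example that is not part of this CP or of any TSP's software: a check that evaluates a CRL's extension set against requirements 7.2.2-tpkio102 to 7.2.2-tpkio110 above. It assumes the CRL has already been parsed into a dict of extension OID to (critical, value); the OIDs are those of RFC 5280, and the sample input is constructed.

```python
"""Check a CRL's extensions against the PKIoverheid TRIAL CRL profile
(7.2.2-tpkio102..110). Extensions are modelled as {OID: (critical, value)};
turning DER into that shape is assumed to happen elsewhere (added example)."""

# RFC 5280 extension OIDs used by the profile
IAN, CRL_NUMBER, DELTA_CRL = "2.5.29.18", "2.5.29.20", "2.5.29.27"
IDP, FRESHEST, AIA = "2.5.29.28", "2.5.29.46", "1.3.6.1.5.5.7.1.1"
REASON, INVALIDITY_DATE, CERT_ISSUER = "2.5.29.21", "2.5.29.24", "2.5.29.29"

# CRL-level rules: OID -> (requirement, required?, must be critical?)
CRL_RULES = {
    IAN: ("7.2.2-tpkio102", False, False),
    CRL_NUMBER: ("7.2.2-tpkio103", True, False),
    DELTA_CRL: ("7.2.2-tpkio104", False, True),
    IDP: ("7.2.2-tpkio105", False, True),
    FRESHEST: ("7.2.2-tpkio106", False, False),
    AIA: ("7.2.2-tpkio107", False, False),
}
# Entry-level rules: OID -> (requirement, must be critical?)
ENTRY_RULES = {
    REASON: ("7.2.2-tpkio108", False),
    INVALIDITY_DATE: ("7.2.2-tpkio109", False),
    CERT_ISSUER: ("7.2.2-tpkio110", True),
}
# CRLReason values from RFC 5280 5.3.1; unspecified(0) means "no reason
# given", which tpkio108 says must be expressed by omitting the extension.
VALID_REASONS = {1, 2, 3, 4, 5, 6, 8, 9, 10}

def check_crl_profile(crl_exts, entries):
    """Return [(requirement, message), ...]; an empty list means compliant."""
    violations = []
    for oid, (req, required, critical) in CRL_RULES.items():
        if oid not in crl_exts:
            if required:
                violations.append((req, f"missing required extension {oid}"))
        elif crl_exts[oid][0] != critical:
            violations.append((req, f"{oid} must{'' if critical else ' not'} be critical"))
    # tpkio106: FreshestCRL is only allowed in a full CRL, never in a Delta CRL
    if DELTA_CRL in crl_exts and FRESHEST in crl_exts:
        violations.append(("7.2.2-tpkio106", "FreshestCRL present in a Delta CRL"))
    for idx, ext in enumerate(entries):
        for oid, (req, critical) in ENTRY_RULES.items():
            if oid in ext and ext[oid][0] != critical:
                violations.append((req, f"entry {idx}: {oid} criticality wrong"))
        if REASON in ext and ext[REASON][1] not in VALID_REASONS:
            violations.append(("7.2.2-tpkio108", f"entry {idx}: bad reasonCode"))
    return violations

# Constructed sample: a Delta CRL whose indicator is wrongly non-critical,
# which also carries FreshestCRL, with an 'unspecified' reasonCode entry.
SAMPLE_CRL = {CRL_NUMBER: (False, 42), DELTA_CRL: (False, 41),
              FRESHEST: (False, "http://example.invalid/delta.crl")}
SAMPLE_ENTRIES = [{REASON: (False, 0), INVALIDITY_DATE: (False, "20240101000000Z")}]
```

Running `check_crl_profile(SAMPLE_CRL, SAMPLE_ENTRIES)` reports one violation each for tpkio104, tpkio106 and tpkio108.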
7.3 OCSP profile
7.3-tpkio111
Description
The following requirements MUST be adhered to by a TSP with regards to the OCSP profile:
- 7.1-tpkio44
- 7.1-tpkio45
- 7.1-tpkio67
- 7.1-tpkio68
- 7.1-tpkio81
- 7.1.1-tpkio43
- 7.1.2-tpkio50
- 7.1.2-tpkio54
- 7.1.3-tpkio62
- 7.1.4-tpkio63
- 7.1.4-tpkio68
- 7.1.4-tpkio70
- 7.1.4-tpkio73
- 7.1.4-tpkio74
- 7.1.4-tpkio75
- 7.1.4-tpkio76
- 7.1.4-tpkio77
- 7.1.4-tpkio78
- 7.1.6-tpkio88
- 7.1.8-tpkio94
Comment: -
7.3.1 Version number(s)
No stipulation.
7.3.2 OCSP extensions
7.3.2-tpkio112
Description
When issuing an OCSP signing certificate, a TSP MUST include the extension ExtendedKeyUsage. This extension MUST be marked as critical and MUST include the KeyPurposeId id-kp-OCSPSigning.
Comment: -
7.3.2-tpkio113
Description
When issuing an OCSP signing certificate, a TSP MUST include the extension ocspNoCheck. This extension SHOULD NOT be marked critical. The value of the extension MUST be NULL.
Comment: -
7.3.2-tpkio114
Description
When issuing an OCSP signing certificate, a TSP MAY include the extension ocspNoCheck. If included, this extension SHOULD NOT be marked critical and the value of the extension MUST be NULL.
Comment: -
8. COMPLIANCE AUDIT AND OTHER ASSESSMENTS
The PKIoverheid TRIAL hierarchy is designed and built upon the principle of “best effort” to emulate the technical aspects and requirements of PKIoverheid production certificates within the environment of a TSP’s internal organization or a subscriber’s staging environment. As such, no specific external or internal audit requirements are applicable to TSPs operating under this CP.
8.1 Frequency or circumstances of assessment
No stipulation.
8.2 Identity/qualifications of assessor
No stipulation.
8.3 Assessor’s relationship to assessed entity
No stipulation.
8.4 Topics covered by assessment
No stipulation.
8.5 Actions taken as a result of deficiency
No stipulation.
8.6 Communication of results
No stipulation.
9. OTHER BUSINESS AND LEGAL MATTERS
9.1 Fees
9.1.1 Certificate issuance or renewal fees
No stipulation.
9.1.2 Certificate access fees
No stipulation.
9.1.3 Revocation or status information access fees
No stipulation.
9.1.4 Fees for other services
No stipulation.
9.1.5 Refund policy
No stipulation.
9.2 Financial responsibility
9.2.1 Insurance coverage
No stipulation.
9.2.2 Other assets
No stipulation.
9.2.3 Insurance or warranty coverage for end-entities
No stipulation.
9.3 Confidentiality of business information
9.3.1 Scope of confidential information
No stipulation.
9.3.2 Information not within the scope of confidential information
No stipulation.
9.3.3 Responsibility to protect confidential information
No stipulation.
9.4 Privacy of personal information
9.4.1 Privacy plan
No stipulation.
9.4.2 Information treated as private
No stipulation.
9.4.3 Information not deemed private
No stipulation.
9.4.4 Responsibility to protect private information
No stipulation.
9.4.5 Notice and consent to use private information
No stipulation.
9.4.6 Disclosure pursuant to judicial or administrative process
No stipulation.
9.4.7 Other information disclosure circumstances
No stipulation.
9.5 Intellectual property rights
No stipulation.
9.6 Representations and warranties
9.6.1 CA representations and warranties
No stipulation.
9.6.2 RA representations and warranties
No stipulation.
9.6.3 Subscriber representations and warranties
No stipulation.
9.6.4 Relying party representations and warranties
9.6.5 Representations and warranties of other participants
No stipulation.
9.7 Disclaimers of warranties
9.7-tpkio97
Description
In the agreement between the TSP and the subscriber a clause MUST be included in which the TSP disclaims all warranties regarding the perceived trustworthiness and availability of PKIoverheid TRIAL certificates or its associated revocation checking mechanisms.
Comment: -
9.8 Limitations of liability
No stipulation.
9.9 Indemnities
No stipulation.
9.10 Term and termination
9.10.1 Term
No stipulation.
9.10.2 Termination
No stipulation.
9.10.3 Effect of termination and survival
No stipulation.
9.11 Individual notices and communications with participants
No stipulation.
9.12 Amendments
The change procedure for the PoR of the PKIoverheid is incorporated in PKIoverheid’s Certificate Practice Statement. The CPS can be obtained in electronic format on the PA’s website.
9.12.1 Procedure for amendment
No stipulation.
9.12.2 Notification mechanism and period
No stipulation.
9.12.3 Circumstances under which OID must be changed
No stipulation.
9.13 Dispute resolution provisions
No stipulation.
9.14 Governing law
Dutch law is applicable to the CPs of PKIoverheid.
9.15 Compliance with applicable law
No stipulation.
9.16 Miscellaneous provisions
9.16.1 Entire agreement
No stipulation.
9.16.2 Assignment
No stipulation.
9.16.3 Severability
No stipulation.
9.16.4 Enforcement (attorneys’ fees and waiver of rights)
No stipulation.
9.16.5 Force Majeure
No stipulation.
9.17 Other provisions
No stipulation.
Appendix A: Requirements (CP) for personal authentication certificates (OID 2.16.528.1.1003.1.2.9.1)
This Appendix is only a list of the requirements that have been explicitly defined in this CP. It is provided solely for the benefit of TSPs as an overview per certificate type.
Requirements in this CP for OID 2.16.528.1.1003.1.2.9.1
- 1.4.1-tpkio33
- 2.1-tpkio2
- 2.2-tpkio12
- 2.2-tpkio13
- 2.4-tpkio14
- 3.2.2-tpkio15
- 3.2.2-tpkio17
- 3.2.2-tpkio5
- 3.2.3-tpkio19
- 3.2.3-tpkio20
- 3.2.3-tpkio4
- 4.1-tpkio9
- 4.10.1-tpkio28
- 4.3.1-tpkio10
- 4.7.1-tpkio21
- 4.9.10-tpkio25
- 4.9.13-tpkio27
- 4.9.7-tpkio1
- 4.9.9-tpkio24
- 5.1-tpkio29
- 5.2-tpkio30
- 5.3-tpkio31
- 6.1.1-tpkio32
- 6.1.5-tpkio34
- 6.2-tpkio36
- 6.3.2-tpkio37
- 6.5-tpkio41
- 6.7-tpkio42
- 7.1-tpkio44
- 7.1-tpkio45
- 7.1-tpkio47
- 7.1-tpkio67
- 7.1-tpkio68
- 7.1-tpkio81
- 7.1.1-tpkio43
- 7.1.2-tpkio115
- 7.1.2-tpkio116
- 7.1.2-tpkio46
- 7.1.2-tpkio48
- 7.1.2-tpkio49
- 7.1.2-tpkio50
- 7.1.2-tpkio53
- 7.1.2-tpkio54
- 7.1.2-tpkio56
- 7.1.2-tpkio59
- 7.1.2-tpkio60
- 7.1.2-tpkio64
- 7.1.2-tpkio65
- 7.1.2-tpkio82
- 7.1.3-tpkio62
- 7.1.4-tpkio117
- 7.1.4-tpkio119
- 7.1.4-tpkio122
- 7.1.4-tpkio123
- 7.1.4-tpkio63
- 7.1.4-tpkio68
- 7.1.4-tpkio69
- 7.1.4-tpkio73
- 7.1.4-tpkio74
- 7.1.4-tpkio75
- 7.1.4-tpkio76
- 7.1.4-tpkio77
- 7.1.4-tpkio78
- 7.1.4-tpkio79
- 7.1.4-tpkio84
- 7.1.4-tpkio85
- 7.1.6-tpkio11
- 7.1.8-tpkio94
- 7.2-tpkio96
- 7.2-tpkio98
- 7.2-tpkio99
- 7.2.1-tpkio95
- 7.2.2-tpkio100
- 7.2.2-tpkio102
- 7.2.2-tpkio103
- 7.2.2-tpkio104
- 7.2.2-tpkio105
- 7.2.2-tpkio106
- 7.2.2-tpkio107
- 7.2.2-tpkio108
- 7.2.2-tpkio109
- 7.2.2-tpkio110
- 7.3.2-tpkio112
- 7.3.2-tpkio114
- 9.7-tpkio97
Appendix B: Requirements (CP) for personal signature certificates (OID 2.16.528.1.1003.1.2.9.2)
This Appendix is only a list of the requirements that have been explicitly defined in this CP. It is provided solely for the benefit of TSPs as an overview per certificate type.
Requirements in this CP for OID 2.16.528.1.1003.1.2.9.2
- 1.4.1-tpkio33
- 2.1-tpkio2
- 2.2-tpkio12
- 2.2-tpkio13
- 2.4-tpkio14
- 3.2.2-tpkio15
- 3.2.2-tpkio17
- 3.2.2-tpkio5
- 3.2.3-tpkio19
- 3.2.3-tpkio20
- 3.2.3-tpkio4
- 4.1-tpkio9
- 4.10.1-tpkio28
- 4.3.1-tpkio10
- 4.7.1-tpkio21
- 4.9.10-tpkio25
- 4.9.13-tpkio27
- 4.9.7-tpkio1
- 4.9.9-tpkio24
- 5.1-tpkio29
- 5.2-tpkio30
- 5.3-tpkio31
- 6.1.1-tpkio32
- 6.1.5-tpkio34
- 6.2-tpkio36
- 6.3.2-tpkio37
- 6.5-tpkio41
- 6.7-tpkio42
- 7.1-tpkio44
- 7.1-tpkio45
- 7.1-tpkio47
- 7.1-tpkio67
- 7.1-tpkio68
- 7.1-tpkio81
- 7.1.1-tpkio43
- 7.1.2-tpkio115
- 7.1.2-tpkio116
- 7.1.2-tpkio124
- 7.1.2-tpkio46
- 7.1.2-tpkio48
- 7.1.2-tpkio49
- 7.1.2-tpkio52
- 7.1.2-tpkio53
- 7.1.2-tpkio54
- 7.1.2-tpkio57
- 7.1.2-tpkio59
- 7.1.2-tpkio60
- 7.1.2-tpkio64
- 7.1.2-tpkio65
- 7.1.2-tpkio82
- 7.1.3-tpkio62
- 7.1.4-tpkio117
- 7.1.4-tpkio119
- 7.1.4-tpkio122
- 7.1.4-tpkio123
- 7.1.4-tpkio63
- 7.1.4-tpkio68
- 7.1.4-tpkio69
- 7.1.4-tpkio73
- 7.1.4-tpkio74
- 7.1.4-tpkio75
- 7.1.4-tpkio76
- 7.1.4-tpkio77
- 7.1.4-tpkio78
- 7.1.4-tpkio79
- 7.1.4-tpkio84
- 7.1.4-tpkio85
- 7.1.6-tpkio86
- 7.1.8-tpkio94
- 7.2-tpkio96
- 7.2-tpkio98
- 7.2-tpkio99
- 7.2.1-tpkio95
- 7.2.2-tpkio100
- 7.2.2-tpkio102
- 7.2.2-tpkio103
- 7.2.2-tpkio104
- 7.2.2-tpkio105
- 7.2.2-tpkio106
- 7.2.2-tpkio107
- 7.2.2-tpkio108
- 7.2.2-tpkio109
- 7.2.2-tpkio110
- 7.3.2-tpkio112
- 7.3.2-tpkio114
- 9.7-tpkio97
Appendix C: Requirements (CP) for personal encryption certificates (OID 2.16.528.1.1003.1.2.9.3)
This Appendix is only a list of the requirements that have been explicitly defined in this CP. It is provided solely for the benefit of TSPs as an overview per certificate type.
Requirements in this CP for OID 2.16.528.1.1003.1.2.9.3
- 1.4.1-tpkio33
- 2.1-tpkio2
- 2.2-tpkio12
- 2.2-tpkio13
- 2.4-tpkio14
- 3.2.2-tpkio15
- 3.2.2-tpkio17
- 3.2.2-tpkio5
- 3.2.3-tpkio19
- 3.2.3-tpkio20
- 3.2.3-tpkio4
- 4.1-tpkio9
- 4.10.1-tpkio28
- 4.3.1-tpkio10
- 4.7.1-tpkio21
- 4.9.10-tpkio25
- 4.9.13-tpkio27
- 4.9.7-tpkio1
- 4.9.9-tpkio24
- 5.1-tpkio29
- 5.2-tpkio30
- 5.3-tpkio31
- 6.1.1-tpkio32
- 6.1.5-tpkio34
- 6.2-tpkio36
- 6.3.2-tpkio37
- 6.5-tpkio41
- 6.7-tpkio42
- 7.1-tpkio44
- 7.1-tpkio45
- 7.1-tpkio47
- 7.1-tpkio67
- 7.1-tpkio68
- 7.1-tpkio81
- 7.1.1-tpkio43
- 7.1.2-tpkio115
- 7.1.2-tpkio116
- 7.1.2-tpkio46
- 7.1.2-tpkio49
- 7.1.2-tpkio51
- 7.1.2-tpkio53
- 7.1.2-tpkio54
- 7.1.2-tpkio58
- 7.1.2-tpkio59
- 7.1.2-tpkio60
- 7.1.2-tpkio64
- 7.1.2-tpkio65
- 7.1.2-tpkio82
- 7.1.3-tpkio62
- 7.1.4-tpkio117
- 7.1.4-tpkio119
- 7.1.4-tpkio122
- 7.1.4-tpkio123
- 7.1.4-tpkio63
- 7.1.4-tpkio68
- 7.1.4-tpkio69
- 7.1.4-tpkio73
- 7.1.4-tpkio74
- 7.1.4-tpkio75
- 7.1.4-tpkio76
- 7.1.4-tpkio77
- 7.1.4-tpkio78
- 7.1.4-tpkio79
- 7.1.4-tpkio84
- 7.1.4-tpkio85
- 7.1.6-tpkio87
- 7.1.8-tpkio94
- 7.2-tpkio96
- 7.2-tpkio98
- 7.2-tpkio99
- 7.2.1-tpkio95
- 7.2.2-tpkio100
- 7.2.2-tpkio102
- 7.2.2-tpkio103
- 7.2.2-tpkio104
- 7.2.2-tpkio105
- 7.2.2-tpkio106
- 7.2.2-tpkio107
- 7.2.2-tpkio108
- 7.2.2-tpkio109
- 7.2.2-tpkio110
- 7.3.2-tpkio112
- 7.3.2-tpkio114
- 9.7-tpkio97
Appendix D: Requirements (CP) for services authentication certificates (OID 2.16.528.1.1003.1.2.9.4)
This Appendix is only a list of the requirements that have been explicitly defined in this CP. It is provided solely for the benefit of TSPs as an overview per certificate type.
Requirements in this CP for OID 2.16.528.1.1003.1.2.9.4
- 1.4.1-tpkio33
- 2.1-tpkio2
- 2.2-tpkio12
- 2.2-tpkio13
- 2.4-tpkio14
- 3.2.2-tpkio15
- 3.2.2-tpkio17
- 3.2.2-tpkio5
- 3.2.3-tpkio19
- 3.2.3-tpkio20
- 3.2.3-tpkio4
- 3.2.5-tpkio18
- 4.1-tpkio9
- 4.10.1-tpkio28
- 4.3.1-tpkio10
- 4.7.1-tpkio21
- 4.9.10-tpkio25
- 4.9.13-tpkio27
- 4.9.7-tpkio1
- 4.9.9-tpkio24
- 5.1-tpkio29
- 5.2-tpkio30
- 5.3-tpkio31
- 6.1.1-tpkio32
- 6.1.5-tpkio34
- 6.2-tpkio36
- 6.3.2-tpkio37
- 6.5-tpkio41
- 6.7-tpkio42
- 7.1-tpkio44
- 7.1-tpkio45
- 7.1-tpkio47
- 7.1-tpkio67
- 7.1-tpkio68
- 7.1-tpkio81
- 7.1.1-tpkio43
- 7.1.2-tpkio46
- 7.1.2-tpkio49
- 7.1.2-tpkio50
- 7.1.2-tpkio53
- 7.1.2-tpkio54
- 7.1.2-tpkio56
- 7.1.2-tpkio59
- 7.1.2-tpkio60
- 7.1.2-tpkio82
- 7.1.3-tpkio62
- 7.1.4-tpkio118
- 7.1.4-tpkio119
- 7.1.4-tpkio120
- 7.1.4-tpkio121
- 7.1.4-tpkio63
- 7.1.4-tpkio68
- 7.1.4-tpkio70
- 7.1.4-tpkio73
- 7.1.4-tpkio74
- 7.1.4-tpkio75
- 7.1.4-tpkio76
- 7.1.4-tpkio77
- 7.1.4-tpkio78
- 7.1.4-tpkio84
- 7.1.4-tpkio85
- 7.1.6-tpkio88
- 7.1.8-tpkio94
- 7.2-tpkio96
- 7.2-tpkio98
- 7.2-tpkio99
- 7.2.1-tpkio95
- 7.2.2-tpkio100
- 7.2.2-tpkio102
- 7.2.2-tpkio103
- 7.2.2-tpkio104
- 7.2.2-tpkio105
- 7.2.2-tpkio106
- 7.2.2-tpkio107
- 7.2.2-tpkio108
- 7.2.2-tpkio109
- 7.2.2-tpkio110
- 7.3.2-tpkio112
- 7.3.2-tpkio114
- 9.7-tpkio97
Appendix E: Requirements (CP) for services encryption certificates (OID 2.16.528.1.1003.1.2.9.5)
This Appendix is only a list of the requirements that have been explicitly defined in this CP. It is provided solely for the benefit of TSPs as an overview per certificate type.
Requirements in this CP for OID 2.16.528.1.1003.1.2.9.5
- 1.4.1-tpkio33
- 2.1-tpkio2
- 2.2-tpkio12
- 2.2-tpkio13
- 2.4-tpkio14
- 3.2.2-tpkio15
- 3.2.2-tpkio17
- 3.2.2-tpkio5
- 3.2.3-tpkio19
- 3.2.3-tpkio20
- 3.2.3-tpkio4
- 3.2.5-tpkio18
- 4.1-tpkio9
- 4.10.1-tpkio28
- 4.3.1-tpkio10
- 4.7.1-tpkio21
- 4.9.10-tpkio25
- 4.9.13-tpkio27
- 4.9.7-tpkio1
- 4.9.9-tpkio24
- 5.1-tpkio29
- 5.2-tpkio30
- 5.3-tpkio31
- 6.1.1-tpkio32
- 6.1.5-tpkio34
- 6.2-tpkio36
- 6.3.2-tpkio37
- 6.5-tpkio41
- 6.7-tpkio42
- 7.1-tpkio44
- 7.1-tpkio45
- 7.1-tpkio47
- 7.1-tpkio67
- 7.1-tpkio68
- 7.1-tpkio81
- 7.1.1-tpkio43
- 7.1.2-tpkio46
- 7.1.2-tpkio49
- 7.1.2-tpkio53
- 7.1.2-tpkio54
- 7.1.2-tpkio58
- 7.1.2-tpkio59
- 7.1.2-tpkio60
- 7.1.2-tpkio82
- 7.1.3-tpkio62
- 7.1.4-tpkio118
- 7.1.4-tpkio119
- 7.1.4-tpkio120
- 7.1.4-tpkio121
- 7.1.4-tpkio63
- 7.1.4-tpkio68
- 7.1.4-tpkio70
- 7.1.4-tpkio73
- 7.1.4-tpkio74
- 7.1.4-tpkio75
- 7.1.4-tpkio76
- 7.1.4-tpkio77
- 7.1.4-tpkio78
- 7.1.4-tpkio84
- 7.1.4-tpkio85
- 7.1.6-tpkio89
- 7.1.8-tpkio94
- 7.2-tpkio96
- 7.2-tpkio98
- 7.2-tpkio99
- 7.2.1-tpkio95
- 7.2.2-tpkio100
- 7.2.2-tpkio102
- 7.2.2-tpkio103
- 7.2.2-tpkio104
- 7.2.2-tpkio105
- 7.2.2-tpkio106
- 7.2.2-tpkio107
- 7.2.2-tpkio108
- 7.2.2-tpkio109
- 7.2.2-tpkio110
- 7.3.2-tpkio112
- 7.3.2-tpkio114
- 9.7-tpkio97
Appendix F: Requirements (CP) for services signature certificates (OID 2.16.528.1.1003.1.2.9.10)
This Appendix is only a list of the requirements that have been explicitly defined in this CP. It is provided solely for the benefit of TSPs as an overview per certificate type.
Requirements in this CP for OID 2.16.528.1.1003.1.2.9.10
- 1.4.1-tpkio33
- 2.1-tpkio2
- 2.2-tpkio12
- 2.2-tpkio13
- 2.4-tpkio14
- 3.2.2-tpkio15
- 3.2.2-tpkio17
- 3.2.2-tpkio5
- 3.2.3-tpkio19
- 3.2.3-tpkio20
- 3.2.3-tpkio4
- 3.2.5-tpkio18
- 4.1-tpkio9
- 4.10.1-tpkio28
- 4.3.1-tpkio10
- 4.9.10-tpkio25
- 4.9.13-tpkio27
- 4.9.7-tpkio1
- 4.9.9-tpkio24
- 5.1-tpkio29
- 5.2-tpkio30
- 5.3-tpkio31
- 6.1.1-tpkio32
- 6.1.5-tpkio34
- 6.2-tpkio36
- 6.3.2-tpkio37
- 6.5-tpkio41
- 6.7-tpkio42
- 7.1-tpkio44
- 7.1-tpkio45
- 7.1-tpkio47
- 7.1-tpkio67
- 7.1-tpkio68
- 7.1-tpkio81
- 7.1.1-tpkio43
- 7.1.2-tpkio49
- 7.1.2-tpkio52
- 7.1.2-tpkio53
- 7.1.2-tpkio54
- 7.1.2-tpkio57
- 7.1.2-tpkio59
- 7.1.2-tpkio60
- 7.1.2-tpkio66
- 7.1.2-tpkio82
- 7.1.3-tpkio62
- 7.1.4-tpkio120
- 7.1.4-tpkio63
- 7.1.4-tpkio68
- 7.1.4-tpkio70
- 7.1.4-tpkio73
- 7.1.4-tpkio74
- 7.1.4-tpkio75
- 7.1.4-tpkio76
- 7.1.4-tpkio77
- 7.1.4-tpkio78
- 7.1.4-tpkio84
- 7.1.4-tpkio85
- 7.1.6-tpkio93
- 7.1.8-tpkio94
- 7.2-tpkio96
- 7.2-tpkio98
- 7.2-tpkio99
- 7.2.1-tpkio95
- 7.2.2-tpkio100
- 7.2.2-tpkio102
- 7.2.2-tpkio103
- 7.2.2-tpkio104
- 7.2.2-tpkio105
- 7.2.2-tpkio106
- 7.2.2-tpkio107
- 7.2.2-tpkio108
- 7.2.2-tpkio109
- 7.2.2-tpkio110
- 7.3.2-tpkio112
- 7.3.2-tpkio114
- 9.7-tpkio97
Appendix G: Requirements (CP) for server certificates (OID 2.16.528.1.1003.1.2.9.6)
This Appendix is only a list of the requirements that have been explicitly defined in this CP. It is provided solely for the benefit of TSPs as an overview per certificate type.
Requirements in this CP for OID 2.16.528.1.1003.1.2.9.6
- 1.4.1-tpkio3
- 2.1-tpkio2
- 2.2-tpkio12
- 2.2-tpkio13
- 2.4-tpkio14
- 3.2.1-tpkio6
- 3.2.2-tpkio15
- 3.2.2-tpkio16
- 3.2.2-tpkio17
- 3.2.2-tpkio5
- 3.2.3-tpkio19
- 3.2.3-tpkio20
- 3.2.3-tpkio4
- 3.2.3-tpkio7
- 3.2.5-tpkio8
- 4.1-tpkio9
- 4.10.1-tpkio28
- 4.3.1-tpkio10
- 4.7.1-tpkio22
- 4.9.10-tpkio25
- 4.9.13-tpkio27
- 4.9.7-tpkio1
- 4.9.9-tpkio26
- 4.9.9-tpkio3
- 5.1-tpkio29
- 5.2-tpkio30
- 5.3-tpkio31
- 6.1.1-tpkio32
- 6.1.1-tpkio35
- 6.1.5-tpkio34
- 6.2-tpkio36
- 6.3.2-tpkio37
- 6.5-tpkio41
- 6.7-tpkio42
- 7.1-tpkio44
- 7.1-tpkio45
- 7.1-tpkio47
- 7.1-tpkio67
- 7.1-tpkio68
- 7.1-tpkio81
- 7.1.1-tpkio43
- 7.1.2-tpkio46
- 7.1.2-tpkio48
- 7.1.2-tpkio49
- 7.1.2-tpkio53
- 7.1.2-tpkio54
- 7.1.2-tpkio55
- 7.1.2-tpkio59
- 7.1.2-tpkio61
- 7.1.2-tpkio82
- 7.1.3-tpkio62
- 7.1.4-tpkio63
- 7.1.4-tpkio68
- 7.1.4-tpkio71
- 7.1.4-tpkio72
- 7.1.4-tpkio73
- 7.1.4-tpkio74
- 7.1.4-tpkio75
- 7.1.4-tpkio76
- 7.1.4-tpkio77
- 7.1.4-tpkio78
- 7.1.4-tpkio80
- 7.1.4-tpkio83
- 7.1.4-tpkio85
- 7.1.6-tpkio90
- 7.1.8-tpkio94
- 7.2-tpkio96
- 7.2-tpkio98
- 7.2-tpkio99
- 7.2.1-tpkio95
- 7.2.2-tpkio100
- 7.2.2-tpkio102
- 7.2.2-tpkio103
- 7.2.2-tpkio104
- 7.2.2-tpkio105
- 7.2.2-tpkio106
- 7.2.2-tpkio107
- 7.2.2-tpkio108
- 7.2.2-tpkio109
- 7.2.2-tpkio110
- 7.3.2-tpkio112
- 7.3.2-tpkio113
- 9.7-tpkio97