| Scope |
On the request of QuoVadis Trustlink B.V. in the Netherlands and DigiCert Europe Belgium BV in Belgium (hereafter referred to as: QuoVadis), the annual certification audit on all areas and processes was performed by BSI Group The Netherlands B.V. (John M. Keynesplein 9, 1066 EP Amsterdam, The Netherlands).
The full audit covered all applicable requirements from the audit criteria listed below (see “Audit Information”) and are defined in QuoVadis' Statement of Applicability, dated 9 June 2023 and the Overview of Applicability, version 1.22.
The scope of the assessment comprised the following Trust Service Provider component services:
-,,Registration Service;
-,,Certificate Generation Service;
-,,Dissemination Service;
-,,Revocation Management Service;
-,,Revocation Status Service;
-,,Subject Device Provision Service;
This includes operating a remote QSCD / SCDev, where electronic signature creation data is generated and managed on behalf of the signatory.
The TSP component services are performed, partly or completely by subcontractors under the final responsibility of QuoVadis.
These TSP component services are being provided for the following qualified trust service(s) as defined in Regulation (EU) 910/2014 (eIDAS):
-,,Issuance of qualified certificates for electronic signatures (qualified trust service), in accordance with the policies: QCP-n, QCP-n-qscd
-,,Issuance of qualified certificates for electronic seals (qualified trust service), in accordance with the policy: QCP-l, QCP-l-qscd
-,,Issuance of qualified certificates for website authentication (qualified trust service), in accordance with policies QEVCP-w, QCP-w-psd2;
The certificates are issued through the issuing certification authorities, as specified below:
Root CA: Staat der Nederlanden Private Root CA - G1 (not in scope)
Domain CA: Staat der Nederlanden Private Personen CA - G1 (not in scope)
-,,Issuing CA: QuoVadis PKIoverheid Private Personen CA - G1
Sha256 Fingerprint:
A5F7150BC358D1498BFDD8EB39732362DCB6A903F57451B930363BDFAF835BA4
+,,PKIOverheid Private Personal Non-Repudiation (OID 2.16.528.1.1003.1.2.8.2), in accordance with policy QCP-n-qscd
Root CA: Staat der Nederlanden Root CA - G3 (not in scope)
Domain CA: Staat der Nederlanden Organisatie Persoon CA - G3 (not in scope)
-,,Issuing CA: QuoVadis PKIoverheid Organisatie Persoon CA - G3
Sha256 Fingerprint:
15073C6BBDC74699A88518C27A57C956E5E23D6CA9619E521A468C7873DE4F8A
+,,PKIOverheid Personal Organisation Non-Repudiation G3 (OID 2.16.528.1.1003.1.2.5.2), in accordance with policy QCP-n-qscd
-,,Issuing CA: QuoVadis PKIoverheid Organisatie Persoon CA – 2022
Sha256 Fingerprint:
56521521E7EA27EAAE33F0095D5B871CDA3AF4A80A62E08594CBAD6EF2806307
+,,PKIOverheid Personal Organisation Non-Repudiation (OID 2.16.528.1.1003.1.2.5.2), in accordance with policy QCP-n-qscd
Domain CA: Staat der Nederlanden Burger CA - G3 (not in scope)
-,,Issuing CA: QuoVadis PKIoverheid Burger CA - 2021
Sha256 Fingerprint:
3AC3DB2C474FC34FE8011C5A01F622824C6F8B11076F56192AC701DAE3D70534
+,,PKIOverheid Personal Citizen Non-Repudiation (OID 2.16.528.1.1003.1.2.3.2), in accordance with policy QCP-n-qscd
Domain CA: Staat der Nederlanden Organisatie Services CA - G3 (not in scope)
-,,Issuing CA: QuoVadis PKIoverheid Organisatie Services CA - G3
Sha256 Fingerprint:
BECFDE124CEDD344D925CB55EDDA662D9A9C0688FA9A0870CE3DBB6DA4313E4E
+,,PKIOverheid Organisation Service Seal (OID 2.16.528.1.1003.1.2.5.7), in accordance with policy QCP-l-qscd
-,,Issuing CA: QuoVadis PKIoverheid Organisatie Services CA - 2022
Sha256 Fingerprint:
B0D9AFDA74163609E4EAB017EEE4CE0B235AEEF7D68C06F86E74C6387999B2B7
+,,PKIOverheid Organisation Service Seal (OID 2.16.528.1.1003.1.2.5.7), in accordance with policy QCP-l-qscd
Root CA: QuoVadis Root CA 1 G3
Intermediate CA: QuoVadis Enterprise Trust CA 1 G3
-,,Issuing CA: QuoVadis EU Issuing Certification Authority G4
Sha256 Fingerprint:
1D24222B5EEC71FE99BE9D700FA5FF72312DB3EB0FCB4A4F3BCC135DA36C1355
+,,eIDAS Qualified Natural Person (OID 0.4.0.194112.1.0), in accordance with policy QCP-n
+,,eIDAS Qualified Natural Person - QCSD (OID 0.4.0.194112.1.2), in accordance with policy QCP-n-qscd
+,,eIDAS Qualified Legal Person (OID 0.4.0.194112.1.1), in accordance with policy QCP-l
+,,eIDAS Qualified Legal Person - QCSD (OID 0.4.0.194112.1.3), in accordance with policy QCP-l-qscd
+,,eIDAS Qualified: PSD2 Legal Person - QCSD (OID 0.4.0.194112.1.3), in accordance with policy QCP-l-qscd
+,,eIDAS Qualified: PSD2 Legal Person - QCSD (OID 0.4.0.194112.1.1), in accordance with policy QCP-l
-,,Issuing CA: QuoVadis EU Issuing Certification Authority G6
Sha256 Fingerprint:
19B74B7E41CA73465832838A14EB432C4826F1B15DEF42B90AAE9F8FAB8B79B3
+,,eIDAS Qualified Natural Person (OID 0.4.0.194112.1.0), in accordance with policy QCP-n
+,,eIDAS Qualified Natural Person - QCSD (OID 0.4.0.194112.1.2), in accordance with policy QCP-n-qscd
+,,eIDAS Qualified Legal Person (OID 0.4.0.194112.1.1), in accordance with policy QCP-l
+,,eIDAS Qualified Legal Person - QCSD (OID 0.4.0.194112.1.3), in accordance with policy QCP-l-qscd
+,,eIDAS Qualified: PSD2 Legal Person - QCSD (OID 0.4.0.194112.1.3), in accordance with policy QCP-l-qscd
+,,eIDAS Qualified: PSD2 Legal Person - QCSD (OID 0.4.0.194112.1.1), in accordance with policy QCP-l
-,,Issuing CA: QuoVadis Belgium Issuing CA G2
Sha256 Fingerprint:
AA0E83B4AE0036679703D1603BC7E63A080464A033AE4B9F465838ADC85C61ED
+,,eIDAS Qualified Natural Person (OID 0.4.0.194112.1.0), in accordance with policy QCP-n
+,,eIDAS Qualified Natural Person - QCSD (OID 0.4.0.194112.1.2), in accordance with policy QCP-n-qscd
+,,eIDAS Qualified Legal Person (OID 0.4.0.194112.1.1), in accordance with policy QCP-l
+,,eIDAS Qualified Legal Person - QCSD (OID 0.4.0.194112.1.3), in accordance with policy QCP-l-qscd
-,,Issuing CA: QuoVadis Belgium Issuing CA G4
Sha256 Fingerprint:
3516BDAB7F57115A7AEB2EBF9C521EF00F04AD891501979BE1EFBF4493409669
+,,eIDAS Qualified Natural Person (OID 0.4.0.194112.1.0), in accordance with policy QCP-n
+,,eIDAS Qualified Natural Person - QCSD (OID 0.4.0.194112.1.2), in accordance with policy QCP-n-qscd
+,,eIDAS Qualified Legal Person (OID 0.4.0.194112.1.1), in accordance with policy QCP-l
+,,eIDAS Qualified Legal Person - QCSD (OID 0.4.0.194112.1.3), in accordance with policy QCP-l-qscd
Root CA: QuoVadis Root CA 2 G3
-,,Issuing CA: QuoVadis Qualified Web ICA G2
Sha256 Fingerprint:
7FEB9374EAB08D392717C647436DAE06176A24C010607FDA1CCE5E5F0106B472
+,,Qualified certificate for website authentication (OID 0.4.0.194112.1.4), in accordance with policy QEVCP-w
+,,PSD2 Qualified certificate for website authentication (OID 0.4.0.194112.1.4), in accordance with policy QCP-w (QEVCP-w) and QCP-w-psd2 (OID 0.4.0.19495.3.1)
The TSP component services are documented in the following Certification Practice Statements:
-,,QuoVadis CP/CPS for Root CA and Root CA3 (V4.41), 15 March 2023
-,,QuoVadis CP/CPS for Root CA2 (V2.20), 15 March 2023
-,,QuoVadis CP/CPS PKIoverheid (V1.14), 23 September 2022
-,,QuoVadis PKI Disclosure Statement (V1.17), 15 March 2023
-,,QuoVadis PKIoverheid Disclosure Statement (V1.12), 5 July 2022
For the component service: Registration Service (Remote Identity Proofing), we confirm, based on the objective evidence collected during the audit, that as of 17 December 2021, the following identification method(s) provide equivalent assurance in terms of reliability to physical presence, pursuant to Regulation (EU) 910/2014 (eIDAS) art. 24.1 sub d, for the trust services (and Identity Proofing Context) covered by this Certificate of Conformity:
-,,For Issuing CAs Belgium (C=BE): the identification method: “DigiCert Remote ID Validation level RIV2, supporting the ETSI TS 119461 Use Case for Unattended remote identity proofing (9.2.3): "Hybrid manual and automated operation" (9.2.3.3)"; and
-,,For Issuing CAs Belgium (C=BE) and The Netherlands (C=NL): “DigiCert Remote ID Validation levels RIV4, supporting the ETSI TS 119461 Use Case for Unattended remote identity proofing (9.2.3): "Hybrid manual and automated operation" (9.2.3.3)"
Our annual certification audit was performed in March, April and May, June 2023. The result of the full audit is that we conclude, based on the objective evidence collected during the certification audit from 1 June 2022 through 31 May 2023, the areas assessed during the audit were generally found to be effective, based on the applicable requirements defined in QuoVadis' Statement of Applicability, dated 9 June 2023 and the Overview of Applicability, version 1.22.
Audit information:
Audit criteria:
-,,ETSI EN 319 401 v2.3.1 (2021-05) General Policy Requirements for Trust Service Providers
-,,ETSI EN 319 411-1 v1.3.1 (2021-05) Electronic Signatures and Infrastructures (ESI) - Policy and security requirements for Trust Service Providers issuing certificates - Part 1: General requirements, for the policies: NCP, NCP+, OVCP, PTC, EVCP;
-,,ETSI EN 319 411-2 v2.4.1 (2021-11) Electronic Signatures and Infrastructures (ESI) - Policy and security requirements for Trust Service Providers issuing certificates; - Part 2: Requirements for trust service providers issuing EU qualified certificates, for the policies: QCP-n-qscd, QCP-l-qscd, QCP-n, QCP-l, QEVCP-w;
-,,ETSI TR 119 461 v1.1.1 (2021-07): Electronic Signatures and Infrastructures (ESI); Policy and security requirements for trust service components providing identity proofing of trust service subjects, for the LoIP use cases:
-,,For Issuing CAs Belgium (C=BE): the identification method: “DigiCert Remote ID Validation level RIV2, supporting the ETSI TS 119461 Use Case for Unattended remote identity proofing (9.2.3): "Hybrid manual and automated operation" (9.2.3.3)"; and
-,,For Issuing CAs Belgium (C=BE) and The Netherlands (C=NL): “DigiCert Remote ID Validation levels RIV4, supporting the ETSI TS 119461 Use Case for Unattended remote identity proofing (9.2.3): "Hybrid manual and automated operation" (9.2.3.3)"
-,,ETSI TS 119 495 V1.6.1 (2022-11): Electronic Signatures and Infrastructures (ESI); Sector Specific Requirements; Qualified Certificate Profiles and TSP Policy Requirements under the payment services Directive (EU) 2015/2366, for the policies QCP-l, QCP-l-qscd, QEVCP-w / QEVCP-w-psd2;
-,,CA/Browser Forum – Baseline Requirements Certificate Policy for the Issuance and Management of Publicly-Trusted Certificates 2.0.0 (11 April 2023);
-,,CA/Browser Forum – Guidelines for the Issuance and Management of Extended Validation Certificates v1.8.0 (30 November 2022);
-,,CA/Browser Forum - Network and Certificate System Security Requirements v1.7 (5 April 2021);
-,,Regulation (EU) N 910/2014 of the European Parliament and of the Council on electronic identification and trust services for electronic transactions in the internal market and repealing Directive 1999/93/EC, Chapter III – Trust Services.
-,,PKIoverheid - Programma van Eisen v4.11, part 3 Basiseisen, part 3 Aanvullende eisen and the requirements from parts 3a, 3b, 3c, 3g, 3h, 3i, 3j
Audit Period of Time:
1 June 2022 - 31 May 2023
Audit performed:
March, April and May, June 2023
Information and Contact:
BSI Group The Netherlands B.V., John M. Keynesplein 9, 1066 EP Amsterdam, NL
|
Selangor,Malaysia
Wanchai,Hong Kong
Hengyang,China
