At the request of the Netherlands Ministry of Defence (hereafter referred to as: NL MoD), the annual recertification audit was performed by BSI Group The Netherlands B.V. (John M. Keynesplein 9, 1066 EP Amsterdam, The Netherlands).
The full audit covered all applicable requirements from the audit criteria listed below (see “Audit Information”), as defined in NL MoD’s Statement of Applicability, dated 4 November 2024 and the Overview of Applicability, version 3.10 (not separately dated).
The scope of the assessment comprised the following Trust Service Provider component services:
- Registration Service
The TSP component services are performed completely (c) or partly (p) by subcontractors under the responsibility of NL MoD:
- Certificate Generation Service (c)
- Dissemination Service (p)
- Revocation Management Service (p)
- Certificate Status Service (p)
- Subject Device Provision Service (c)
These TSP component services are being provided for:
- Issuance of qualified certificates for electronic signatures (qualified trust service), in accordance with the policy: QCP-n-qscd
The certificates are issued through its issuing certification authorities, as specified below:
Root CA: Staat der Nederlanden Root CA - G3 (not in scope)
Domain CA: Staat der Nederlanden Organisatie Persoon CA - G3 (not in scope)
Issuing CA: CN = Ministerie van Defensie PKIoverheid Organisatie Persoon CA - G3
- O = Ministerie van Defensie
- Serialnumber: 2a41257774a0ac234977fe3a77b9e67e79f57d4d
- Valid from June 27, 2019 to November 12, 2028
- SHA-256 fingerprint: 5F6CAA44A4663C441DD92C8B6655FBF97CF6E1D6934DB8F5F8D97ADF7033FAAC
+ PKIOverheid Organisation Person Non-Repudiation (2.16.528.1.1003.1.2.5.2), in accordance with policy: QCP-n-qscd
The Trust Service processes and services are documented in the following documents:
- Certification Practice Statement for the NL-MoD card (NL-MoD card) Generation 3 (G3) Certification Authority, v3.1.9, 04-10-2024
- Ministry of Defence The Netherlands PKI Disclosure Statement G3, v1.4, 03-10-2024
Statement on the issuance of S/MIME certificates:
The issuing CA in scope of certification is technically capable of issuing S/MIME certificates. At the request of NL MoD, we performed audit procedures to confirm that ETSI TS 119 411-6 V1.1.1 (2023-08) is not mandatory, as the effective S/MIME Baseline Requirements implementation date for extant CAs is specified to be 15 September 2024. As of 4 September 2024, ETSI TS 119 411-6 V1.1.1 (2023-08) is not applicable because, for the CA in scope of certification:
- We observed on 4 September 2024 that the Extended Key Usage (EKU) for id-kp-emailProtection (OID: 1.3.6.1.5.5.7.3.4) is removed from the issued certificates (only the rfc822Name email address attribute is still included),
- Controls are in place to prevent the issuance of S/MIME certificates as of 4 September 2024.
Our annual recertification audit was performed in October and November 2024. The result of the full audit is that we conclude, based on the objective evidence collected during the audit, between 16 November 2023 and 15 November 2024, the areas assessed during the audit were generally found to be effective, based on the applicable requirements defined in NL MoD’s Statement of Applicability, dated 4 November 2024 and the Overview of Applicability, version 3.10 (not separately dated).
Audit information:
Audit criteria:
- ETSI EN 319 401 v2.3.1 (2021-05) General Policy Requirements for Trust Service Providers;
- ETSI EN 319 411-1 v1.4.1 (2023-10) Electronic Signatures and Infrastructures (ESI) - Policy and security requirements for Trust Service Providers issuing certificates - Part 1: General requirements, for the policy: NCP+;
- ETSI EN 319 411-2 v2.5.1 (2023-10) Electronic Signatures and Infrastructures (ESI) - Policy and security requirements for Trust Service Providers issuing certificates - Part 2: Requirements for trust service providers issuing EU qualified certificates, for the policy: QCP-n-qscd;
- CA/Browser Forum – Network and Certificate System Security Requirements v1.7
- Regulation (EU) No 910/2014 of the European Parliament and of the Council on electronic identification and trust services for electronic transactions in the internal market and repealing Directive 1999/93/EC, Chapter III – Trust Services
- PKIoverheid - Program of Requirements v5.0, G3 Legacy Organization Person certificates (previously 3a).
Audit Period of Time:
16 November 2023 – 15 November 2024
Audit performed:
October and November 2024
Information and Contact:
BSI Group the Netherlands B.V., John M. Keynesplein 9, 1066 EP Amsterdam, NL