Scope |
On the request of KPN B.V. (hereafter referred to as: KPN), the annual certification audit on all areas and processes was performed by BSI Group The Netherlands B.V. (John M. Keynesplein 9, 1066 EP Amsterdam, The Netherlands).
The full audit covered all applicable requirements from the audit criteria listed below (see “Audit Information”) and are defined in KPN’s Statement of Applicability, dated 28 May 2024 and the Overview of Applicability, dated 1-5-2024.
The scope of the assessment comprised the following Trust Service Provider component services:
-,,Registration Service (p)
-,,Certificate Generation Service
-,,Dissemination Service
-,,Revocation Management Service (p)
-,,Revocation Status Service
-,,Subject Device Provision Service (p)
This includes operating a remote QSCD / SCDev, where electronic signature creation data is generated and managed on behalf of the signatory.
The TSP component services are performed, partly (p) by subcontractors under the final responsibility of KPN.
These TSP component services are being provided for:
-,,Issuance of public key certificates (non-qualified trust service), in accordance with the policies: NCP and NCP+.
The certificates are issued through its issuing certification authorities, as specified below:
Root CA: Staat der Nederlanden Root CA - G3 (not in scope)
Domain CA: Staat der Nederlanden Organisatie Persoon CA - G3 (not in scope)
Issuing CA: CN = KPN BV PKIOverheid Organisatie Persoon CA - G3
-,,O = KPN B.V.
-,,Serialnumber: 0f08387dd5df4b99
-,,Valid from December 8, 2016 to November 12, 2028
-,,SHA-256 fingerprint: A9B5698C5263BEFF3D60720DC1844CB95D16F06E04268BCE3BE4D60282B01EF9
+,,Persoon – Authenticiteit (2.16.528.1.1003.1.2.5.1), in accordance with policy: NCP+
+,,Persoon – Vertrouwelijkheid (2.16.528.1.1003.1.2.5.3), in accordance with policy: NCP+
Domain CA: Staat der Nederlanden Organisatie Services CA - G3 (not in scope)
Issuing CA: CN = KPN BV PKIOverheid Organisatie Services CA - G3
-,,O = KPN B.V.
-,,Serialnumber: 43f05cbc60cb61f1
-,,Valid from December 8, 2016 to November 12, 2028
-,,SHA-256 fingerprint: F22DB657A1A929841ABCAC52671A5CEE8A7D069586AF85CE16DE2B05DDA22252
+,,Services – Authenticiteit (2.16.528.1.1003.1.2.5.4), in accordance with policy: NCP+
+,,Services – Vertrouwelijkheid (2.16.528.1.1003.1.2.5.5), in accordance with policy: NCP+
Root CA: Staat der Nederlanden Private Root CA - G1 (not in scope)
Domain CA: Staat der Nederlanden Private Services CA - G1 (not in scope)
Issuing CA: CN = KPN PKIoverheid Private Services CA - G1
-,,O = KPN B.V.
-,,Serialnumber: 13415c14466ed538
-,,Valid from November 25, 2015 to November 11, 2028
-,,SHA-256 fingerprint: BDB68500AAAE2563C57B4525784360436D3E3FD8DF974B25A77F132CECC2A49D
+,,Server (2.16.528.1.1003.1.2.8.6), in accordance with policy: NCP
The TSP component services are documented in the following KPN Certification Practice Statement(s):
-,,KPN B.V. - Certification Practice Statement PKIoverheid, v5.11, 20 December 2023
(OID: 2.16.528.1.1005.1.1.1.2)
-,,KPN PKIoverheid PKI Disclosure Statement, v5.11, 20 December 2023
Our annual certification audit was performed in May 2024. The result of the annual certification audit is that we conclude, based on the objective evidence collected during the certification audit for the period from 1 June 2023 through 31 May 2024, the areas assessed for:
-,,Issuance of public key certificates (non-qualified trust service), in accordance with the policies: NCP and NCP+
were generally found to be effective, based on the applicable requirements defined in KPN’s Statement of Applicability, dated 28 May 2024 and the Overview of Applicability, dated 1-5-2024.
Audit information:
Audit criteria:
-,,ETSI EN 319 401 v2.3.1 (2021-05) General Policy Requirements for Trust Service Providers;
-,,ETSI EN 319 411-1 v1.4.1 (2023-10) Electronic Signatures and Infrastructures (ESI) - Policy and security requirements for Trust Service Providers issuing certificates - Part 1: General requirements, for the policies: NCP and NCP+;
-,,CA/Browser Forum - Network and Certificate System Security Requirements v1.7 (April 5, 2021);
-,,PKIoverheid - Programme of Requirements v4.12, for the policies:
o,,G3 Legacy Organization Person certificates (previously 3a)
o,,G3 Legacy Organization Services certificates (previously 3b)
o,,Private Organization Services certificates (previously 3g)
o,,Private Server certificates (previously 3h)
Audit Period of Time:
1 June 2023 – 31 May 2024
Audit performed:
May 2024
Information and Contact:
BSI Group the Netherlands B.V., John M. Keynesplein 9, 1066 EP Amsterdam, NL
|