| Scope |
On the request of QuoVadis Trustlink B.V. in the Netherlands and DigiCert Europe Belgium BV in Belgium (hereafter referred to as: QuoVadis), the annual certification audit on all areas and processes was performed by BSI Group The Netherlands B.V. (John M. Keynesplein 9, 1066 EP Amsterdam, The Netherlands).
The full audit covered all applicable requirements from the audit criteria listed below (see “Audit Information”) and are defined in QuoVadis' Statement of Applicability, dated 9 June 2023 and the Overview of Applicability, version 1.22.
The scope of the assessment comprised the following Trust Service Provider component services:
-,,Registration Service;
-,,Certificate Generation Service;
-,,Dissemination Service;
-,,Revocation Management Service;
-,,Revocation Status Service;
-,,Subject Device Provision Service;
This includes operating a remote QSCD / SCDev, where electronic signature creation data is generated and managed on behalf of the signatory.
The TSP component services are performed, partly or completely by subcontractors under the final responsibility of QuoVadis.
These TSP component services are being provided for:
-,,Issuance of public key certificates (non-qualified trust service), in accordance with the policies: NCP, NCP+, OVCP and PTC
The certificates are issued through the issuing Certification Authorities, as specified below:
Root CA: Staat der Nederlanden Private Root CA - G1 (not in scope)
Domain CA: Staat der Nederlanden Private Personen CA - G1 (not in scope)
-,,Issuing CA: QuoVadis PKIoverheid Private Personen CA - G1
Sha256 Fingerprint:
A5F7150BC358D1498BFDD8EB39732362DCB6A903F57451B930363BDFAF835BA4
+,,PKIOverheid Private Personal Authenticity (OID 2.16.528.1.1003.1.2.8.1), in accordance with policy NCP+
+,,PKIOverheid Private Personal Encryption (OID 2.16.528.1.1003.1.2.8.3), in accordance with policy NCP+
Domain CA: Staat der Nederlanden Private Services CA - G1 (not in scope)
-,,Issuing CA: QuoVadis PKIoverheid Private Services CA - G1
Sha256 Fingerprint:
69DF8D18C54503F83DC239C3DCF8115B2A447EFC5DEFCA6119D18E988C12276D
+,,PKIOverheid Private Services – Authenticity (OID 2.16.528.1.1003.1.2.8.4), in accordance with policy OVCP and PTC
+,,PKIOverheid Private Services – Encryption (OID 2.16.528.1.1003.1.2.8.5), in accordance with policy OVCP and PTC
+,,PKIOverheid Private Services – Server (OID 2.16.528.1.1003.1.2.8.6), in accordance with policy OVCP and PTC
Root CA: Staat der Nederlanden Root CA - G3 (not in scope)
Domain CA: Staat der Nederlanden Organisatie Persoon CA - G3 (not in scope)
-,,Issuing CA: QuoVadis PKIoverheid Organisatie Persoon CA - G3
Sha256 Fingerprint:
15073C6BBDC74699A88518C27A57C956E5E23D6CA9619E521A468C7873DE4F8A
+,,PKIOverheid Personal Organisation Authenticity (OID 2.16.528.1.1003.1.2.5.1), in accordance with policy NCP+
+,,PKIOverheid Personal Organisation Encryption (OID 2.16.528.1.1003.1.2.5.3), in accordance with policy NCP+
-,,Issuing CA: QuoVadis PKIoverheid Organisatie Persoon CA – 2022
Sha256 Fingerprint:
56521521E7EA27EAAE33F0095D5B871CDA3AF4A80A62E08594CBAD6EF2806307
+,,PKIOverheid Personal Organisation Authenticity (OID 2.16.528.1.1003.1.2.5.1), in accordance with policy NCP+
+,,PKIOverheid Personal Organisation Encryption (OID 2.16.528.1.1003.1.2.5.3), in accordance with policy NCP+
Domain CA: Staat der Nederlanden Burger CA - G3 (not in scope)
-,,Issuing CA: QuoVadis PKIoverheid Burger CA - 2021
Sha256 Fingerprint:
3AC3DB2C474FC34FE8011C5A01F622824C6F8B11076F56192AC701DAE3D70534
+,,PKIOverheid Personal Citizen Authenticity (OID 2.16.528.1.1003.1.2.3.1), in accordance with policy NCP+
+,,PKIOverheid Personal Citizen Encryption (OID 2.16.528.1.1003.1.2.3.3), in accordance with policy NCP+
Domain CA: Staat der Nederlanden Organisatie Services CA - G3 (not in scope)
-,,Issuing CA: QuoVadis PKIoverheid Organisatie Services CA - G3
Sha256 Fingerprint:
BECFDE124CEDD344D925CB55EDDA662D9A9C0688FA9A0870CE3DBB6DA4313E4E
+,,PKIOverheid Organisation Service Authenticity (OID 2.16.528.1.1003.1.2.5.4), in accordance with NCP+
+,,PKIOverheid Organisation Service Encryption (OID 2.16.528.1.1003.1.2.5.5), in accordance with policy NCP+
-,,Issuing CA: QuoVadis PKIoverheid Organisatie Services CA - 2022
Sha256 Fingerprint:
B0D9AFDA74163609E4EAB017EEE4CE0B235AEEF7D68C06F86E74C6387999B2B7
+,,PKIOverheid Organisation Service Authenticity (OID 2.16.528.1.1003.1.2.5.4), in accordance with NCP+
+,,PKIOverheid Organisation Service Encryption (OID 2.16.528.1.1003.1.2.5.5), in accordance with policy NCP+
Root CA: Staat der Nederlanden EV Root CA (not in scope)
Domain CA: Staat der Nederlanden Domein Server CA 2020 (not in scope)
-,,Issuing CA: QuoVadis PKIoverheid Server CA 2020
Sha256 Fingerprint:
EB2C2A806C69FC963C4E24A5BBEA20ED4E3B86AE798730BB4EEA51BF9DE33325
+,,PKIOverheid Organisation Service Server (OID 2.16.528.1.1003.1.2.5.9), in accordance with policies OVCP and PTC
Root CA: QuoVadis Root CA 1 G3
Intermediate CA: QuoVadis Enterprise Trust CA 1 G3
-,,Issuing CA: QuoVadis EU Issuing Certification Authority G4
Sha256 Fingerprint:
1D24222B5EEC71FE99BE9D700FA5FF72312DB3EB0FCB4A4F3BCC135DA36C1355
+,,QV Advanced (OID 0.4.0.2042.1.1), in accordance with policy NCP
+,,QV Advanced + (OID 0.4.0.2042.1.2), in accordance with policy NCP+
-,,Issuing CA: QuoVadis EU Issuing Certification Authority G6
Sha256 Fingerprint:
19B74B7E41CA73465832838A14EB432C4826F1B15DEF42B90AAE9F8FAB8B79B3
+,,QV Advanced (OID 0.4.0.2042.1.1), in accordance with policy NCP
+,,QV Advanced + (OID 0.4.0.2042.1.2), in accordance with policy NCP+
-,,Issuing CA: QuoVadis Belgium Issuing CA G2
Sha256 Fingerprint:
AA0E83B4AE0036679703D1603BC7E63A080464A033AE4B9F465838ADC85C61ED
+,,QV Advanced (OID 0.4.0.2042.1.1), in accordance with policy NCP
+,,QV Advanced + (OID 0.4.0.2042.1.2), in accordance with policy NCP+
-,,Issuing CA: QuoVadis Belgium Issuing CA G4
Sha256 Fingerprint:
3516BDAB7F57115A7AEB2EBF9C521EF00F04AD891501979BE1EFBF4493409669
+,,QV Advanced (OID 0.4.0.2042.1.1), in accordance with policy NCP
+,,QV Advanced + (OID 0.4.0.2042.1.2), in accordance with policy NCP+
The TSP component services are documented in the following Certification Practice Statements:
-,,QuoVadis CP/CPS for Root CA and Root CA3 (V4.41), 15 March 2023
-,,QuoVadis CP/CPS for Root CA2 (V2.20), 15 March 2023
-,,QuoVadis CP/CPS PKIoverheid (V1.14), 23 September 2022
-,,QuoVadis PKI Disclosure Statement (V1.17), 15 March 2023
-,,QuoVadis PKIoverheid Disclosure Statement (V1.12), 5 July 2022
For the component service: Registration Service (Remote Identity Proofing), we confirm, based on the objective evidence collected during the audit, that as of 17 December 2021, the following identification method(s) provide equivalent assurance in terms of reliability to physical presence, pursuant to Regulation (EU) 910/2014 (eIDAS) art. 24.1 sub d, for the trust services (and Identity Proofing Context) covered by this Certificate of Conformity:
-,,“DigiCert Remote ID Validation level RIV2, supporting the ETSI TS 119461 Use Case for Unattended remote identity proofing (9.2.3): "Hybrid manual and automated operation" (9.2.3.3)"; and
-,,“DigiCert Remote ID Validation levels RIV4, supporting the ETSI TS 119461 Use Case for Unattended remote identity proofing (9.2.3): "Hybrid manual and automated operation" (9.2.3.3)"
Our annual certification audit was performed in March, April and May, June 2023. The result of the full audit is that we conclude, based on the objective evidence collected during the certification audit from 1 June 2022 through 31 May 2023, the areas assessed during the audit were generally found to be effective, based on the applicable requirements defined in QuoVadis' Statement of Applicability, dated 9 June 2023 and the Overview of Applicability, version 1.22.
Audit information:
Audit criteria:
-,,ETSI EN 319 401 v2.3.1 (2021-05) General Policy Requirements for Trust Service Providers
-,,ETSI EN 319 411-1 v1.3.1 (2021-05) Electronic Signatures and Infrastructures (ESI) - Policy and security requirements for Trust Service Providers issuing certificates - Part 1: General requirements, for the policies: NCP, NCP+, OVCP, PTC, EVCP;
-,,ETSI TR 119 461 v1.1.1 (2021-07): Electronic Signatures and Infrastructures (ESI); Policy and security requirements for trust service components providing identity proofing of trust service subjects, for the LoIP use cases:
-,,“DigiCert Remote ID Validation levels RIV2, supporting the ETSI TS 119461 Use Case for Unattended remote identity proofing (9.2.3): "Hybrid manual and automated operation" (9.2.3.3)"
-,,“DigiCert Remote ID Validation levels RIV4, supporting the ETSI TS 119461 Use Case for Unattended remote identity proofing (9.2.3): "Hybrid manual and automated operation" (9.2.3.3)"
-,,CA/Browser Forum – Baseline Requirements Certificate Policy for the Issuance and Management of Publicly-Trusted Certificates 2.0.0 (11 April 2023);
-,,CA/Browser Forum – Guidelines for the Issuance and Management of Extended Validation Certificates v1.8.0 (30 November 2022);
-,,CA/Browser Forum - Network and Certificate System Security Requirements v1.7 (5 April 2021);
-,,Regulation (EU) N 910/2014 of the European Parliament and of the Council on electronic identification and trust services for electronic transactions in the internal market and repealing Directive 1999/93/EC, Chapter III – Trust Services.
-,,PKIoverheid - Programma van Eisen v4.11, part 3 Basiseisen, part 3 Aanvullende eisen and the requirements from parts 3a, 3b, 3c, 3g, 3h, 3i, 3j
Audit Period of Time:
1 June 2022 - 31 May 2023,,
Audit performed:
March, April and May, June 2023
Information and Contact:
BSI Group The Netherlands B.V., John M. Keynesplein 9, 1066 EP Amsterdam, NL
|
Selangor,Malaysia
Wanchai,Hong Kong
Hengyang,China
