| Scope |
On the request of Buypass AS (hereafter referred to as: Buypass), the annual certification audit on all areas and processes was performed by BSI Group The Netherlands B.V. (John M. Keynesplein 9, 1066 EP Amsterdam, The Netherlands).
The full audit covered all applicable requirements from the audit criteria listed below (see “Audit Information”) and are defined in Buypass’ Statement of Applicability, dated November 23, 2023 and in the Overview of Applicability, dated November 22, 2023.
The scope of the assessment comprised the following Trust Service Provider component services:
-,,Registration Service
-,,Certificate Generation Service
-,,Dissemination Service
-,,Revocation Management Service
-,,Revocation Status Service
-,,Subject Device Provision Service
For the issuing CA marked (*): This includes operating a remote QSCD / SCDev, where electronic signature creation data is generated and managed on behalf of the signatory.
These TSP component services are being provided for the qualified trust services, as defined in Regulation (EU) 910/2014 (eIDAS):
-,,Issuance of qualified certificates for electronic signatures (qualified trust service), in accordance with the policy: QCP-n, QCP-n-qscd
-,,Issuance of qualified certificates for electronic seals (qualified trust service), in accordance with the policy: QCP-l, QCP-l-qscd
-,,Issuance of qualified certificates for website authentication (qualified trust service), in accordance with the policies: QEVCP-w, QCP-w-psd2
The certificates are issued through the issuing certification authorities, as specified below:
Root CA: Buypass Class 3 Root CA
Sha256 Fingerprint:
EDF7EBBCA27A2A384D387B7D4010C666E2EDB4843E4C29B4AE1D5B9332E6B24D
-,,Issuing CA: Buypass Class 3 CA 2
Sha256 Fingerprint:
DAA0435407FA44C28AB939E6823813605779093873A96649AD6E03B05D28626C
+,,Buypass SSL Business Plus Certificates (OID 2.16.578.1.26.1.3.4), in accordance with policy QCP-w-psd2;
+,,Buypass Qualified SSL Evident Certificates (OID 2.16.578.1.26.1.3.3), in accordance with policy QEVCP-w;
-,,Issuing CA: Buypass Class 3 CA 3
Sha256 Fingerprint:
C49C350E5A8205E063E74C554A994335B8435C996527D4EF1A2B0C7B51584B2D
+,,Buypass Qualified certificates for natural persons (OID 2.16.578.1.26.1.3.1 smart card), in accordance with policy QCP-n;
+,,Buypass Qualified certificates for natural persons (OID 2.16.578.1.26.1.3.6 HSM), in accordance with policy QCP-n;
+,,Buypass Enterprise certificates for legal persons (OID 2.16.578.1.26.1.3.2 soft token), in accordance with policy QCP-l;
+,,Buypass Enterprise certificates for legal persons (OID 2.16.578.1.26.1.3.5 hard token), in accordance with policy QCP-l;
Root CA: Buypass Class 3 Root CA G2 QC
Sha256 Fingerprint:
A3BC38A68658DE89AC3FA5F29B92CECC6EE5CC61A004BDC72E740F7820260B98
-,,Issuing CA: Buypass Class 3 CA G2 QC WA
Sha256 Fingerprint:
258C108D81DC81A4808420C5CC4F47501057481E737334E1CCA631CD212E1ED1
+,,Buypass Qualified Website Authentication Certificates (OID 2.16.578.1.26.1.3.7 QWAC), in accordance with policy QEVCP-w
+,,Buypass Qualified Website Authentication Certificates (OID 2.16.578.1.26.1.3.7 QWAC) for PSD2, in accordance with policy QCP-w-psd2
Root CA: Buypass Class 3 Root CA G2 ST
Sha256 Fingerprint:
F8C16C6B4FD45CB0672E16582B8805F1CAFD0C48D866F4ED895B30E352A9FAA6
-,,Issuing CA: Buypass Class 3 CA G2 ST Business
Sha256 Fingerprint:
45E05831CDDAC1F2B96DC8CA54620834C87649E9FFD3B26D7DAD2AD07F807232
+,,Buypass Enterprise certificates for legal persons (OID 2.16.578.1.26.1.3.2 soft token), in accordance with policy QCP-l;
Root CA: Buypass Class 3 Root CA G2 HT
Sha256 Fingerprint:
AB936DFD7F171D3A3CBD08F9BEBDC3F3BAAABAA79DF6A908F8A7B0128627F187
-,,Issuing CA: Buypass Class 3 CA G2 HT Business
Sha256 Fingerprint:
0EF5CEDCE44265B112785B359A21141E20F553AADA4C579404617B5CA6046BE9
+,,Buypass Enterprise certificates for legal persons (OID 2.16.578.1.26.1.3.5 hard token), in accordance with policy QCP-l;
+,,Buypass Enterprise certificates for legal persons (OID 2.16.578.1.26.1.3.5 hard token), in accordance with policy QCP-l-qscd;
-,,Issuing CA: Buypass Class 3 CA G2 HT Person
Sha256 Fingerprint:
994DE1799320BE8340F86683709BF9CAE4284838C6F0AABE3A46D99ADB009B51
+,,Buypass Qualified certificates for natural persons (OID 2.16.578.1.26.1.3.1 smart card), in accordance with policy QCP-n;
+,,Buypass Qualified certificates for natural persons (OID 2.16.578.1.26.1.3.6 HSM), in accordance with policy QCP-n;
-,,Issuing CA (*): Buypass Class 3 CA G2 HT Person BCSS
Sha256 Fingerprint:
5C7132D1BBA73050F70EBA7B72D141BFFA2EE420AE2F690C37C42C979CB5A286
+,,Buypass BCSS Class 3 Certificates (OID 2.16.578.1.26.1.3.8 HSM), in accordance with policy QCP-n-qscd;
The Certification Authority processes and services are documented in the following documents:
-,,Certification Practice Statement - Buypass Class 3 Person Qualified Certificates v6.0, dated 16 November 2020 (effective date: 1 December 2020)
-,,Certification Practice Statement - Buypass Class 3 Enterprise Certificates v7.1, dated 2 November 2022 (effective date: 21 November 2022)
-,,Certification Practice Statement - Buypass Class 3 SSL Certificates v14.4, dated 10 May 2023 (effective date: 10 May 2023)
-,,Certification Practice Statement - Buypass Class 3 BCSS Person Certificates v1.0 dated 25 September 2023 (effective date: 1 October 2023) (*)
-,,Signature Policy and Practice Statement – BCSS Person Signing v1.0, dated 1 October 2023 (*)
-,,PKI Disclosure Statement - Buypass Qualified Certificates v5.2, dated 1 October 2023 (*)
Our annual certification audit was performed in October and November 2023. The result of the full audit is that we conclude, based on the objective evidence collected during the certification audit for the period from 1 November 2022 through 31 October 2023, the areas assessed during the audit were generally found to be effective, based on the applicable requirements defined in Buypass’ Statement of Applicability, dated November 23, 2023 and in the Overview of Applicability, dated November 22, 2023.
A scope extension audit was performed in July and October 2023 for the issuing CA marked (*). The result of the point-in-time audit is that we concluded, based on the objective evidence collected during the scope extension audit, the areas assessed during the audit were generally found to be effective, as of 10 October 2023, based on the applicable requirements defined in Buypass’ Statement of Applicability and Overview of Applicability.
We confirm that the Qualified Electronic Signature Creation Devices that are part of the provision of the trust services in-scope of our audit comply with Regulation (EU) 910/2014, Annex II.
Audit information
Audit criteria:
-,,ETSI EN 319 401 v2.3.1 (2021-05) Electronic Signatures and Infrastructures (ESI) - General Policy Requirements for Trust Service Providers
-,,ETSI EN 319 411-1 v1.3.1 (2021-05) Electronic Signatures and Infrastructures (ESI) - Policy and security requirements for Trust Service Providers issuing certificates - Part 1: General requirements, for the policies: NCP, NCP+, DVCP, OVCP, EVCP and PTC
-,,Regulation (EU) No 910/2014 of the European Parliament and of the Council on electronic identification and trust services for electronic transactions in the internal market and repealing Directive 1999/93/EC, Chapter III – Trust Services.
-,,ETSI EN 319 411-2 v2.4.1 (2021-11) Electronic Signatures and Infrastructures (ESI) - Policy and security requirements for Trust Service Providers issuing certificates; Part 2: Requirements for trust service providers issuing EU qualified certificates, for the policies: QCP-n , QCP-l, QCP-l-qscd and QEVCP-w
-,,ETSI TS 119 495 v1.6.1 (2022-11) Electronic Signatures and Infrastructures (ESI) - Sector Specific Requirements; Certificate Profiles and TSP Policy Requirements for Open Banking, for the policy: QCP-w-psd2
-,,CA/Browser Forum – Baseline Requirements for the Issuance and Management of Publicly-Trusted Certificates, v2.0.1 (17 August 2023)
-,,CA/Browser Forum – Guidelines for the Issuance and Management of Extended Validation Certificates v.1.8.0 (30 November 2022)
-,,CA/Browser Forum – Network and Certificate System Security Requirements v1.7 (5 April 2021)
Audit Period of Time:
1 November 2022 – 31 October 2023
Audit performed:
October and November 2023
Audit Point in Time, for issuing CA marked (*):
10 October 2023
Point in Time Audit performed:
July and October 2023
Information and Contact:
BSI Group the Netherlands B.V., John M. Keynesplein 9, 1066 EP Amsterdam, NL
|
Selangor,Malaysia
Wanchai,Hong Kong
Hengyang,China
