Not many websites, but all of the Belgium ID cards would end up being

Although Belgium is only issuing client certs, the issuing CA is not
technically constrained, meaning a BR, Network security, and standard
WebTrust audit is required. We are currently waiting for the results of the
audit report.


-----Original Message-----
From: dev-security-policy
.org] On Behalf Of Kurt Roeckx
Sent: Monday, January 9, 2017 9:54 AM
Subject: Re: Update on transition of the Verizon roots and issuance of SHA1

On 2017-01-09 17:28, Rob Stradling wrote:
> On 03/11/16 19:34, Jeremy Rowley wrote:
> <snip>
> Hi Jeremy.
>> 7.       The Belgium government is our biggest challenge in migrating
>> Verizon customers. With over 20 issuing CAs, Belgium has the largest 
>> outstanding non-compliant infrastructure. The operators have also 
>> claimed that revoking their issuing CAs is illegal (in Belgium). The 
>> government is using the issuing CA for creating personal 
>> identification (e-ID) cards throughout the country. The Belgium 
>> government has dictated that they set the rules, not us. Although the 
>> Belgium government does not have an audit yet, Verizon has 
>> represented that the issuing CAs are hosted in the Verizon 
>> infrastructure and are potentially covered by the Verizon audit.
> I've noticed that some of the Belgian government CAs have been 
> disclosed to the CCADB with the CP/CPS and Audit fields marked as 
> "Same as Parent", whereas the CP/CPS and Audit fields for the rest of 
> those CAs have not yet been filled in.

Note that the Belgium root CA's information is available at:

As far as I know, most of the certificates are for (client) authentication
and signatures as used by the government itself and some websites that make
use of it. Those should already be set up to trust that root for client
authentication. I think I also found some websites, but most actually use a
different CA. So it seems unlikely that many public websites would get
broken by revoking it.


dev-security-policy mailing list

Attachment: smime.p7s
Description: S/MIME cryptographic signature

dev-security-policy mailing list

Reply via email to