The Dutch Information and Security Services Act will come into force in January 2018, and one of the main effects of the new legal framework is that the country’s certificate authority, the CA of the Staat der Nederlanden, could be taken off Mozilla’s trust list.
The new security law specifically addresses metadata retention powers and surveillance activities. Like legal frameworks adopted by other countries, it grants broad interception powers to Dutch authorities.
Mozilla maintainers argue that under the new law, the CA of the Staat der Nederlanden could be forced by the Government to support interception by abusing SSL proxying.
The Dutch secret services, with the help of the CA of the Staat der Nederlanden, could access encrypted traffic, a situation that also threatens other European states because major transit services operate in the Netherlands.
“The new ‘Wet op de inlichtingen- en veiligheidsdiensten (Wiv)’ (Law for intelligence and security services) has been accepted by the Dutch Government. Provisions authorizing new powers for the Dutch intelligence and security services will become active starting January 1st, 2018,” wrote Chris Van Pelt.
“This revision of the law will authorise intelligence and security to intercept and analyse cable-bound (Internet) traffic, and will include far-reaching authorisations, including covert technical attacks, to facilitate their access to encrypted traffic.”
“Article 45 1.b, explicitly authorises the use of ‘false keys’ in third party systems to obtain access to systems and data”.
Van Pelt pointed out that the Dutch CA is operated by PKIOverheid / Logius, a division of the Ministry of the Interior and Kingdom Relations, which also operates the AIVD intelligence service.
For this reason, Van Pelt suggests removing the Dutch CA from Mozilla’s trust list.