The DutchGrid CA service provides identity assertions to individual
persons for use in electronic authentication. By their very nature,
these identity assertion are linked to your personal data -- they
are used to provide your identity to third parties with which you
During the application and certification process with the
DutchGrid CA, your personal data will be processed and stored.
Of the data you provide, the contents of the certificate itself, in
particular the subject name will be disclosed to the general public.
Keep in mind that your certificate data will be exchanged in cleartext
whenever you send your certificate to establish a secure connection.
If your certificate contains your email address (but this is optional
and not the default!), this email address will be publicly visible.
Since you are the one initiating the use of your certificate for
authentication or email, protecting the data in your certificate during its
daily use is outside the control of the CA.
- This data enables the CA to ensure that the certificate is
issued the the proper person, and especially that the same
subject name is never assigned to different people.
This data is also retained by the CA to contact the subscriber
(i.e. you) with service notifications, such as (but not limited to)
the reminder sent to you a few weeks before your certificate expires.
These notices will not be frequent, and will always be sent by
the DutchGrid CA.
Your data may be disclosed to law enforcement, if so authorized
according to Dutch Law. This could be the case when your certificate
has been used for illegal activities.
The DutchGrid CA consists of the DutchGrid CA Management Authority and
the DutchGrid CA Operator. They will not share your data with any other party.
The following information is collected from the application on
the registration form (the registration form is then kept on paper
only, in a locked, secure environment with recorded access):
- Full name as stated on the government issued photo ID
used to generate the certificate subject name
- Date and place of birth
used together with the name and identity piece serial number
to make sure it is the same person that attempts renewal of
a certificate. It is stored on paper only, and not accessible
via a computer.
- Serial number, type, and issuing country of the identity piece shown
Type, issuing country, and the last four digits are stored electronically. The full number
is only on the paper form, stored on paper and off-line.
- Work address and phone number
Used to contact the subscriber in normal cases. Having a
work address is compulsory, and is used to make sure that the
applicant is part of the DutchGrid constituency (i.e.
acedemia, research and higher education in the Netherlands).
- Home phone number
Used to contact you in case of problems, in case you,
the user, has left the organisation. Since the user is not
required to keep location information up to date over the
one-year validity period, it is unsure if the subscriber is
still working with the organisation. In those cases, your
home phone might be used - we will not normally contact you
at your there.
- Electronic mail address
Used to send the certificate to, as well as renewal warnings
and service messages. Please use your organisation email address.
On request, it may be included in your certificate (which makes it
usable for sending signed email).
- Signature place and time, and signature
this binds the applicant to the Policy and Practice statements,
and signifies that the data above is complete and correct. Stored
on paper only.
When contacting the RA, you will be asked to show your ID. In particular,
your name is checked against the data on there, and only your date and
place of birth and the type and number of your national ID is
archived; no copies of it are stored by the RA or CA. These details are
kept off-line, except for the last four digits of your ID serial number.
Some information is also kept on-line. The on-line information
Access to this on-line information is limited to CA management
and operators only, but an off-site backup exists. A determined
attacker might use physical violence to get access to this data.
- All electronic correspondence with the CA, both in-bound and
- For each processed request, the RA address, the country of
issuance and the type & serial number of the identity piece, and
the dates and times of contact with the applicant.
- Any electronic correspondence of validation, checks and renewals bewteen
the CA and the RA(s) regarding renewal requests.
Note that all data at the CA could be used by law enforcement officials
if ever your certificate use is subject to a criminal investigation.
The CA cannot legally prevent access to this information in that case.
Getting Information About Your Data
You can request access to information regarding all your data at any time.
And you can of course request your data to be corrected.
Due to the nature
of the certificate service, you will have to agree to storage of your
data with the CA, for the purpose for issuing, validating and
renewal of identity assertions. You have been been or will be notified in
advance that your data will be stored -- as a warning at the top of
the electronic application form, and via the CP/CPS with which you
officially agreed when signing the paper-based application form.
The electronic mail with your certificate also notifies you of the
processing of your personal data by the CA.
You can request that all your information will be shielded. In that case,
your certificate will be revoked and removed from the on-line repository.
We cannot be responsible for leakage of this information if you yourself
continue to present your certificate to third parties.
For information, please contact:
or send an electronic mail
P.O. Box 41882
NL 1009 DB Amsterdam, The Netherlands
phone: +31 20 592 2000
fax: +31 20 592 5155