Product conditions registration and use of trust services

1.1 Which definitions do We use in this document?

Terms as defined in the General Terms and Conditions are also used here. In addition, we use the following definitions:

Certificate: an electronic document that connects data for verifying an electronic signature to a particular person and confirms that person's identity. In the context of Vidua, every certificate is also a qualified certificate.

Certificate Holder: an entity which will be identified in a certificate if the holder ‘s identity is confirmed by Vidua. The Certificate Holder will be a natural person, if the Certificates are personalised.

Qualified certificate: a certificate that complies with the highest trust norms as stated in the EU eIDAS regulation.

Qualified trust service: electronic service for qualified electronic signing or identification in conformance with the highest trust norms as stated in the EU eIDAS regulation.

EU trusted list: a EU Member State list including information related to the qualified trust service providers for which it is responsible, together with information related to the qualified trust services provided by them.

Certificate Revocation List (CRL): a publicly available list containing all certificates that have been issued by Cleverbase that are now no longer valid due to revocation or expiration.

1.2 Hierarchy of documentation

This document is written with due care. However, in case of disputes between documentation, the following hierarchy exists:

• The certification practice statement
• PKI disclosure statement
• The terms & conditions in Dutch
• The terms & conditions in English
• The product conditions in Dutch
• The product conditions in English
• Other public outings by Cleverbase

3.1 Certificates

Vidua uses Certificates for creating electronic signatures and login. For each person, Vidua creates one or more Certificates. The Dutch government and the European Union impose strict rules on the issuance of Certificates. This entails obligations both for us as Vidua and for you as a user. Vidua complies with the obligations it has imposed on itself in its internal procedures. It also undertakes this towards its Users and the parties who rely on the certificates issued and managed by Vidua. Vidua has been certified against the standards imposed on her by PKIoverheid.

Vidua's internal procedures are laid down in its Certification Practice Statement (CPS). Vidua may change the Certification Practice Statement or the procedures included therein, but it will ensure that these procedures continue to meet the requirements that apply from PKIoverheid.

For the purpose of the certificates, Vidua archives the log files and other registration data relating to a specific Certificate during the validity period of that Certificate. After that period of validity, Vidua will keep the log files of that Certificate for another seven years.

For the provision of certification services, Vidua conforms to ETSI 319 411-1, 319 411-2 and the Programma van Eisen PKIoverheid. This has been determined by an external auditor, in accordance with the certification scheme ETSI 319 403-1.

3.2 Availability of services

The certificate status information will never be unavailable for more than four hours in a row. The certificate status information will also be available after the expiration of the certificate validity period for a period that is consistent with the laws and regulations governing Certificates. Vidua has a termination plan to meet this obligation.

4.1 Correct and complete information

Upon request by Vidua, the Certificate Holder will provide all the information necessary to execute the certificate service. The Certificate Holder will provide documented evidence in support of this information within fourteen days.

If any information in the certificate is incorrect or is no longer correct because of a change, the Certificate Holder shall immediately inform Vidua of this situation.

4.2 Continuity of use

After expiration of the validity of the certificate, the certificate can no longer be used. As Certificate Holder, you are responsible for the timely renewal of Certificates. As a Certificate Holder cannot derive any rights from an internal policy, Vidua will inform the Certificate Holder about the expiration of the certificate at the end of the validity period.

You are also responsible for emergency replacement if the key material is compromised or some other calamity occurs.

4.3 Revocation and correct use

The User prevents improper use of the Certificate. A Certificate is issued for a predetermined purpose, namely Authentication or Signing. As a User, you may therefore not use the Certificate for any purpose other than that for which the Certificate was issued.

The User ensures that no unauthorized or unlawful use is made of the services or certificates. In any case, she ensures that no action is taken in violation of the law or regulations, that no criminal offenses are committed or assisted in doing so, and that no damage is caused to Vidua, its reputation or integrity. This entails that the User takes reasonable measures to:

• ensure the confidentiality of the PIN, including at least:
  • preventing someone else from viewing the entry of the PIN code,
  • not writing down the PIN code
  • and not providing the PIN code to another person;
• ensure confidentiality of the use of the Vidua app.

You, as the Certificate Holder, will cease the use of the certificate and withdraw it as soon as possible if:

1. the key material has possibly been compromised,
2. the PIN code may have been compromised,
3. you no longer have access to the key material yourself (for example: you lost your cell phone,
4. the information in the certificate is not or no longer correct, or
5. there is any other reason that justifies a revocation of the certificate.

After a new registration, use of services can be resumed.

4.4 Other rules regarding the services and Certificates

A certificate is not designated as an identity document in the Dutch Compulsory Identification Act (Wid). Therefore, it can not be used to identify persons in cases where the law requires that the identity of the person in question is known and is established by means of a document designated in the Compulsory Identification Act (Wet op de identificatieplicht). Perhaps superfluously, it follows that a certificate may not be used in the provision of government services where the law requires the identity of persons with a document designated in the Dutch Compulsory Identification Act.

4.5 Relying party

The relying party is the recipient of the message that is provided with the certificate. He is expected to check the validity of Certificates used. If the relying party requests the status of a certificate, then it will have to verify the electronic signature and the associated certification path. For this check, he can request the crl of Vidua (trademark of Cleverbase) on https://pki.cleverbase.com/cleverbase3c.crl or perform an OCSP status check. See paragraph 4.10 of the Certification Practice Statement for a further explanation of retrieving the certificate status. In addition to this, the relying party should know that, for a certificate to be relied upon as an EU qualified certificate, the CA/trust anchor for the validation of the certificate shall be as identified in a service digital identifier of an EU trusted list entry with the service type identifier https://uri.etsi.org/TrstSvc/Svctype/CA/QC/. ETSI TS 119 615 provides guidance for relying parties on how to validate a certificate against the EU trusted lists.

Furthermore, it is recommended that the relying party is aware of the limitations of the use of the certificate, as can be derived from the certificate itself and from the Terms and Conditions.

5.1 Termination by Vidua

If a certificate is revoked by Vidua or by PKIoverheid, then your subscription agreement as a User with Vidua will continue to exist. Vidua retains the right to terminate your use of services for reasons mentioned in paragraph 7.2 of the terms and conditions.