<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<meta name="Generator" content="Microsoft Word 15 (filtered medium)">
<!--[if !mso]><style>v\:* {behavior:url(#default#VML);}
o\:* {behavior:url(#default#VML);}
w\:* {behavior:url(#default#VML);}
.shape {behavior:url(#default#VML);}
</style><![endif]--><style><!--
/* Font Definitions */
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:"Segoe UI";
panose-1:2 11 5 2 4 2 4 2 2 3;}
@font-face
{font-family:Tahoma;
panose-1:2 11 6 4 3 5 4 4 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Times New Roman","serif";
color:black;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
p.MsoAcetate, li.MsoAcetate, div.MsoAcetate
{mso-style-priority:99;
mso-style-link:"Balloon Text Char";
margin:0in;
margin-bottom:.0001pt;
font-size:8.0pt;
font-family:"Tahoma","sans-serif";
color:black;}
span.BalloonTextChar
{mso-style-name:"Balloon Text Char";
mso-style-priority:99;
mso-style-link:"Balloon Text";
font-family:"Segoe UI","sans-serif";
color:black;}
span.EmailStyle19
{mso-style-type:personal;
font-family:"Calibri","sans-serif";
color:#1F497D;}
p.Textodeglobo, li.Textodeglobo, div.Textodeglobo
{mso-style-name:"Texto de globo";
mso-style-link:"Texto de globo Car";
margin:0in;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Times New Roman","serif";
color:black;}
span.TextodegloboCar
{mso-style-name:"Texto de globo Car";
mso-style-priority:99;
mso-style-link:"Texto de globo";
font-family:"Tahoma","sans-serif";
color:black;}
span.EmailStyle22
{mso-style-type:personal-reply;
font-family:"Calibri","sans-serif";
color:#1F497D;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page WordSection1
{size:8.5in 11.0in;
margin:70.85pt 85.05pt 70.85pt 85.05pt;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body bgcolor="white" lang="EN-US" link="blue" vlink="purple">
<div class="WordSection1">
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">What is ETSI’s position on CAs following LCP or NCP who issues certificates that can technically be used for SSL or code signing? Are they not allowed to be
subordinates of publicly trusted root CAs?<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">Kelvin<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<div>
<div style="border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:windowtext">From:</span></b><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:windowtext"> i-barreira@izenpe.net [mailto:i-barreira@izenpe.net]
<br>
<b>Sent:</b> Thursday, August 8, 2013 12:12 PM<br>
<b>To:</b> md@ssc.lt; Kelvin Yiu<br>
<b>Cc:</b> public@cabforum.org<br>
<b>Subject:</b> RE: [cabfpub] Ballot 108: Clarifying the scope of the baselinerequirements<o:p></o:p></span></p>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><span lang="ES" style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">Hi,<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="ES" style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">Something to add to what Mou´s pointing out and that has been mentioned several times at different F2F meetings.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">Regarding the BRs the current TS 102 042 and the next to come, EN 319 411-4, have 2 new policies:<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">OVCP: Organization Validation Certificate Policy<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">DVCP: Domain Validation Certificate Policy<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">(There´s a new one coming up called QWSCP: Qualified Web Site Certificate Policy in the EN regarding the EU regulation draft but we don´t know how this will
end up)<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">These 2 new policies are based on the BRs, and created because of these requirements, and are intended only for SSL certs. That´s it.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">The problem is what Mark has mentioned and Kelvin has re-organized, is what to do with those that are “kind of” SSL certs but have (or have not) the same profile.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">I think the BRs are just for server authentication and I like the new definition Mark proposed, very similar to what Jeremy stated.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">The CABF only dedicates to SSL certificates basically (up to now EV, OV, DV) and some others like code signing, s/mime are yet to come. (Well, EV code signing
exists and it used EVCP+ policy, which is the one for those issued in SSCDs)<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">These certs are not related IMO to qualified certs that we issue in Europe (QCP) but can fall into the NCP and they deviations, but that´s why these new policies
were created, just to fit the CABF guidelines, EV and BR but only for SSL certificates. Other type of certificates, for example, non qualified certificates for legal entities, or natural persons use these other policies, LCP, NCP.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">Hope this clarifies ETSI position.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">Regards<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<div>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal" style="line-height:9.75pt"><b><span lang="ES-TRAD" style="font-size:8.5pt;font-family:"Tahoma","sans-serif"">Iñigo Barreira</span></b><span lang="ES-TRAD" style="font-size:8.5pt;font-family:"Tahoma","sans-serif""><br>
Responsable del Área técnica<br>
<a href="mailto:i-barreira@izenpe.net">i-barreira@izenpe.net</a><o:p></o:p></span></p>
<p class="MsoNormal"><span lang="ES-TRAD" style="font-size:8.5pt;font-family:"Tahoma","sans-serif"">945067705</span><span lang="ES-TRAD" style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p></o:p></span></p>
<p class="MsoNormal"><span lang="ES-TRAD" style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="ES" style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><img border="0" width="585" height="111" id="Imagen_x0020_1" src="cid:image001.png@01CE9A77.B6674510" alt="Descripción: cid:image001.png@01CE3152.B4804EB0"></span><span lang="ES-TRAD" style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p></o:p></span></p>
<p class="MsoNormal" style="line-height:9.75pt"><span lang="ES" style="font-size:7.5pt;font-family:"Tahoma","sans-serif";color:#888888;mso-fareast-language:ES-TRAD">ERNE! Baliteke mezu honen zatiren bat edo mezu osoa legez babestuta egotea. Mezua badu bere
hartzailea. Okerreko helbidera heldu bada (helbidea gaizki idatzi, transmisioak huts egin) eman abisu igorleari, korreo honi erantzuna. KONTUZ!</span><span lang="ES" style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#888888;mso-fareast-language:ES-TRAD"><br>
</span><span lang="ES" style="font-size:7.5pt;font-family:"Tahoma","sans-serif";color:#888888;mso-fareast-language:ES-TRAD">ATENCION! Este mensaje contiene informacion privilegiada o confidencial a la que solo tiene derecho a acceder el destinatario. Si usted
lo recibe por error le agradeceriamos que no hiciera uso de la informacion y que se pusiese en contacto con el remitente.</span><span lang="ES" style="font-family:"Calibri","sans-serif";color:navy;mso-fareast-language:ES-TRAD"><o:p></o:p></span></p>
</div>
<p class="MsoNormal"><span lang="ES" style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<div>
<div style="border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b><span lang="ES" style="font-size:10.0pt;font-family:"Tahoma","sans-serif";color:windowtext">De:</span></b><span lang="ES" style="font-size:10.0pt;font-family:"Tahoma","sans-serif";color:windowtext">
<a href="mailto:public-bounces@cabforum.org">public-bounces@cabforum.org</a> [<a href="mailto:public-bounces@cabforum.org">mailto:public-bounces@cabforum.org</a>]
<b>En nombre de </b>Moudrick M. Dadashov<br>
<b>Enviado el:</b> jueves, 08 de agosto de 2013 20:12<br>
<b>Para:</b> Kelvin Yiu<br>
<b>CC:</b> 'CABFPub'<br>
<b>Asunto:</b> Re: [cabfpub] Ballot 108: Clarifying the scope of the baselinerequirements<o:p></o:p></span></p>
</div>
</div>
<p class="MsoNormal"><span lang="ES"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="ES">Thank you, Kelvin, IMO this is a very constructive approach.<br>
<br>
With this sense in mind I'd suggest the Forum to take a step forward and recognize/accept following policy applicability framework.<br>
<br>
Today European policy framework defines following models:<br>
<br>
1. LCP - Lightweihgt Certificate Policy;<br>
2. NCP - Normalized Certificate Policy (also NCP+);<br>
3. QCP - Qualified Certificate Policy (also QCP+);<br>
4. EVCP - Extended Validation Certificate Policy (EVCP+).<br>
<br>
Each model above has a ~formal set of requirements that might have been summarized by a formally accepted Profile or Certificate Template.<br>
<br>
As we know the QCP Profile already exists (ETSI).<br>
The EVCP Profile is more or less clear however has no formally approved form (to my best knowledge). But EVCP is de facto based on Forum's EVG.<br>
If we agree/accept that NCP is a BR like model, then here comes Kelvin's approach and we end up with a NCP profile. As NCP is not just SSL we an call it e.g. NCP SSL Profile (BR Profile).
<br>
<br>
So the proposal is to accept the above model as a basis in further developing BR and EVG. Opinions?<br>
<br>
Thanks,<br>
M.D. <br>
<br>
On 8/8/2013 8:10 PM, Kelvin Yiu wrote:<br>
> One way to make progress is<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-bottom:12.0pt"><span lang="ES"> perhaps for browsers to summarize the<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="ES"> > certificate profile (e.g. required fields and extensions)<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-bottom:12.0pt"><span lang="ES"> that their<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-bottom:12.0pt"><span lang="ES"> > browsers accept as SSL, code signing, or any other public<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="ES"> > certificates they accept. For example, I believe IE expects<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-bottom:12.0pt"><span lang="ES"> SSL<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="ES"> > certificates require at least the following: (I will need to<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-bottom:12.0pt"><span lang="ES"> do some<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-bottom:12.0pt"><span lang="ES"> > research to confirm)<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-bottom:12.0pt"><span lang="ES"> > <o:p></o:p></span></p>
<p class="MsoNormal"><span lang="ES"> > 1. Either no EKU extension, anyEKU, or the server auth EKU in<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-bottom:12.0pt"><span lang="ES"> all<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="ES"> > certificates in the chain. IE may still accept the old SGC<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-bottom:12.0pt"><span lang="ES"> olds as<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="ES"> > well 2. Valid DNS name in either the CN field in the subject<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-bottom:12.0pt"><span lang="ES"> name, or<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="ES"> > one or more dNSNames or IPv4 address in the SubjectAltName<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-bottom:12.0pt"><span lang="ES"> extension
<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-bottom:12.0pt"><span lang="ES"> > 3. Root CA must be enabled for server auth<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-bottom:12.0pt"><span lang="ES"> > <o:p></o:p></span></p>
<p class="MsoNormal" style="margin-bottom:12.0pt"><span lang="ES"> > For code signing certificates:<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-bottom:12.0pt"><span lang="ES"> > <o:p></o:p></span></p>
<p class="MsoNormal"><span lang="ES"> > 1. Either no EKU extension, anyEKU, or the code signing auth<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-bottom:12.0pt"><span lang="ES"> EKU in<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="ES"> > all certificates in the chain. 2. Root CA must be enabled for<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-bottom:12.0pt"><span lang="ES"> code<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="ES"> > signing 3. Subject name must have either CN, or O, (and maybe<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-bottom:12.0pt"><span lang="ES"> OU)<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-bottom:12.0pt"><span lang="ES"> > field.<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-bottom:12.0pt"><span lang="ES"> > <o:p></o:p></span></p>
<p class="MsoNormal"><span lang="ES"> > Hence, OV SSL certificates that do not have an EKU extension<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-bottom:12.0pt"><span lang="ES"> (or<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="ES"> > include the anyEKU OID) are valid for both SSL and code<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-bottom:12.0pt"><span lang="ES"> signing.<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="ES"> > Arguably it is probably not the intention of the CA to issue<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-bottom:12.0pt"><span lang="ES"> SSL<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-bottom:12.0pt"><span lang="ES"> > certificates that can be also used for code signing.<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-bottom:12.0pt"><span lang="ES"> > <o:p></o:p></span></p>
<p class="MsoNormal"><span lang="ES"> > At a high level from the MS perspective, I want all CAs that<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-bottom:12.0pt"><span lang="ES"> issue<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="ES"> > certificates that would be interpreted as SSL, code signing,<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-bottom:12.0pt"><span lang="ES"> or<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="ES"> > whatever other usages allowed by the root program) to be in<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-bottom:12.0pt"><span lang="ES"> scope of<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="ES"> > the discussion. The high level principle here is to prevent<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-bottom:12.0pt"><span lang="ES"> or at<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="ES"> > least minimize unintended certificate usages that opens up<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-bottom:12.0pt"><span lang="ES"> security<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-bottom:12.0pt"><span lang="ES"> > vulnerabilities.<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-bottom:12.0pt"><span lang="ES"> > <o:p></o:p></span></p>
<p class="MsoNormal"><span lang="ES"> > So if while PIV certificates may include the anyEKU but do<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-bottom:12.0pt"><span lang="ES"> not<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="ES"> > contain any valid DNS name, browsers may reject it for SSL so<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-bottom:12.0pt"><span lang="ES"> they<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-bottom:12.0pt"><span lang="ES"> > can be considered out of scope.<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-bottom:12.0pt"><span lang="ES"> > <o:p></o:p></span></p>
<p class="MsoNormal"><span lang="ES"> > I agree the much harder problem to resolve is whether to<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-bottom:12.0pt"><span lang="ES"> include CAs<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="ES"> > with no EKUs that are capable of issuing SSL certificates,<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-bottom:12.0pt"><span lang="ES"> but I<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-bottom:12.0pt"><span lang="ES"> > don't have a good answer yet.<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-bottom:12.0pt"><span lang="ES"> > <o:p></o:p></span></p>
<p class="MsoNormal" style="margin-bottom:12.0pt"><span lang="ES"> > Kelvin<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-bottom:12.0pt"><span lang="ES"> > <o:p></o:p></span></p>
<p class="MsoNormal" style="margin-bottom:12.0pt"><span lang="ES"> > <o:p></o:p></span></p>
<p class="MsoNormal" style="margin-bottom:12.0pt"><span lang="ES"> > <o:p></o:p></span></p>
<p class="MsoNormal" style="margin-bottom:12.0pt"><span lang="ES"> > -----Original Message----- From:
<a href="mailto:public-bounces@cabforum.org">public-bounces@cabforum.org</a><o:p></o:p></span></p>
<p class="MsoNormal"><span lang="ES"> > [<a href="mailto:public-bounces@cabforum.org">mailto:public-bounces@cabforum.org</a>] On Behalf Of Jeremy<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-bottom:12.0pt"><span lang="ES"> Rowley Sent:<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="ES"> > Thursday, August 8, 2013 9:04 AM To: 'Gervase Markham' Cc:<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-bottom:12.0pt"><span lang="ES"> 'CABFPub'
<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="ES"> > Subject: Re: [cabfpub] Ballot 108: Clarifying the scope of<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-bottom:12.0pt"><span lang="ES"> the<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-bottom:12.0pt"><span lang="ES"> > baseline requirements<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-bottom:12.0pt"><span lang="ES"> > <o:p></o:p></span></p>
<p class="MsoNormal" style="margin-bottom:12.0pt"><span lang="ES"> > Yes - I am officially withdrawing the ballot pending further<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-bottom:12.0pt"><span lang="ES"> > consideration.<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-bottom:12.0pt"><span lang="ES"> > <o:p></o:p></span></p>
<p class="MsoNormal"><span lang="ES"> > I'm not sure how to overcome these obstacles since: 1) PIV-I<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-bottom:12.0pt"><span lang="ES"> in the<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="ES"> > US space requires the anyEKU 2) Qualified Certs may require<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-bottom:12.0pt"><span lang="ES"> no EKU 3)<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-bottom:12.0pt"><span lang="ES"> > Certificates without an EKU or the anyEKU may be used as SSL<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="ES"> > certificates 4) All SSL certificates should be covered by the<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-bottom:12.0pt"><span lang="ES"> BRs 5)<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="ES"> > Qualified and PIV-I Certs cannot be covered by the BRs since<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-bottom:12.0pt"><span lang="ES"> they<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="ES"> > lack a FQDN 6) SSL Certificates without an FQDN are<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-bottom:12.0pt"><span lang="ES"> considered local<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-bottom:12.0pt"><span lang="ES"> > host and explicitly covered by the BRs<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-bottom:12.0pt"><span lang="ES"> > <o:p></o:p></span></p>
<p class="MsoNormal" style="margin-bottom:12.0pt"><span lang="ES"> > I think the best option might be to simply acknowledge the<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-bottom:12.0pt"><span lang="ES"> > inconsistency and change the definition as follows:<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-bottom:12.0pt"><span lang="ES"> > <o:p></o:p></span></p>
<p class="MsoNormal"><span lang="ES"> > "All root certificates included in a browser's trust store,<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-bottom:12.0pt"><span lang="ES"> all<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="ES"> > subordinate CA certificates signed by one of these root<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-bottom:12.0pt"><span lang="ES"> certificates,<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="ES"> > and all end-entity certificates that either lack any Extended<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-bottom:12.0pt"><span lang="ES"> Key<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="ES"> > Usage extension or contain an Extended Key Usage extension<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-bottom:12.0pt"><span lang="ES"> that<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="ES"> > contain (i) either an Internal Server Name or a FQDN and (ii)<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-bottom:12.0pt"><span lang="ES"> one of<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-bottom:12.0pt"><span lang="ES"> > the following: - Server Authentication (1.3.6.1.5.5.7.3.1) -<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-bottom:12.0pt"><span lang="ES"> > anyExtendedKeyUsage (2.5.29.37.0) - Netscape Server Gated<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-bottom:12.0pt"><span lang="ES"> > Cryptography (2.16.840.1.113730.4.1) - Microsoft Server Gated<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="ES"> > Cryptography (1.3.6.1.4.1.311.10.3.3) are expressly covered<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-bottom:12.0pt"><span lang="ES"> by these<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-bottom:12.0pt"><span lang="ES"> > requirements."<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-bottom:12.0pt"><span lang="ES"> > <o:p></o:p></span></p>
<p class="MsoNormal" style="margin-bottom:12.0pt"><span lang="ES"> > <o:p></o:p></span></p>
<p class="MsoNormal" style="margin-bottom:12.0pt"><span lang="ES"> > Jeremy<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-bottom:12.0pt"><span lang="ES"> > <o:p></o:p></span></p>
<p class="MsoNormal" style="margin-bottom:12.0pt"><span lang="ES"> > -----Original Message----- From: Gervase Markham<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="ES"> > [<a href="mailto:gerv@mozilla.org">mailto:gerv@mozilla.org</a>] Sent: Thursday, August 08, 2013<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-bottom:12.0pt"><span lang="ES"> 9:20 AM To:<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="ES"> > <a href="mailto:jeremy.rowley@digicert.com">
jeremy.rowley@digicert.com</a> Cc: 'CABFPub' Subject: Re:<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-bottom:12.0pt"><span lang="ES"> [cabfpub]<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-bottom:12.0pt"><span lang="ES"> > Ballot 108: Clarifying the scope of the baseline requirements<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-bottom:12.0pt"><span lang="ES"> > <o:p></o:p></span></p>
<p class="MsoNormal" style="margin-bottom:12.0pt"><span lang="ES"> > On 02/08/13 12:19, Jeremy Rowley wrote:<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="ES"> >> There is a potential conflict that I think needs more<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-bottom:12.0pt"><span lang="ES"> data and<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-bottom:12.0pt"><span lang="ES"> >> discussion:<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-bottom:12.0pt"><span lang="ES"> > <o:p></o:p></span></p>
<p class="MsoNormal"><span lang="ES"> > We agree; hence Mozilla votes NO on the ballot in its current<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-bottom:12.0pt"><span lang="ES"> form.<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-bottom:12.0pt"><span lang="ES"> > <o:p></o:p></span></p>
<p class="MsoNormal"><span lang="ES"> > We would like to see it withdrawn until further information<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-bottom:12.0pt"><span lang="ES"> can be<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="ES"> > gathered. We very much support the goal of this ballot; we<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-bottom:12.0pt"><span lang="ES"> want the<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="ES"> > BRs to cover all certs capable of being used by SSL servers.<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-bottom:12.0pt"><span lang="ES"> But we<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="ES"> > need to figure out whether this requires a change in the<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-bottom:12.0pt"><span lang="ES"> definition<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-bottom:12.0pt"><span lang="ES"> > of what the BRs cover, or a change (e.g. on clients) in the<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="ES"> > definition of "capable of being used by SSL servers". Or<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-bottom:12.0pt"><span lang="ES"> something<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-bottom:12.0pt"><span lang="ES"> > else.<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-bottom:12.0pt"><span lang="ES"> > <o:p></o:p></span></p>
<p class="MsoNormal" style="margin-bottom:12.0pt"><span lang="ES"> > Gerv<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-bottom:12.0pt"><span lang="ES"> > <o:p></o:p></span></p>
<p class="MsoNormal"><span lang="ES"> > _______________________________________________ Public<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-bottom:12.0pt"><span lang="ES"> mailing list
<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="ES"> > <a href="mailto:Public@cabforum.org">
Public@cabforum.org</a><o:p></o:p></span></p>
<p class="MsoNormal" style="margin-bottom:12.0pt"><span lang="ES"> <a href="https://cabforum.org/mailman/listinfo/public">
https://cabforum.org/mailman/listinfo/public</a> <o:p></o:p></span></p>
<p class="MsoNormal"><span lang="ES"> > _______________________________________________ Public<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-bottom:12.0pt"><span lang="ES"> mailing list
<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="ES"> > <a href="mailto:Public@cabforum.org">
Public@cabforum.org</a><o:p></o:p></span></p>
<p class="MsoNormal" style="margin-bottom:12.0pt"><span lang="ES"> <a href="https://cabforum.org/mailman/listinfo/public">
https://cabforum.org/mailman/listinfo/public</a><o:p></o:p></span></p>
</div>
</body>
</html>