<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"><head><meta http-equiv=Content-Type content="text/html; charset=iso-8859-1"><meta name=Generator content="Microsoft Word 14 (filtered medium)"><style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Times New Roman","serif";}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
span.EmailStyle17
{mso-style-type:personal-compose;
font-family:"Calibri","sans-serif";
color:windowtext;}
.MsoChpDefault
{mso-style-type:export-only;
font-family:"Calibri","sans-serif";}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]--></head><body lang=EN-US link=blue vlink=purple><div class=WordSection1><p class=MsoNormal>On 16-Sept-2013, Chema López González <clopez@firmaprofesional.com> wrote,<o:p></o:p></p><p class=MsoNormal>><o:p> </o:p></p><p class=MsoNormal>>Wouldn't it be easier if BSR and EVR were in fact a Certificate Policy and then, each <o:p></o:p></p><p class=MsoNormal>>Certification Services Provider (CSP), through its Certification Practices Statement (CPS) <o:p></o:p></p><p class=MsoNormal>>demonstrated than they fulfil the Policy Requirements so the SSL certificate could use this <o:p></o:p></p><p class=MsoNormal>>OID?<o:p></o:p></p><p class=MsoNormal>><o:p> </o:p></p><p class=MsoNormal>>Here in Spain we have hundreds of OIDs from different CSP and it is a real nightmare trying <o:p></o:p></p><p class=MsoNormal>>to mange it. I wrote about it (<a href="http://isigmaglobal.com/2012/05/18/growing-certificate-policies-cp/">http://isigmaglobal.com/2012/05/18/growing-certificate-policies-cp/</a>) <o:p></o:p></p><p class=MsoNormal>>more than a year ago ... but things are getting worst. Do you think it is sensible that each CSP <o:p></o:p></p><p class=MsoNormal>>in the world need to use its own OID to issue certificates that MUST fulfil the same >requirements worldwide?<o:p></o:p></p><p class=MsoNormal>><o:p> </o:p></p><p class=MsoNormal>>Best regards, <o:p></o:p></p><p class=MsoNormal>><o:p> </o:p></p><p class=MsoNormal>>Chema.<o:p></o:p></p><p class=MsoNormal>><span style='font-size:11.0pt;font-family:"Calibri","sans-serif"'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif"'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif"'>Chema,<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif"'>That is a good idea. It would be good to re-write both guidelines into a single CP in RFC3647 format and then include all of the CABF OIDs in section 1.2 (policy identification). Maybe when NIST releases its next version of the reference CP we can take a look at doing that.<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif"'>Ben <o:p></o:p></span></p></div></body></html>