<div dir="ltr">Dear all,<div><br></div><div>Qualified certificates are intended to identify people, not websites nor servers. There are no hard constrains regarding the usage of EKU KU values, but good practices are to use Non-repudiation and only non-repudiation (see <a href="http://www.ietf.org/rfc/rfc3039.txt">RFC3039</a>, section 3.2.3 in combination with <a href="http://www.etsi.org/deliver/etsi_ts/102200_102299/102280/01.01.01_60/ts_102280v010101p.pdf">ETSI TS 102 280</a>, section 5.4.3 and taking into account that Qualified Certificates are defined with purpose of creation Qualified Electronic Signatures legally binding!)</div>
<div><br></div><div>In fact any QC contents personal data (or pseudonym but the CSP MUST have the actual personal data bound to the pseudonym) so I do not think any will want to put her personal data authenticating a public website.</div>
<div><br></div><div>Since the purpose of a QC is quite different of the purpose of a SSL certificate and the first is legally constricted I do really think that BR's do not have to cover QC at all. Maybe it exists but I have never seen a QC authenticating a website.</div>
<div><br></div><div>IMHO trying to cover QC is going beyond the purpose of the BR, it will mesh up the whole think without adding security to SSL certificates.</div><div><br></div><div><br></div></div><div class="gmail_extra">
<br clear="all"><div><div dir="ltr"><table><tbody><tr><td><a href="http://www.firmaprofesional.com/" style="color:rgb(17,85,204)" target="_blank"><img alt="AC Firmaprofesional S.A." src="http://www.firmaprofesional.com/images/fp_firmas.png" border="0"></a><br>
</td><td style="color:rgb(153,153,153)"><p><font face="Arial"><b>Chema López González<br> <br>AC Firmaprofesional S.A.<br></b></font></p></td></tr><tr><td><br></td><td><br><span style="color:rgb(153,153,153);font-family:Arial;font-size:small">Av. Torre Blanca, 57.</span> <br>
<font color="#999999" style="color:rgb(153,153,153)"><span style="font-family:Arial;font-size:small">Edificio ESADECREAPOLIS - 1B13</span><br></font><blockquote style="padding:0px;border-style:none;margin:0px 0px 0px 40px">
</blockquote><font><span style="color:rgb(153,153,153);font-family:Arial;font-size:small"><div style="text-align:-webkit-auto">08173 Sant Cugat del Vallès. Barcelona.</div></span><div style="text-align:-webkit-auto"><font><font color="#999999">Tel: </font><a value="+34934774245" style="color:rgb(17,85,204)">93.477.42.45</a><font color="#999999"> /</font><font color="#3333ff"> <a>666.429.224</a></font></font></div>
</font></td></tr></tbody></table><br><div>El contenido de este mensaje y de sus anexos es confidencial. Si no es el destinatario, le hacemos saber que está prohibido utilizarlo, divulgarlo y/o copiarlo sin tener la autorización correspondiente. Si ha recibido este mensaje por error, le agradeceríamos que lo haga saber inmediatamente al remitente y que proceda a destruir el mensaje.</div>
</div></div>
<br><br><div class="gmail_quote">On Thu, Dec 19, 2013 at 5:52 PM, Stephen Davidson <span dir="ltr"><<a href="mailto:S.Davidson@quovadisglobal.com" target="_blank">S.Davidson@quovadisglobal.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div lang="EN-US" link="blue" vlink="purple"><div><div class="im"><p class="MsoNormal"><span style="color:#1f497d">> Are qualified certs issued from the same root as BR certs?<u></u><u></u></span></p><p class="MsoNormal">
<span style="color:#1f497d"><u></u> <u></u></span></p></div><p class="MsoNormal"><span style="color:#1f497d">Yes.<u></u><u></u></span></p><p class="MsoNormal"><span style="color:#1f497d"><u></u> <u></u></span></p><p class="MsoNormal">
<span style="color:#1f497d"><u></u> <u></u></span></p><p class="MsoNormal"><span style="color:#1f497d"><u></u> <u></u></span></p><div><div style="border:none;border-top:solid #b5c4df 1.0pt;padding:3.0pt 0in 0in 0in"><p class="MsoNormal">
<b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif"">From:</span></b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif""> <a href="mailto:public-bounces@cabforum.org" target="_blank">public-bounces@cabforum.org</a> [mailto:<a href="mailto:public-bounces@cabforum.org" target="_blank">public-bounces@cabforum.org</a>] <b>On Behalf Of </b>Jeremy Rowley<br>
<b>Sent:</b> Thursday, December 19, 2013 12:51 PM<br><b>To:</b> <a href="mailto:i-barreira@izenpe.net" target="_blank">i-barreira@izenpe.net</a>; <a href="mailto:public@cabforum.org" target="_blank">public@cabforum.org</a></span></p>
<div class="im"><br><b>Subject:</b> Re: [cabfpub] Definition of an SSL certificate<u></u><u></u></div><p></p></div></div><p class="MsoNormal"><u></u> <u></u></p><p class="MsoNormal"><span style="color:#1f497d">So:<u></u><u></u></span></p>
<div class="im"><p><u></u><span style="color:#1f497d"><span>1)<span style="font:7.0pt "Times New Roman""> </span></span></span><u></u><span style="color:#1f497d">Qualified certs CAN be used for TLS Server Authentication since they may include anyEKU or serverAuth in the EKU extension<u></u><u></u></span></p>
<p><u></u><span style="color:#1f497d"><span>2)<span style="font:7.0pt "Times New Roman""> </span></span></span><u></u><span style="color:#1f497d">Qualified Certs do NOT comply with the BRs, they comply with the appropriate ESTI standard. <u></u><u></u></span></p>
<p><u></u><span style="color:#1f497d"><span>3)<span style="font:7.0pt "Times New Roman""> </span></span></span><u></u><span style="color:#1f497d">Qualified certs are only distinguishable from BR certs because qualified certs assert a QCStatement<u></u><u></u></span></p>
<p class="MsoNormal"><span style="color:#1f497d"><u></u> <u></u></span></p><p class="MsoNormal"><span style="color:#1f497d">Is this a fair summary? <u></u><u></u></span></p><p class="MsoNormal"><span style="color:#1f497d"><u></u> <u></u></span></p>
</div><div><div style="border:none;border-top:solid #b5c4df 1.0pt;padding:3.0pt 0in 0in 0in"><p class="MsoNormal"><b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif"">From:</span></b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif""> <a href="mailto:public-bounces@cabforum.org" target="_blank">public-bounces@cabforum.org</a> [<a href="mailto:public-bounces@cabforum.org" target="_blank">mailto:public-bounces@cabforum.org</a>] <b>On Behalf Of </b><a href="mailto:i-barreira@izenpe.net" target="_blank">i-barreira@izenpe.net</a></span></p>
<div><div class="h5"><br><b>Sent:</b> Thursday, December 19, 2013 9:25 AM<br><b>To:</b> <a href="mailto:jeremy.rowley@digicert.com" target="_blank">jeremy.rowley@digicert.com</a>; <a href="mailto:public@cabforum.org" target="_blank">public@cabforum.org</a><br>
<b>Subject:</b> Re: [cabfpub] Definition of an SSL certificate<u></u><u></u></div></div><p></p></div></div><div><div class="h5"><p class="MsoNormal"><u></u> <u></u></p><p class="MsoNormal"><span style="color:#1f497d">Yes, but with some additional points<u></u><u></u></span></p>
<p class="MsoNormal"><span style="color:#1f497d"><u></u> <u></u></span></p><p><u></u><span style="color:#1f497d"><span>-<span style="font:7.0pt "Times New Roman""> </span></span></span><u></u><span style="color:#1f497d">Mark Jansen is right albeit it depends on national legislation. In Spain, you have to indicate what EKU is to be used.<u></u><u></u></span></p>
<p><u></u><span style="color:#1f497d"><span>-<span style="font:7.0pt "Times New Roman""> </span></span></span><u></u><span style="color:#1f497d">DV or OV will never be considered Qualified certs. EV possibly and will have some impacts<u></u><u></u></span></p>
<p class="MsoNormal"><span style="color:#1f497d"><u></u> <u></u></span></p><div><p class="MsoNormal" style="line-height:9.75pt"><b><span style="font-size:8.5pt;font-family:"Tahoma","sans-serif""><u></u> <u></u></span></b></p>
<p class="MsoNormal" style="line-height:9.75pt"><b><span lang="ES-TRAD" style="font-size:8.5pt;font-family:"Tahoma","sans-serif"">Iñigo Barreira</span></b><span lang="ES-TRAD" style="font-size:8.5pt;font-family:"Tahoma","sans-serif""><br>
Responsable del Área técnica<br><a href="mailto:i-barreira@izenpe.net" target="_blank">i-barreira@izenpe.net</a><u></u><u></u></span></p><p class="MsoNormal"><span lang="ES-TRAD" style="font-size:8.5pt;font-family:"Tahoma","sans-serif"">945067705</span><span lang="ES-TRAD" style="color:#1f497d"><u></u><u></u></span></p>
<p class="MsoNormal"><span lang="ES" style="color:#1f497d"><u></u> <u></u></span></p><p class="MsoNormal"><b><span lang="ES" style="font-size:9.0pt;font-family:"Century Gothic","sans-serif";color:#244061"><img border="0" width="591" height="88" src="cid:image001.jpg@01CEFCB9.3BB46330" alt="Descripción: Descripción: Descripción: firma_izenpe_navid-OK-2"></span></b><span lang="ES" style="color:#1f497d"><u></u><u></u></span></p>
</div><p class="MsoNormal"><span lang="ES" style="color:#1f497d"><u></u> <u></u></span></p><div><div style="border:none;border-top:solid #b5c4df 1.0pt;padding:3.0pt 0in 0in 0in"><p class="MsoNormal"><b><span lang="ES" style="font-size:10.0pt;font-family:"Tahoma","sans-serif"">De:</span></b><span lang="ES" style="font-size:10.0pt;font-family:"Tahoma","sans-serif""> <a href="mailto:public-bounces@cabforum.org" target="_blank">public-bounces@cabforum.org</a> [<a href="mailto:public-bounces@cabforum.org" target="_blank">mailto:public-bounces@cabforum.org</a>] <b>En nombre de </b>Jeremy Rowley<br>
<b>Enviado el:</b> jueves, 19 de diciembre de 2013 17:06<br><b>Para:</b> CABFPub<br><b>Asunto:</b> [cabfpub] Definition of an SSL certificate<u></u><u></u></span></p></div></div><p class="MsoNormal"><span lang="ES"><u></u> <u></u></span></p>
<p class="MsoNormal">We are looking to clarify the scope of the BRs. Right now the BR scope is very loose and subjective: “This version of the Requirements only addresses Certificates intended to be used for authenticating servers accessible through the Internet.”<u></u><u></u></p>
<p class="MsoNormal"><u></u> <u></u></p><p class="MsoNormal">This loose definition excludes internal names (which are not typically accessible through the Internet), a type of certificate the BRs are clearly designed to regulate (see 11.1.4). In addition, a CA could easily issue a certificate outside of the BRs that could later be used in a TLS/SSL attack simply because the certificate wasn’t intended to be used for SSL. <u></u><u></u></p>
<p class="MsoNormal"><u></u> <u></u></p><p class="MsoNormal">Issuance of certificates outside the BRs may not be intentional, especially by CAs who aren’t regularly issuing SSL certificates. These CAs may not be aware that the BRs apply to their certificates and may not realize their client certificates could be used for SSL since “authenticating servers” is not a well-defined term. <u></u><u></u></p>
<p class="MsoNormal"><u></u> <u></u></p><p class="MsoNormal">Clarifying the scope will ensure that every CA is aware of the minimum standards and what they cover. Originally, the idea was to tie the scope to the values in the EKU. Unfortunately, there are several obstacles to this approach:<u></u><u></u></p>
<p>1)<span style="font-size:7.0pt;font-family:"Times New Roman","serif""> </span>Grid Certificates require serverAuth in the EKU. It’s unclear whether these certs should be covered.<u></u><u></u></p>
<p>2)<span style="font-size:7.0pt;font-family:"Times New Roman","serif""> </span>Per 5280, browsers treat the absence of an EKU and the anyEKU as serverAuth, meaning they are enabled for TLS Server Authentication.<u></u><u></u></p>
<p>3)<span style="font-size:7.0pt;font-family:"Times New Roman","serif""> </span>The FBCA requires anyEKU in several certificates. These are clearly client certificates and are outside the BR scope.<u></u><u></u></p>
<p>4)<span style="font-size:7.0pt;font-family:"Times New Roman","serif""> </span>Qualified certificates in the EU have either the anyEKU present or omit the EKU. They are client certs and clearly not covered by the BRs. However, they can be used for server authentication.<u></u><u></u></p>
<p class="MsoNormal"><u></u> <u></u></p><p class="MsoNormal">For qualified certificates, Moudrick provided the following guidance:<u></u><u></u></p><p>“Certificates using applications MAY require that the extended key usage extension be present and that a particular purpose be indicated in order for the certificate to be acceptable to that application.<u></u><u></u></p>
<p><u></u> <u></u></p><p>If a CA includes extended key usages to satisfy such applications, but does not wish to restrict usages of the key, the CA can include the special KeyPurposeId anyExtendedKeyUsage ***in addition to the particular key purposes required by the applications***.<u></u><u></u></p>
<p><u></u> <u></u></p><p>So a QC pretending to be RFC 5280/BR and ETSI (web server QCs) compliant would have to at least have:<u></u><u></u></p><p><u></u> <u></u></p><p>QC + [anyEKU] + id-kp-serverAuth + {DV/OV/EV}<u></u><u></u></p>
<p><u></u> <u></u></p><p>I'm quite confident that the absolute majority of QCs issued so far (that have anyEKU, see Mark Janssen's 08/08/2013 - thank you Stephen) do not contain any DV/OV/EV policy IDs, so why not accept them as BR compliant but not sufficient for TSL/SSL establishment?<u></u><u></u></p>
<p><u></u> <u></u></p><p>In order for a QC to have a TSL/SSL capability, BR may require:<u></u><u></u></p><p><u></u> <u></u></p><p>QC + {{id-kp-serverAuth and/or id-kp-clientAuth} + {DV/OV/EV}} (optionally no anyKEY allowed).<u></u><u></u></p>
<p><u></u> <u></u></p><p>A practical interpretation: a WEB server that also does some web site related document/content signing.”<u></u><u></u></p><p><u></u> <u></u></p><p>There appears to be a significant conflict between the CAB Forum’s work and the standards set by other bodies. In particular, their use of the anyEKU or omission of an EKU is permitting the realm of client certs to overlap SSL certs. Approaching each government body to stop this practice is not feasible and will take a very long time to complete<u></u><u></u></p>
<p><u></u> <u></u></p><p>Hopefully this summary helps inspire ideas on where we can go from here. I’m looking forward to ideas. <u></u><u></u></p><p><u></u> <u></u></p><p>Thanks!<u></u><u></u></p><p><u></u> <u></u></p><p>
Jeremy<u></u><u></u></p><p class="MsoNormal"><u></u> <u></u></p><p class="MsoNormal"><u></u> <u></u></p></div></div></div></div><br>_______________________________________________<br>
Public mailing list<br>
<a href="mailto:Public@cabforum.org">Public@cabforum.org</a><br>
<a href="https://cabforum.org/mailman/listinfo/public" target="_blank">https://cabforum.org/mailman/listinfo/public</a><br>
<br></blockquote></div><br></div>