<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<div class="moz-cite-prefix">Rick,<br>
<br>
On 1/3/2014 8:09 PM, Rick Andrews wrote:<br>
</div>
<blockquote
cite="mid:544B0DD62A64C1448B2DA253C011414607C15D563A@TUS1XCHEVSPIN33.SYMC.SYMANTEC.COM"
type="cite">
<div class="WordSection1">
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:Calibri,sans-serif;color:#1F497D">Mads,
Moudrick,<o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:Calibri,sans-serif;color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:Calibri,sans-serif;color:#1F497D">Are
CAs that issue QCs audited by some ETSI audit equivalent to
BRs, in which the auditors check that the CA verified any
domain names that appear in QCs?<o:p></o:p></span></p>
</div>
</blockquote>
Yes, according to ETSI SR 003 091 V1.1.1 (2012-04) "Recommendations
on Governance and Audit Regime for CAB Forum Extended Validation and
Baseline Certificates", CAs, in order to comply with BRs, have to be
audited against ETSI TS 102 042. And this is irrelevant to whether
you are issuing QCs or not.<br>
<br>
Thanks,<br>
M.D.<br>
<blockquote
cite="mid:544B0DD62A64C1448B2DA253C011414607C15D563A@TUS1XCHEVSPIN33.SYMC.SYMANTEC.COM"
type="cite">
<div class="WordSection1">
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:Calibri,sans-serif;color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:Calibri,sans-serif;color:#1F497D">Also,
to respond to Mads’ earlier question about the
id-kp-clientAuth EKU bit: Symantec generally sets both
clientAuth and serverAuth EKU bits, because we have many
customers who use the certificate for server-to-server
communication. Each endpoint has an SSL cert, and one acts
as the client while one acts as the server, and they use
their certs to authenticate each other.<o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:Calibri,sans-serif;color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:Calibri,sans-serif;color:#1F497D">-Rick<o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:Calibri,sans-serif;color:#1F497D"><o:p> </o:p></span></p>
<div style="border:none;border-left:solid blue 1.5pt;padding:0in
0in 0in 4.0pt">
<div>
<div style="border:none;border-top:solid #B5C4DF
1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b><span
style="font-size:10.0pt;font-family:Tahoma,sans-serif;color:windowtext">From:</span></b><span
style="font-size:10.0pt;font-family:Tahoma,sans-serif;color:windowtext">
<a class="moz-txt-link-abbreviated" href="mailto:public-bounces@cabforum.org">public-bounces@cabforum.org</a>
[<a class="moz-txt-link-freetext" href="mailto:public-bounces@cabforum.org">mailto:public-bounces@cabforum.org</a>] <b>On Behalf Of
</b>Mads Egil Henriksveen<br>
<b>Sent:</b> Friday, January 03, 2014 3:52 AM<br>
<b>To:</b> Moudrick M. Dadashov; Jeremy Rowley;
<a class="moz-txt-link-abbreviated" href="mailto:public@cabforum.org">public@cabforum.org</a><br>
<b>Subject:</b> Re: [cabfpub] Definition of an SSL
certificate<o:p></o:p></span></p>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:Calibri,sans-serif;color:#1F497D">Hi
Moudrick<o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:Calibri,sans-serif;color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:Calibri,sans-serif;color:#1F497D">There
might not be a real use case for including a domain name
in a QC, but as a trusted CA we take the responsibility
for the accuracy of information in all certs we issue. And
that was my point and why I am not very concerned about
the described attack scenario. <o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:Calibri,sans-serif;color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:Calibri,sans-serif;color:#1F497D">Regards<o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:Calibri,sans-serif;color:#1F497D">Mads<o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:Calibri,sans-serif;color:#1F497D"><o:p> </o:p></span></p>
<div>
<div style="border:none;border-top:solid #B5C4DF
1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b><span
style="font-size:10.0pt;font-family:Tahoma,sans-serif;color:windowtext">From:</span></b><span
style="font-size:10.0pt;font-family:Tahoma,sans-serif;color:windowtext">
<a class="moz-txt-link-abbreviated" href="mailto:public-bounces@cabforum.org">public-bounces@cabforum.org</a>
[<a class="moz-txt-link-freetext" href="mailto:public-bounces@cabforum.org">mailto:public-bounces@cabforum.org</a>] <b>On Behalf Of
</b>Moudrick M. Dadashov<br>
<b>Sent:</b> 3. januar 2014 11:51<br>
<b>To:</b> Mads Egil Henriksveen; Jeremy Rowley;
<a class="moz-txt-link-abbreviated" href="mailto:public@cabforum.org">public@cabforum.org</a><br>
<b>Subject:</b> Re: [cabfpub] Definition of an SSL
certificate<o:p></o:p></span></p>
</div>
</div>
<p class="MsoNormal"><span lang="NO-BOK"><o:p> </o:p></span></p>
<div>
<p class="MsoNormal"><span lang="NO-BOK">Mads,<br>
<br>
On 1/3/2014 11:49 AM, Mads Egil Henriksveen wrote:<o:p></o:p></span></p>
</div>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:Calibri,sans-serif;color:#1F497D"> </span><span
lang="NO-BOK"><o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:Calibri,sans-serif;color:#1F497D">The
attack scenario assumes that the QC can be chained to a
root cert in a trusted CA root store. This means that
the CA should know the root store requirements and
should be aware of the risk of issuing any cert that could
be used as an SSL certificate. </span><span
lang="NO-BOK"><o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:Calibri,sans-serif;color:#1F497D"> </span><span
lang="NO-BOK"><o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:Calibri,sans-serif;color:#1F497D">Buypass
do issue both QC and SSL certificates, and with the
DigiNotar attack back in 2011 we realized that the
browsers do accept a lot of certificates as SSL
certificates. Since then we have had strict controls to
ensure that no certificate is issued with an unverified
domain name. I guess most of the trusted QC issuers who
also issue SSL certificates are aware of this; I would
not be very concerned about this attack scenario. </span><span
lang="NO-BOK"><o:p></o:p></span></p>
</blockquote>
<p class="MsoNormal" style="margin-bottom:12.0pt"><span
lang="NO-BOK">What is the use case when in a QC we'd need
a [any/unverified] domain name? (aren't CAs responsible
for the accuracy of information in the QCs they issue?). <o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:Calibri,sans-serif;color:#1F497D"> </span><span
lang="NO-BOK"><o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:Calibri,sans-serif;color:#1F497D">However,
I do support the idea of a technical definition of an SSL
certificate and I like the proposal from Ryan Hurst
requiring the BR/EV OIDs. </span><span lang="NO-BOK"><o:p></o:p></span></p>
<p class="MsoNormal"><span lang="NO-BOK">Under the ETSI framework,
compliance assumes two things: compliance with the
corresponding requirements plus certificate profile
compliance. These two categories exist as separate
documents (under their own ETSI IDs).<br>
Ryan's proposal is definitely a good step forward; I'd
vote with both my hands if we go even further and, like
ETSI, have separate BR/EV profile specifications.<br>
<br>
Thanks,<br>
M.D.<o:p></o:p></span></p>
</div>
</div>
</blockquote>
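<p>The thread turns on what technically makes a certificate an SSL certificate: Rick's server-to-server certificates carry both the serverAuth and clientAuth EKUs, Mads describes a control that no certificate is issued with an unverified domain name, and Ryan Hurst's proposal would key the definition on the BR/EV policy OIDs. The Go program below is an added example, not code from any participant or CA in this thread; it models the first reading as "a host name in the SAN plus an EKU that is absent or permits serverAuth" (an assumption, since TLS clients differ in how they treat EKU) and the second as the presence of the CA/Browser Forum DV, OV or EV policy OIDs, which are real values not quoted on the page. MakeCert generates a constructed self-signed certificate only so the checks can run offline.</p>

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"math/big"
	"time"
)
// CA/Browser Forum policy OIDs: DV 2.23.140.1.2.1, OV 2.23.140.1.2.2, EV 2.23.140.1.1.
var brPolicyOIDs = []asn1.ObjectIdentifier{{2, 23, 140, 1, 2, 1}, {2, 23, 140, 1, 2, 2}, {2, 23, 140, 1, 1}}
// UsableAsServerCert models "could be used as an SSL certificate" as: a host name in the SAN and
// an EKU that is absent or permits serverAuth (or anyEKU). Such a cert needs domain validation.
func UsableAsServerCert(c *x509.Certificate) bool {
	if len(c.DNSNames) == 0 && len(c.IPAddresses) == 0 {
		return false // no host name, so it cannot be presented for a TLS server
	}
	if len(c.ExtKeyUsage) == 0 {
		return true // no EKU extension means no restriction on TLS server use
	}
	for _, eku := range c.ExtKeyUsage {
		if eku == x509.ExtKeyUsageServerAuth || eku == x509.ExtKeyUsageAny {
			return true
		}
	}
	return false // e.g. a clientAuth-only or QC profile without serverAuth
}
// HasBRPolicy is the stricter definition floated in the thread: the cert asserts a BR or EV policy OID.
func HasBRPolicy(c *x509.Certificate) bool {
	for _, p := range c.PolicyIdentifiers {
		for _, br := range brPolicyOIDs {
			if p.Equal(br) { return true }
		}
	}
	return false
}
// MakeCert builds a constructed, self-signed throwaway certificate (not one issued by any CA here).
func MakeCert(dns []string, ekus []x509.ExtKeyUsage) *x509.Certificate {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil { panic(err) }
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "constructed"}, NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour), DNSNames: dns, ExtKeyUsage: ekus}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil { panic(err) }
	cert, err := x509.ParseCertificate(der)
	if err != nil { panic(err) }
	return cert
}
```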
<br>
</body>
</html>