<html>
  <head>
    <meta content="text/html; charset=ISO-8859-1"
      http-equiv="Content-Type">
  </head>
  <body bgcolor="#FFFFFF" text="#000000">
    <div class="moz-cite-prefix">Mads,<br>
      <br>
      On 1/3/2014 11:49 AM, Mads Egil Henriksveen wrote:<br>
    </div>
    <blockquote
cite="mid:93642F058956C0429DAFE965729E90A7261CE6D939@BPGVKEX1.intra.buypass.no"
      type="cite">
      <meta http-equiv="Content-Type" content="text/html;
        charset=ISO-8859-1">
      <meta name="Generator" content="Microsoft Word 12 (filtered
        medium)">
      <!--[if !mso]><style>v\:* {behavior:url(#default#VML);}
o\:* {behavior:url(#default#VML);}
w\:* {behavior:url(#default#VML);}
.shape {behavior:url(#default#VML);}
</style><![endif]-->
      <style><!--
/* Font Definitions */
@font-face
        {font-family:"Cambria Math";
        panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
        {font-family:Calibri;
        panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
        {font-family:Tahoma;
        panose-1:2 11 6 4 3 5 4 4 2 4;}
@font-face
        {font-family:"Century Gothic";
        panose-1:2 11 5 2 2 2 2 2 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
        {margin:0cm;
        margin-bottom:.0001pt;
        font-size:12.0pt;
        font-family:"Times New Roman","serif";}
a:link, span.MsoHyperlink
        {mso-style-priority:99;
        color:blue;
        text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
        {mso-style-priority:99;
        color:purple;
        text-decoration:underline;}
p
        {mso-style-priority:99;
        mso-margin-top-alt:auto;
        margin-right:0cm;
        mso-margin-bottom-alt:auto;
        margin-left:0cm;
        font-size:12.0pt;
        font-family:"Times New Roman","serif";}
p.MsoAcetate, li.MsoAcetate, div.MsoAcetate
        {mso-style-priority:99;
        mso-style-link:"Balloon Text Char";
        margin:0cm;
        margin-bottom:.0001pt;
        font-size:8.0pt;
        font-family:"Tahoma","sans-serif";}
span.BalloonTextChar
        {mso-style-name:"Balloon Text Char";
        mso-style-priority:99;
        mso-style-link:"Balloon Text";
        font-family:"Tahoma","sans-serif";}
span.EmailStyle20
        {mso-style-type:personal;
        font-family:"Calibri","sans-serif";
        color:#1F497D;}
span.EmailStyle21
        {mso-style-type:personal-reply;
        font-family:"Calibri","sans-serif";
        color:#1F497D;}
.MsoChpDefault
        {mso-style-type:export-only;
        font-size:10.0pt;}
@page WordSection1
        {size:612.0pt 792.0pt;
        margin:72.0pt 72.0pt 72.0pt 72.0pt;}
div.WordSection1
        {page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
      <div class="WordSection1">
        <p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"
            lang="EN-US"><o:p> </o:p></span></p>
        <p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"
            lang="EN-US">The attack scenario assumes that the QC can be
            chained to a root cert in a trusted CA root store. This
            means that the CA should know the root store requirements
            and should be aware of the risk issuing any cert that could
            be used as an SSL certificate. <o:p></o:p></span></p>
        <p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"
            lang="EN-US"><o:p> </o:p></span></p>
        <p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"
            lang="EN-US">Buypass do issue both QC and SSL certificates
            and with the DigiNotar attack back in 2011 we realized that
            the browsers do accept a lot of certificates as SSL
            certificates. Since then we have had strict controls to
            ensure that no certificate is issued with an unverified
            domain name. I guess most of the trusted QC issuers who also
            issue SSL certificates are aware of this, I would not be
            very concerned about this attack scenario. <o:p></o:p></span></p>
      </div>
    </blockquote>
    What is the use case when in a QC we'd need a [any/unverified]
    domain name? (aren't CAs responsible for the accuracy of information
    in the QCs they issue?). <br>
    <blockquote
cite="mid:93642F058956C0429DAFE965729E90A7261CE6D939@BPGVKEX1.intra.buypass.no"
      type="cite">
      <div class="WordSection1">
        <p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"
            lang="EN-US"><o:p> </o:p></span></p>
        <p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"
            lang="EN-US">However, I do support the idea of a technical
            definition of an SSL certificate and I like the proposal
            from Ryan Hurst requiring the BR/EV OIDs. <o:p></o:p></span></p>
      </div>
    </blockquote>
    Under ETSI framework compliance assumes two things: compliance with
    the corresponding requirements plus certificate profile compliance.
    These two categories exist as separate documents (under their own
    ETSI IDs).<br>
    Ryan's proposal is definitely a  good step forward, I'd vote with my
    both hands if we go even further, and like ETSI, have separate BR/EV
    profile specifications.<br>
    <br>
    Thanks,<br>
    M.D.<br>
  </body>
</html>