<html>
  <head>
    <meta content="text/html; charset=ISO-8859-1"
      http-equiv="Content-Type">
  </head>
  <body bgcolor="#FFFFFF" text="#000000">
    <div class="moz-cite-prefix">On 1/3/2014 9:32 PM, Jeremy Rowley
      wrote:<br>
    </div>
    <blockquote cite="mid:015301cf08ba$9a6ae630$cf40b290$@digicert.com"
      type="cite">
      <div class="WordSection1">
        <p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">Sorry
            – I got the discussion a bit off-track. </span><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">The
            issue is not whether domain names are vetted, but the fact
            that the BRs do not clearly define what certs are covered. 
            There is a significant gray area on when certificates are
            exempt from the BRs.<o:p></o:p></span></p>
        <p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
        <p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">If
            requiring the BR/EV OID is not a possibility, I’d define the
            scope as any certificate that either (i) specifies a domain
            name in the CN field or subjectAltName extension and
            includes the anyEKU or serverAuth or omits an EKU or (ii) is
            intended to enable SSL/TLS, as evidenced by inclusion of the
            serverAuth EKU.  <o:p></o:p></span></p>
        <p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
      </div>
    </blockquote>
    Once again, relying on the BR/EV OID would be a really good solution.<br>
    <br>
    Jeremy, to my understanding, RFC 5280 accepts anyEKU only in
    combination with another EKU, not as the only EKU:<br>
    <br>
    <blockquote>
      <p>“Certificates using applications MAY require that the extended key
        usage extension be present and that a particular purpose be
        indicated in order for the certificate to be acceptable to that
        application.</p>
      <p>If a CA includes extended key usages to satisfy such
        applications, but does not wish to restrict usages of the key, the
        CA can include the special KeyPurposeId anyExtendedKeyUsage ***in
        addition to the particular key purposes required by the
        applications***.”</p>
    </blockquote>
    So based on this:<br>
    SSL server := SAN + serverAuth + [anyEKU + EKU]<br>
    SSL client := [SAN] + clientAuth + [anyEKU + EKU]<br>
    <br>
    Thanks,<br>
    M.D.<br>
    <br>
    <blockquote cite="mid:015301cf08ba$9a6ae630$cf40b290$@digicert.com"
      type="cite">
      <div class="WordSection1">
        <p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">Although
            the definition needs word smithing, it captures the
            certificates of primary concern (those containing domain
            names) without excluding internal server name certs.
            Thoughts?<o:p></o:p></span></p>
        <p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
        <p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">Jeremy<o:p></o:p></span></p>
        <p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
        <div>
          <div style="border:none;border-top:solid #B5C4DF
            1.0pt;padding:3.0pt 0in 0in 0in">
            <p class="MsoNormal"><b><span
style="font-size:10.0pt;font-family:"Tahoma","sans-serif";color:windowtext">From:</span></b><span
style="font-size:10.0pt;font-family:"Tahoma","sans-serif";color:windowtext">
                Brown, Wendy (10421) [<a class="moz-txt-link-freetext" href="mailto:wendy.brown@protiviti.com">mailto:wendy.brown@protiviti.com</a>]
                <br>
                <b>Sent:</b> Friday, January 03, 2014 12:08 PM<br>
                <b>To:</b> Jeremy Rowley; 'Mads Egil Henriksveen';
                'Moudrick M. Dadashov'; <a class="moz-txt-link-abbreviated" href="mailto:public@cabforum.org">public@cabforum.org</a><br>
                <b>Subject:</b> RE: [cabfpub] Definition of an SSL
                certificate<o:p></o:p></span></p>
          </div>
        </div>
        <p class="MsoNormal"><o:p> </o:p></p>
        <p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">The
            requirement to verify is in the CP – the details of How goes
            in the CPS.<o:p></o:p></span></p>
        <p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
        <div>
          <div style="border:none;border-top:solid #B5C4DF
            1.0pt;padding:3.0pt 0in 0in 0in">
            <p class="MsoNormal"><b><span
style="font-size:10.0pt;font-family:"Tahoma","sans-serif";color:windowtext">From:</span></b><span
style="font-size:10.0pt;font-family:"Tahoma","sans-serif";color:windowtext">
                Jeremy Rowley [<a moz-do-not-send="true"
                  href="mailto:jeremy.rowley@digicert.com">mailto:jeremy.rowley@digicert.com</a>]
                <br>
                <b>Sent:</b> Friday, January 03, 2014 2:03 PM<br>
                <b>To:</b> Brown, Wendy (10421); 'Mads Egil
                Henriksveen'; 'Moudrick M. Dadashov'; <a
                  moz-do-not-send="true"
                  href="mailto:public@cabforum.org">public@cabforum.org</a><br>
                <b>Subject:</b> RE: [cabfpub] Definition of an SSL
                certificate<o:p></o:p></span></p>
          </div>
        </div>
        <p class="MsoNormal"><o:p> </o:p></p>
        <p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">Thanks
            Wendy for the clarification.  However, I didn’t see anything
            specifying how the CA is supposed to verify the domain.  <o:p></o:p></span></p>
        <p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
        <div>
          <div style="border:none;border-top:solid #B5C4DF
            1.0pt;padding:3.0pt 0in 0in 0in">
            <p class="MsoNormal"><b><span
style="font-size:10.0pt;font-family:"Tahoma","sans-serif";color:windowtext">From:</span></b><span
style="font-size:10.0pt;font-family:"Tahoma","sans-serif";color:windowtext">
                Brown, Wendy (10421) [<a moz-do-not-send="true"
                  href="mailto:wendy.brown@protiviti.com">mailto:wendy.brown@protiviti.com</a>]
                <br>
                <b>Sent:</b> Friday, January 03, 2014 11:55 AM<br>
                <b>To:</b> Jeremy Rowley; 'Mads Egil Henriksveen';
                'Moudrick M. Dadashov'; <a moz-do-not-send="true"
                  href="mailto:public@cabforum.org">public@cabforum.org</a><br>
                <b>Subject:</b> RE: [cabfpub] Definition of an SSL
                certificate<o:p></o:p></span></p>
          </div>
        </div>
        <p class="MsoNormal"><o:p> </o:p></p>
        <p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">The
            FBCA and Common Policy CPs actually require all information
            included in a certificate to be verified – so that would
            include any domain names, see 3.2.4.<o:p></o:p></span></p>
        <p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
        <p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">Thanks,<o:p></o:p></span></p>
        <p class="MsoNormal"><span
            style="font-size:11.0pt;font-family:"Segoe
            Script","sans-serif";color:#1F497D">Wendy<o:p></o:p></span></p>
        <p class="MsoNormal"><span
            style="font-size:11.0pt;font-family:"Segoe
            Script","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
        <p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">Wendy
            Brown<o:p></o:p></span></p>
        <p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">FPKIMA
            Technical Liaison<o:p></o:p></span></p>
        <p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">Protiviti
            Government Services<o:p></o:p></span></p>
        <p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">703-299-4705
            (office)    703-965-2990 (cell)<o:p></o:p></span></p>
        <p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
        <p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><a
              moz-do-not-send="true" href="mailto:wendy.brown@fpki.gov">wendy.brown@fpki.gov</a><o:p></o:p></span></p>
        <p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><a
              moz-do-not-send="true"
              href="mailto:wendy.brown@protiviti.com">wendy.brown@protiviti.com</a><o:p></o:p></span></p>
        <p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
        <p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
        <p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
        <div>
          <div style="border:none;border-top:solid #B5C4DF
            1.0pt;padding:3.0pt 0in 0in 0in">
            <p class="MsoNormal"><b><span
style="font-size:10.0pt;font-family:"Tahoma","sans-serif";color:windowtext">From:</span></b><span
style="font-size:10.0pt;font-family:"Tahoma","sans-serif";color:windowtext">
                <a moz-do-not-send="true"
                  href="mailto:public-bounces@cabforum.org">public-bounces@cabforum.org</a>
                [<a moz-do-not-send="true"
                  href="mailto:public-bounces@cabforum.org">mailto:public-bounces@cabforum.org</a>]
                <b>On Behalf Of </b>Jeremy Rowley<br>
                <b>Sent:</b> Friday, January 03, 2014 11:19 AM<br>
                <b>To:</b> 'Mads Egil Henriksveen'; 'Moudrick M.
                Dadashov'; <a moz-do-not-send="true"
                  href="mailto:public@cabforum.org">public@cabforum.org</a><br>
                <b>Subject:</b> Re: [cabfpub] Definition of an SSL
                certificate<o:p></o:p></span></p>
          </div>
        </div>
        <p class="MsoNormal"><o:p> </o:p></p>
        <p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">Many
            of the trusted QC issuers (and other community issuers) are
            not involved in the CAB Forum.  Although you are aware of
            the requirements, I don’t think this knowledge is global. 
            For example, I don’t think the NIST CP or FBCA CP ever
            mentions domain validation. A CA following either CP for
            client certs wouldn’t necessarily validate an included
            domain.<o:p></o:p></span></p>
        <p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
        <p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">Jeremy<o:p></o:p></span></p>
        <p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
        <div>
          <div style="border:none;border-top:solid #B5C4DF
            1.0pt;padding:3.0pt 0in 0in 0in">
            <p class="MsoNormal"><b><span
style="font-size:10.0pt;font-family:"Tahoma","sans-serif";color:windowtext">From:</span></b><span
style="font-size:10.0pt;font-family:"Tahoma","sans-serif";color:windowtext">
                <a moz-do-not-send="true"
                  href="mailto:public-bounces@cabforum.org">public-bounces@cabforum.org</a>
                [<a moz-do-not-send="true"
                  href="mailto:public-bounces@cabforum.org">mailto:public-bounces@cabforum.org</a>]
                <b>On Behalf Of </b>Mads Egil Henriksveen<br>
                <b>Sent:</b> Friday, January 03, 2014 4:52 AM<br>
                <b>To:</b> Moudrick M. Dadashov; Jeremy Rowley; <a
                  moz-do-not-send="true"
                  href="mailto:public@cabforum.org">public@cabforum.org</a><br>
                <b>Subject:</b> Re: [cabfpub] Definition of an SSL
                certificate<o:p></o:p></span></p>
          </div>
        </div>
        <p class="MsoNormal"><o:p> </o:p></p>
        <p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">Hi
            Moudrick<o:p></o:p></span></p>
        <p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
        <p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">There
            might not be a real use case for including a domain name in
            a QC, but as a trusted CA we take the responsibility for the
            accuracy of information in all certs we issue. And that was
            my point and why I am not very concerned about the described
            attack scenario.  <o:p></o:p></span></p>
        <p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
        <p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">Regards<o:p></o:p></span></p>
        <p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">Mads<o:p></o:p></span></p>
        <p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
        <div>
          <div style="border:none;border-top:solid #B5C4DF
            1.0pt;padding:3.0pt 0in 0in 0in">
            <p class="MsoNormal"><b><span
style="font-size:10.0pt;font-family:"Tahoma","sans-serif";color:windowtext">From:</span></b><span
style="font-size:10.0pt;font-family:"Tahoma","sans-serif";color:windowtext">
                <a moz-do-not-send="true"
                  href="mailto:public-bounces@cabforum.org">public-bounces@cabforum.org</a>
                [<a moz-do-not-send="true"
                  href="mailto:public-bounces@cabforum.org">mailto:public-bounces@cabforum.org</a>]
                <b>On Behalf Of </b>Moudrick M. Dadashov<br>
                <b>Sent:</b> 3 January 2014 11:51<br>
                <b>To:</b> Mads Egil Henriksveen; Jeremy Rowley; <a
                  moz-do-not-send="true"
                  href="mailto:public@cabforum.org">public@cabforum.org</a><br>
                <b>Subject:</b> Re: [cabfpub] Definition of an SSL
                certificate<o:p></o:p></span></p>
          </div>
        </div>
        <p class="MsoNormal"><span lang="NO-BOK"><o:p> </o:p></span></p>
        <div>
          <p class="MsoNormal"><span lang="NO-BOK">Mads,<br>
              <br>
              On 1/3/2014 11:49 AM, Mads Egil Henriksveen wrote:<o:p></o:p></span></p>
        </div>
        <blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
          <p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"> </span><span
              lang="NO-BOK"><o:p></o:p></span></p>
          <p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">The
              attack scenario assumes that the QC can be chained to a
              root cert in a trusted CA root store. This means that the
              CA should know the root store requirements and should be
              aware of the risk issuing any cert that could be used as
              an SSL certificate. </span><span lang="NO-BOK"><o:p></o:p></span></p>
          <p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"> </span><span
              lang="NO-BOK"><o:p></o:p></span></p>
          <p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">Buypass
              do issue both QC and SSL certificates and with the
              DigiNotar attack back in 2011 we realized that the
              browsers do accept a lot of certificates as SSL
              certificates. Since then we have had strict controls to
              ensure that no certificate is issued with an unverified
              domain name. I guess most of the trusted QC issuers who
              also issue SSL certificates are aware of this, I would not
              be very concerned about this attack scenario. </span><span
              lang="NO-BOK"><o:p></o:p></span></p>
        </blockquote>
        <p class="MsoNormal" style="margin-bottom:12.0pt"><span
            lang="NO-BOK">What is the use case when in a QC we'd need a
            [any/unverified] domain name? (aren't CAs responsible for
            the accuracy of information in the QCs they issue?). <o:p></o:p></span></p>
        <p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"> </span><span
            lang="NO-BOK"><o:p></o:p></span></p>
        <p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">However,
            I do support the idea of a technical definition of an SSL
            certificate and I like the proposal from Ryan Hurst
            requiring the BR/EV OIDs. </span><span lang="NO-BOK"><o:p></o:p></span></p>
        <p class="MsoNormal"><span lang="NO-BOK">Under ETSI framework
            compliance assumes two things: compliance with the
            corresponding requirements plus certificate profile
            compliance. These two categories exist as separate documents
            (under their own ETSI IDs).<br>
            Ryan's proposal is definitely a good step forward; I'd vote
            with both my hands if we go even further and, like ETSI,
            have separate BR/EV profile specifications.<br>
            <br>
            Thanks,<br>
            M.D.<o:p></o:p></span></p>
      </div>
    </blockquote>
    <br>
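<p>As an added example that is not part of this thread, the Python below encodes Jeremy's proposed scope test (prong (i): a domain name in the CN or subjectAltName plus anyEKU, serverAuth or no EKU at all; prong (ii): serverAuth present) alongside the RFC 5280 point M.D. raises, flagging anyExtendedKeyUsage that appears without a particular key purpose. The <code>CertFields</code> model, the <code>looks_like_domain_name</code> heuristic and all sample values are constructed for illustration, not taken from any CA's code.</p>

```python
"""Scope classifier for the proposed BR definition of an SSL certificate (constructed example)."""
from dataclasses import dataclass, field
from typing import List, Optional
import ipaddress
import re

# Extended Key Usage OIDs from RFC 5280 section 4.2.1.12
SERVER_AUTH = "1.3.6.1.5.5.7.3.1"
CLIENT_AUTH = "1.3.6.1.5.5.7.3.2"
ANY_EKU = "2.5.29.37.0"          # anyExtendedKeyUsage


@dataclass
class CertFields:
    """Constructed model of the only fields the proposed definition looks at."""
    common_name: Optional[str] = None                 # subject CN, if present
    san_dns: List[str] = field(default_factory=list)  # dNSName entries of subjectAltName
    ekus: Optional[List[str]] = None                  # None means the EKU extension is omitted


_LABEL = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")


def looks_like_domain_name(value: str) -> bool:
    """Heuristic: DNS-style name (single-label internal names and wildcards count), not an IP or e-mail."""
    if not value or "@" in value:
        return False
    try:
        ipaddress.ip_address(value)
        return False                     # an IP address literal is not a domain name
    except ValueError:
        pass
    labels = value.rstrip(".").split(".")
    if labels and labels[0] == "*":      # wildcard: judge the remaining labels
        labels = labels[1:]
    return bool(labels) and all(_LABEL.match(label) for label in labels)


def names_a_domain(c: CertFields) -> bool:
    """First half of prong (i): a domain name in the CN field or in subjectAltName."""
    in_san = any(looks_like_domain_name(n) for n in c.san_dns)
    in_cn = c.common_name is not None and looks_like_domain_name(c.common_name)
    return in_san or in_cn


def in_br_scope(c: CertFields) -> bool:
    """Proposed scope: (i) domain name + (anyEKU | serverAuth | EKU omitted), or (ii) serverAuth present."""
    if c.ekus is not None and SERVER_AUTH in c.ekus:
        return True                      # prong (ii): intended for TLS, regardless of names
    if not names_a_domain(c):
        return False                     # no domain name: prong (i) cannot apply
    return c.ekus is None or ANY_EKU in c.ekus


def any_eku_stands_alone(c: CertFields) -> bool:
    """RFC 5280 caveat: anyExtendedKeyUsage present without any particular key purpose beside it."""
    return c.ekus is not None and ANY_EKU in c.ekus and not (set(c.ekus) - {ANY_EKU})


if __name__ == "__main__":
    samples = {                          # constructed certificates, not real issuances
        "QC, domain in CN, clientAuth only": CertFields("example.com", ekus=[CLIENT_AUTH]),
        "domain in CN, no EKU at all": CertFields("example.com"),
        "internal server name, anyEKU alone": CertFields(san_dns=["intranet-server"], ekus=[ANY_EKU]),
        "person cert with serverAuth": CertFields("John Doe", ekus=[SERVER_AUTH, CLIENT_AUTH]),
    }
    for label, cert in samples.items():
        print(f"{label}: in scope={in_br_scope(cert)}, anyEKU alone={any_eku_stands_alone(cert)}")
```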
  </body>
</html>