<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<div class="moz-cite-prefix">Hi Richard,<br>
<br>
The <i>KeyUsage</i> bit combinations in my email were taken from
"Draft ETSI EN 319 412-2 V2.0.7 (2014-02)" which, as you know
well, is based on ETSI TS 102 280.<br>
<br>
The section 5.4.3 of the Draft addresses the security implications
including <i>KeyUsage</i> for QCs, which IMO is exactly what you
have correctly pointed out (see "<b>Security note:</b>").<br>
<br>
Hope this helped.<br>
<br>
Thanks,<br>
M.D.<br>
<br>
On 11/5/2014 3:59 PM, tScheme Technical Manager wrote:<br>
</div>
<blockquote
cite="mid:078301cff900$be29cb40$3a7d61c0$@trevorah@tScheme.org"
type="cite">
<meta http-equiv="Content-Type" content="text/html;
charset=ISO-8859-1">
<meta name="Generator" content="Microsoft Word 12 (filtered
medium)">
<style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:Tahoma;
panose-1:2 11 6 4 3 5 4 4 2 4;}
@font-face
{font-family:Consolas;
panose-1:2 11 6 9 2 2 4 3 2 4;}
@font-face
{font-family:Garamond;
panose-1:2 2 4 4 3 3 1 1 8 3;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0cm;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Times New Roman","serif";
color:black;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
p
{mso-style-priority:99;
mso-margin-top-alt:auto;
margin-right:0cm;
mso-margin-bottom-alt:auto;
margin-left:0cm;
font-size:12.0pt;
font-family:"Times New Roman","serif";
color:black;}
pre
{mso-style-priority:99;
mso-style-link:"HTML Preformatted Char";
margin:0cm;
margin-bottom:.0001pt;
font-size:10.0pt;
font-family:"Courier New";
color:black;}
p.MsoAcetate, li.MsoAcetate, div.MsoAcetate
{mso-style-priority:99;
mso-style-link:"Balloon Text Char";
margin:0cm;
margin-bottom:.0001pt;
font-size:8.0pt;
font-family:"Tahoma","sans-serif";
color:black;}
span.EmailStyle18
{mso-style-type:personal;
font-family:"Calibri","sans-serif";
color:#1F497D;
font-weight:normal;
font-style:normal;}
span.HTMLPreformattedChar
{mso-style-name:"HTML Preformatted Char";
mso-style-priority:99;
mso-style-link:"HTML Preformatted";
font-family:Consolas;
color:black;}
span.BalloonTextChar
{mso-style-name:"Balloon Text Char";
mso-style-priority:99;
mso-style-link:"Balloon Text";
font-family:"Tahoma","sans-serif";
color:black;}
span.EmailStyle23
{mso-style-type:personal-reply;
font-family:"Calibri","sans-serif";
color:#1F497D;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page WordSection1
{size:612.0pt 792.0pt;
margin:72.0pt 72.0pt 72.0pt 72.0pt;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
<div class="WordSection1">
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">Hi
Moudrick,<o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">I’ve
always recommended that in a ‘pure’ QC then only the NR bit
should be set – as per an email I received (via FESA a
number of years ago) regarding situation in Italy:<o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span
style="font-size:10.0pt;font-family:"Arial","sans-serif";color:green"
lang="TR">About your question, also in Italy is strictly
forbidden use the key pair for qualified electronic
signature for other purpose. I fully agree with the
technical explanation provided by Adam. I can add that to
avoid other uses, the qualified certificates used for 5.1
electronic signature MUST contains as "Keyusage" (id-ce 15)
only the "nonRepudiation bit on ", and the "extended key
usage" (id-ce 37) must NOT be coded. </span><span lang="TR"><o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:10.0pt;font-family:"Arial","sans-serif";color:green"
lang="TR">Finally, the qualified CA key pair used to
subscribe the end user QC cannot be used to subscribe other
kind of certificates which contain the "nonRepudiation bit
on" .</span><span lang="TR"><o:p></o:p></span></p>
<p class="MsoNormal"><span lang="TR"> <o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">This
was based AIUI on the risk that DS can be used for
Authentication and there is a threat that the nonce to be
signed turns out to be a contract!<o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">However,
as I said this was 7 years ago so maybe the Italian law has
changed since then!<o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">Although,
as it says in RFC3739: “ Combining the nonRepudiation bit in
the keyUsage certificate extension with other keyUsage bits
may have security implications depending on the context in
which the certificate is to be used.”<o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">Best
regards<o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">Richard<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt">------------------------------------<br>
Richard Trevorah<br>
Technical Manager<br>
tScheme Limited<br>
<br>
M: +44 (0) 781 809 4728<br>
F: +44 (0) 870 005 6311<br>
<br>
</span><span style="color:#1F497D"><a moz-do-not-send="true"
href="http://www.tscheme.org" target="_blank">http://www.tscheme.org</a><br>
</span>------------------------------------<br>
<br>
The information in this message and, if present, any
attachments are intended solely for the attention and use of
the named addressee(s). The content of this e-mail and its
attachments is confidential and may be legally privileged.
Unless otherwise stated, any use or disclosure is unauthorised
and may be unlawful.<br>
<br>
If you are not the intended recipient, please delete the
message and any attachments and notify the sender as soon as
practicable<span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<div>
<div style="border:none;border-top:solid #B5C4DF
1.0pt;padding:3.0pt 0cm 0cm 0cm">
<p class="MsoNormal"><b><span
style="font-size:10.0pt;font-family:"Tahoma","sans-serif";color:windowtext"
lang="EN-US">From:</span></b><span
style="font-size:10.0pt;font-family:"Tahoma","sans-serif";color:windowtext"
lang="EN-US"> <a class="moz-txt-link-abbreviated" href="mailto:public-bounces@cabforum.org">public-bounces@cabforum.org</a>
[<a class="moz-txt-link-freetext" href="mailto:public-bounces@cabforum.org">mailto:public-bounces@cabforum.org</a>] <b>On Behalf Of </b>Moudrick
M. Dadashov<br>
<b>Sent:</b> 03 November 2014 22:24<br>
<b>To:</b> Rick Andrews; Eddy Nigg; Brian Smith<br>
<b>Cc:</b> CABFPub<br>
<b>Subject:</b> Re: [cabfpub] (Eventually) requiring
id-kpServerAuth for all certs in the chain?<o:p></o:p></span></p>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<p class="MsoNormal">Rick,<br>
<br>
EKUs are normally used on EE certificates but QCs profile
doesn't use it.<br>
<br>
Below is the allowed KeyUsage bit combinations (just in
case) for signature certs:<br>
<br>
<span
style="font-family:"Garamond","serif"">NR
DS KE/KA</span> <o:p></o:p></p>
<p style="margin-bottom:0cm;margin-bottom:.0001pt"><span
style="font-family:"Garamond","serif""
lang="LT">+ - -</span><span lang="LT"><o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-family:"Garamond","serif"">+
+ -<br>
- + -<br>
- + +<br>
- - +<br>
+ + +</span> <br>
<br>
Thanks,<br>
M.D.<br>
<br>
On 11/4/2014 12:00 AM, Rick Andrews wrote:<o:p></o:p></p>
</div>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">Can
one of our European colleagues comment about Qualified
certs? I seem to recall that was the sticky point when we
last discussed this.</span><o:p></o:p></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"> </span><o:p></o:p></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">-Rick
</span><o:p></o:p></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"> </span><o:p></o:p></p>
<div>
<div style="border:none;border-top:solid #B5C4DF
1.0pt;padding:3.0pt 0cm 0cm 0cm">
<p class="MsoNormal" style="margin-left:36.0pt"><b><span
style="font-size:10.0pt;font-family:"Tahoma","sans-serif";color:windowtext">From:</span></b><span
style="font-size:10.0pt;font-family:"Tahoma","sans-serif";color:windowtext">
<a moz-do-not-send="true"
href="mailto:public-bounces@cabforum.org">public-bounces@cabforum.org</a>
[<a moz-do-not-send="true"
href="mailto:public-bounces@cabforum.org">mailto:public-bounces@cabforum.org</a>]
<b>On Behalf Of </b>Eddy Nigg<br>
<b>Sent:</b> Monday, November 03, 2014 1:45 PM<br>
<b>To:</b> Brian Smith<br>
<b>Cc:</b> CABFPub<br>
<b>Subject:</b> Re: [cabfpub] (Eventually) requiring
id-kpServerAuth for all certs in the chain?</span><o:p></o:p></p>
</div>
</div>
<p class="MsoNormal" style="margin-left:36.0pt"> <o:p></o:p></p>
<p class="MsoNormal" style="margin-left:36.0pt"> <o:p></o:p></p>
<div>
<p class="MsoNormal" style="margin-left:36.0pt">On
11/03/2014 11:36 PM, Brian Smith wrote:<o:p></o:p></p>
</div>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<div>
<div>
<div>
<p class="MsoNormal" style="margin-left:36.0pt">On
Mon, Nov 3, 2014 at 1:32 PM, Eddy Nigg <<a
moz-do-not-send="true"
href="mailto:eddy_nigg@startcom.org"
target="_blank">eddy_nigg@startcom.org</a>>
wrote:<o:p></o:p></p>
<div>
<p class="MsoNormal" style="margin-left:36.0pt"> <o:p></o:p></p>
<div>
<p class="MsoNormal" style="margin-left:36.0pt">On
11/03/2014 11:20 PM, Brian Smith wrote:<o:p></o:p></p>
</div>
<blockquote
style="margin-top:5.0pt;margin-bottom:5.0pt">
<div>
<div>
<div>
<p class="MsoNormal"
style="margin-left:36.0pt">2. Require the
revocation of any intermediate
certificates that do not have an EKU
extension or have an EKU extension with
anyExtendedKeyUsage and/or have an EKU
extension with id-kp-serverAuth.<o:p></o:p></p>
</div>
</div>
</div>
</blockquote>
<p class="MsoNormal" style="margin-left:36.0pt">You
must be joking, aren't you? :-)<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal" style="margin-left:36.0pt"> <o:p></o:p></p>
</div>
<div>
<p class="MsoNormal" style="margin-left:36.0pt">Sorry,
I omitted a qualifier: "...that do not conform to
the BRs (e.g. are not technically constrained or
publicly audited)."<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal" style="margin-left:36.0pt"> <o:p></o:p></p>
</div>
<div>
<p class="MsoNormal" style="margin-left:36.0pt">In
other words, require the revocation of CA
certificates that do not comply with the BRs, if
issued by a CA for which the BRs apply. Again,
this should already be the case.<o:p></o:p></p>
</div>
</div>
</div>
</div>
</blockquote>
<p class="MsoNormal"
style="mso-margin-top-alt:0cm;margin-right:0cm;margin-bottom:12.0pt;margin-left:36.0pt"><br>
Ah, that's something else :-)<br>
<br>
Thanks for confirming.<o:p></o:p></p>
<div>
<p class="MsoNormal" style="margin-left:36.0pt">-- <o:p></o:p></p>
<table class="MsoNormalTable" style="margin-left:36.0pt"
cellpadding="0" cellspacing="0" border="0">
<tbody>
<tr>
<td colspan="2" style="padding:0cm 0cm 0cm 0cm">
<p class="MsoNormal">Regards <o:p></o:p></p>
</td>
</tr>
<tr>
<td colspan="2" style="padding:0cm 0cm 0cm 0cm">
<p class="MsoNormal"> <o:p></o:p></p>
</td>
</tr>
<tr>
<td style="padding:0cm 0cm 0cm 0cm">
<p class="MsoNormal">Signer: <o:p></o:p></p>
</td>
<td style="padding:0cm 0cm 0cm 0cm">
<p class="MsoNormal">Eddy Nigg, COO/CTO<o:p></o:p></p>
</td>
</tr>
<tr>
<td style="padding:0cm 0cm 0cm 0cm">
<p class="MsoNormal"> <o:p></o:p></p>
</td>
<td style="padding:0cm 0cm 0cm 0cm">
<p class="MsoNormal"><a moz-do-not-send="true"
href="http://www.startcom.org">StartCom Ltd.</a><o:p></o:p></p>
</td>
</tr>
<tr>
<td style="padding:0cm 0cm 0cm 0cm">
<p class="MsoNormal">XMPP: <o:p></o:p></p>
</td>
<td style="padding:0cm 0cm 0cm 0cm">
<p class="MsoNormal"><a moz-do-not-send="true"
href="xmpp:startcom@startcom.org">startcom@startcom.org</a><o:p></o:p></p>
</td>
</tr>
<tr>
<td style="padding:0cm 0cm 0cm 0cm">
<p class="MsoNormal">Blog: <o:p></o:p></p>
</td>
<td style="padding:0cm 0cm 0cm 0cm">
<p class="MsoNormal"><a moz-do-not-send="true"
href="http://blog.startcom.org">Join the
Revolution!</a><o:p></o:p></p>
</td>
</tr>
<tr>
<td style="padding:0cm 0cm 0cm 0cm">
<p class="MsoNormal">Twitter: <o:p></o:p></p>
</td>
<td style="padding:0cm 0cm 0cm 0cm">
<p class="MsoNormal"><a moz-do-not-send="true"
href="http://twitter.com/eddy_nigg">Follow Me</a><o:p></o:p></p>
</td>
</tr>
<tr>
<td colspan="2" style="padding:0cm 0cm 0cm 0cm">
<p class="MsoNormal"> <o:p></o:p></p>
</td>
</tr>
</tbody>
</table>
<p class="MsoNormal" style="margin-left:36.0pt"><span
style="color:windowtext"> </span><o:p></o:p></p>
</div>
<p class="MsoNormal"><br>
<br>
<br>
<o:p></o:p></p>
<pre>_______________________________________________<o:p></o:p></pre>
<pre>Public mailing list<o:p></o:p></pre>
<pre><a moz-do-not-send="true" href="mailto:Public@cabforum.org">Public@cabforum.org</a><o:p></o:p></pre>
<pre><a moz-do-not-send="true" href="https://cabforum.org/mailman/listinfo/public">https://cabforum.org/mailman/listinfo/public</a><o:p></o:p></pre>
</blockquote>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
</blockquote>
<br>
</body>
</html>