<!DOCTYPE html>
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body>
<br>
<br>
<div class="moz-cite-prefix">On 16/5/2024 12:20 PM, Pedro FUENTES
wrote:<br>
</div>
<blockquote type="cite"
cite="mid:D7AAEDCE-2002-46A5-BABA-CB21C702F025@wisekey.com">
<meta http-equiv="content-type" content="text/html; charset=UTF-8">
Hello Dimitris,
<div>I’m following this closely as I find it very important.</div>
<div><br>
<div>About…</div>
<div>
<blockquote type="cite">
<div>This is easy to answer. Some use cases need
single-purpose client authentication certificates. There
are numerous use cases where client authentication
certificates are used for strong authentication, I'm sure
you are aware of such use cases. While client
authentication use cases can ALL be supported by
non-public CAs, there are some regulatory requirements
that demand such certificates be issued from an audited
and publicly-trusted CA. In fact, HARICA has participated
in public tenders where client authentication certificates
need to be issued from a CA that chains to Apple,
Microsoft and Mozilla Root Stores. Client authentication
certificates are asked for in addition to server TLS
certificates.</div>
</blockquote>
</div>
<div><br>
</div>
<div>I don’t know if you didn’t mention Chrome for a particular
reason, </div>
</div>
</blockquote>
<br>
No particular reason. It's just a relatively new Root Program
compared to others and I haven't bumped into a public tender that
requires it :)<br>
<br>
<blockquote type="cite"
cite="mid:D7AAEDCE-2002-46A5-BABA-CB21C702F025@wisekey.com">
<div>
<div>but actually that’s the Root program that makes me scratch
my head while reading these discussions… because AFAIK they
only include Roots for TLS serverAuth purposes, and not for
clientAuth. So (again AFAIK, I may be wrong) you can’t propose
clientAuth-only certs that work in Chrome unless these come
from a Root that is included for TLS serverAuth.</div>
</div>
</blockquote>
<br>
AFAIK Apple and Mozilla also don't have a specific "trust bit" for
Client Authentication. Only Microsoft does.<br>
<br>
<blockquote type="cite"
cite="mid:D7AAEDCE-2002-46A5-BABA-CB21C702F025@wisekey.com">
<div>
<div><br>
</div>
<div>Apart from that, just to say that my current understanding is
that the BR as they are today don’t allow the issuance of
these certificates, </div>
</div>
</blockquote>
<br>
Sure, but that's not what we are discussing here. We are looking at
whether this was done "on purpose" or "by accident".<br>
<br>
<blockquote type="cite"
cite="mid:D7AAEDCE-2002-46A5-BABA-CB21C702F025@wisekey.com">
<div>
<div>so maybe it’s more pragmatic to assume the status quo, and
focus the discussion on whether the BR should be modified to
implicitly or explicitly allow this.</div>
</div>
</blockquote>
<br>
I don't want to assume the status quo is here to stay without a
confirmation that the current rules are intended to be this way. If
they were not intended and there is no opposition to keeping this
restriction, fine. We will just add some language to clarify this.<br>
<br>
If there is opposition and CAs want to allow the right to issue
clientAuth Certificates from serverTLS issuing CAs, then we need to
discuss more. I'm not sure if there are any other options.<br>
<br>
<br>
Dimitris.<br>
<br>
<blockquote type="cite"
cite="mid:D7AAEDCE-2002-46A5-BABA-CB21C702F025@wisekey.com">
<div>
<div><br>
</div>
<div>Just my two cents…</div>
<div><br>
</div>
<div>P <br id="lineBreakAtBeginningOfMessage">
<div><br>
</div>
<br>
<div>
<meta charset="UTF-8">
<div dir="auto"
style="text-align: start; text-indent: 0px; word-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;">
<div dir="auto"
style="text-align: start; text-indent: 0px; word-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;">
<div dir="auto"
style="text-align: start; text-indent: 0px; word-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;">
<div
style="text-align: start; text-indent: 0px; word-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;">
<div
style="text-align: start; text-indent: 0px; word-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;">
<div
style="text-align: start; text-indent: 0px; word-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;">
<div
style="text-align: start; text-indent: 0px; word-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;">
<div
style="text-align: start; text-indent: 0px; word-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;">
<div
style="text-align: start; text-indent: 0px; word-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;">
<div
style="text-align: start; text-indent: 0px; word-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;"><font
style="caret-color: rgb(0, 0, 0); color: rgb(0, 0, 0); letter-spacing: normal; text-transform: none; white-space: normal; word-spacing: 0px; text-decoration: none; -webkit-text-stroke-width: 0px; font-size: 12px; font-style: normal; font-variant-ligatures: normal; font-variant-position: normal; font-variant-caps: normal; font-variant-numeric: normal; font-variant-alternates: normal; font-variant-east-asian: normal; font-weight: normal; line-height: normal; text-align: start; text-indent: 0px;"><b><font
style="font-size: 11px;"
color="#f62400"><br
class="Apple-interchange-newline">
WISeKey SA<br>
</font></b></font>
<div
style="caret-color: rgb(0, 0, 0); color: rgb(0, 0, 0); letter-spacing: normal; text-transform: none; white-space: normal; word-spacing: 0px; text-decoration: none; -webkit-text-stroke-width: 0px; font-variant-ligatures: normal; font-variant-position: normal; font-variant-caps: normal; font-variant-numeric: normal; font-variant-alternates: normal; font-variant-east-asian: normal; line-height: normal; text-align: start; text-indent: 0px;"><font
style="color: rgb(0, 0, 0); font-size: 12px; font-weight: normal; font-style: normal;"><span
style="font-size: 11px;"><b>Pedro
Fuentes<br>
</b>CSO - Trust Services Manager</span><br>
<font size="1">Office: + 41 (0) 22
594 30 00<br>
Mobile: + 41 (0) </font></font><span
style="color: rgb(0, 0, 0); font-size: x-small; font-weight: normal; font-style: normal;">791
274 790</span></div>
<div
style="font-variant-ligatures: normal; font-variant-position: normal; font-variant-numeric: normal; font-variant-alternates: normal; font-variant-east-asian: normal; line-height: normal; text-align: start; text-indent: 0px;"><font
style="caret-color: rgb(0, 0, 0); color: rgb(0, 0, 0); font-size: 12px; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; text-transform: none; white-space: normal; word-spacing: 0px; text-decoration: none; -webkit-text-stroke-width: 0px;"><font
size="1">Address: </font></font><font
size="1">Avenue Louis-Casaï 58 | </font><span
style="font-size: x-small;">1216
Cointrin | Switzerland</span></div>
<div
style="font-variant-ligatures: normal; font-variant-position: normal; font-variant-numeric: normal; font-variant-alternates: normal; font-variant-east-asian: normal; line-height: normal; text-align: start; text-indent: 0px;"><font><font
style="caret-color: rgb(0, 0, 0); color: rgb(0, 0, 0); font-size: 12px; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; text-transform: none; white-space: normal; word-spacing: 0px; text-decoration: none; -webkit-text-stroke-width: 0px;"
size="1"><b>Stay connected with <a
href="http://www.wisekey.com"
moz-do-not-send="true"><font
color="#f62400">WISeKey</font></a><br>
</b></font></font><span
style="caret-color: rgb(0, 0, 0); color: rgb(169, 169, 169); font-size: 10px; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; text-transform: none; white-space: normal; word-spacing: 0px; text-decoration: none; -webkit-text-stroke-width: 0px; orphans: 2; widows: 2;"><br>
</span></div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
<br>
</div>
</div>
</blockquote>
<br>
</body>
</html>