[cabfpub] Agenda Items for Next Call

Erwann Abalea erwann.abalea at keynectis.com
Thu Nov 21 11:01:47 MST 2013


Hello Iñigo,

Are you proposing to change the CABF membership rules to have the forum 
open to CAs that don't produce certificates defined by the forum and 
used by browsers? Being in the process for a browser inclusion doesn't 
imply that the process will succeed.

More specifically on the French TSL (easier for me to read):

  * the TSL is available at
    http://references.modernisation.gouv.fr/sites/default/files/TSL-FR.xml
  * it references https://references.modernisation.gouv.fr/fr and
    https://references.modernisation.gouv.fr/en for scheme information
  * those texts are not equivalent; the French one states that only
    RGS-certified CSPs are acceptable, the English one accepts CSPs issuing
    non-Qualified certificates without listing the acceptable approval
    schemes
  * the TSL contains a legal notice: "The applicable legal framework
    for the present TSL implementation of the Trusted List of
    supervised/accredited Certification Service Providers for FRANCE is
    the Directive 1999/93/EC of the European Parliament and of the
    Council of 13 December 1999 on a Community framework for electronic
    signatures and its implementation in FRANCE laws. Its applicable
    legal framework under FRANCE laws is the ordinance 2005-1516 and the
    General Security Frame (RGS) decree", again referring to the RGS scheme

Ok, maybe the French TSL scheme is particularly not clear.

Let's have a look at the Spanish one; there are more people in it. But it 
also contains 4 CA certificates for 3 different entities with a 1024-bit 
RSA key, to deliver Qualified certificates. Should these entities be 
accepted as CABF members? Should we trust the government agency 
responsible for TSL emission?

Let's look at the German one. It's not XML-signed, but comes as a zip 
file containing the XML file, a detached timestamp, and the TSC. Thus 
this list isn't authenticated, and was downloaded from a cleartext link. 
This TSL contains a lot of CAs; the large majority of them have expired, 
and maybe 40% of them have 1024-bit keys. Same questions.

This isn't exhaustive.

-- 
Erwann ABALEA
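The checks Erwann describes running over the Spanish and German lists (CA certificates with 1024-bit RSA keys, expired CA certificates), as an added example in Go that is not part of the original thread: it walks the ETSI TS 102 231 TSL layout with the standard library and reports each offending certificate. The two-provider sample list and its self-signed roots are constructed here and are not taken from any national TSL.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"encoding/xml"
	"fmt"
	"math/big"
	"strings"
	"time"
)
// Only the path through the ETSI TS 102 231 layout to each listed certificate; a tag without a namespace also matches the document's default xmlns.
type tsl struct{ Certs []string `xml:"TrustServiceProviderList>TrustServiceProvider>TSPServices>TSPService>ServiceInformation>ServiceDigitalIdentity>DigitalId>X509Certificate"` }
// auditTSL reports each listed certificate that is expired at `now` or has an RSA modulus shorter than minBits; a malformed entry aborts with an error rather than being skipped.
func auditTSL(doc []byte, now time.Time, minBits int) (issues []string, err error) {
	var t tsl
	if err = xml.Unmarshal(doc, &t); err != nil {
		return nil, err
	}
	for _, b64 := range t.Certs {
		der, _ := base64.StdEncoding.DecodeString(strings.Join(strings.Fields(b64), "")) // lists often wrap the base64
		c, err := x509.ParseCertificate(der) // a bad base64 entry leaves truncated DER, which fails here
		if err != nil {
			return nil, fmt.Errorf("certificate entry: %w", err)
		}
		if now.After(c.NotAfter) {
			issues = append(issues, c.Subject.CommonName+": expired "+c.NotAfter.UTC().Format("2006-01-02"))
		}
		if k, ok := c.PublicKey.(*rsa.PublicKey); ok && k.N.BitLen() < minBits {
			issues = append(issues, fmt.Sprintf("%s: RSA key only %d bits", c.Subject.CommonName, k.N.BitLen()))
		}
	}
	return issues, nil
}
// caCert returns a constructed self-signed CA certificate (base64 DER) for the sample list below.
func caCert(cn string, bits int, notAfter time.Time) string {
	key, _ := rsa.GenerateKey(rand.Reader, bits)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn}, NotBefore: notAfter.AddDate(-5, 0, 0), NotAfter: notAfter, IsCA: true, BasicConstraintsValid: true}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	return base64.StdEncoding.EncodeToString(der)
}
const entry = `<TrustServiceProvider><TSPServices><TSPService><ServiceInformation><ServiceDigitalIdentity><DigitalId><X509Certificate>%s</X509Certificate></DigitalId></ServiceDigitalIdentity></ServiceInformation></TSPService></TSPServices></TrustServiceProvider>`
// sampleTSL is a constructed two-provider list, not any real national TSL: one 1024-bit root and one expired root.
func sampleTSL(now time.Time) []byte {
	return []byte(fmt.Sprintf(`<TrustServiceStatusList xmlns="http://uri.etsi.org/02231/v2#"><TrustServiceProviderList>`+strings.Repeat(entry, 2)+`</TrustServiceProviderList></TrustServiceStatusList>`,
		caCert("Constructed Weak Root", 1024, now.AddDate(3, 0, 0)), caCert("Constructed Old Root", 2048, now.AddDate(-1, 0, 0))))
}
```

Pointing auditTSL at a downloaded national list instead of sampleTSL gives the same per-certificate report; it says nothing about whether the list itself is signed, which is a separate check.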

On 20/11/2013 13:32, i-barreira at izenpe.net wrote:
>
> Erwann, Richard, all,
>
> I think I didn't explain myself clearly, or at least not the intention.
>
> What I meant is that for those CAs that are waiting to be included in 
> the browser root programs and want to be a member of the CABF, they 
> can apply indicating that they belong to their national TL, that 
> is it. So, they can sign the IPR, they have the audit certifications 
> in place, etc. but are waiting to be included in the root program and 
> are already in the TL; then the CABF could consider this option.
>
> I didn't mean the audit requirements for the "qualified" web site 
> certificates when the regulation comes into effect, as Richard says, and 
> not what kind of services you're providing (qualified or not).
>
> Regarding the trusted lists, the EU MS TLs are publicly available so 
> anybody can check which TSP is listed for which type of services in 
> each MS TL. There are some tools to do that.
>
> OTOH, as far as I know the French list is listing not only the CA/QC 
> services but also CA/PKC and TSA services which are approved against 
> the French national approval scheme (RGS & TS 101 456 / TS 102 042 
> approval).
>
> I think the French TL works like this:
>
>   + only certified CA by an accredited auditor can ask to be included 
>     in TL
>
>   + CA must do an application to SGMAP (French body) to be included 
>     in TL.
>
>   + audit report must be sent to SGMAP.
>
>   + level can be 102 042 / 101 456 / RGS (1, 2, 3 stars) / French law 
>     on QES
>
> If you are certified RGS 1 or 2 stars CA, you can also claim for 
> 102 042 in TL.
>
> If you are certified RGS 3 stars or French law on qualified signature 
> you can also claim for 101 456 in TL.
>
> You can be only ETSI TS and not RGS, and then claim only TS status.
>
> Regards
>
> *Iñigo Barreira*
> Head of the Technical Area
> i-barreira at izenpe.net <mailto:i-barreira at izenpe.net>
>
> 945067705
>
>
> WARNING! Part or all of this message may be legally protected. The 
> message has its intended recipient. If it has reached the wrong address 
> (address mistyped, transmission failure), notify the sender by replying 
> to this e-mail. BE CAREFUL!
> ATTENTION! This message contains privileged or confidential information 
> to which only the addressee is entitled to have access. If you receive it 
> by mistake, we would be grateful if you did not make use of the 
> information and got in touch with the sender.
>
> *From:* tScheme Technical Manager [mailto:richard.trevorah at tScheme.org]
> *Sent:* Wednesday, 20 November 2013 12:09
> *To:* Barreira Iglesias, Iñigo; ben at digicert.com
> *CC:* public at cabforum.org
> *Subject:* RE: [cabfpub] Agenda Items for Next Call
>
> Hi Iñigo,
>
> I think that this is a bit premature; there is still not an agreed 
> draft for the complete revised Regulation -- let alone the scope and 
> timescale for any Implementing Acts.
>
> When there is an agreed definition and audit process for providers of 
> Qualified Certificates for Website Authentication, then that would be 
> the time for discussion as to how they need to be reflected in the 
> CA/Browser Forum's processes.
>
> Best regards
>
> Richard
>
> ------------------------------------
> Richard Trevorah
> Technical Manager
> tScheme Limited
>
> M: +44 (0) 781 809 4728
> F: +44 (0) 870 005 6311
>
> http://www.tscheme.org
> ------------------------------------
>
> The information in this message and, if present, any attachments are 
> intended solely for the attention and use of the named addressee(s). 
> The content of this e-mail and its attachments is confidential and may 
> be legally privileged. Unless otherwise stated, any use or disclosure 
> is unauthorised and may be unlawful.
>
> If you are not the intended recipient, please delete the message and 
> any attachments and notify the sender as soon as practicable
>
> *From:*public-bounces at cabforum.org 
> [mailto:public-bounces at cabforum.org] *On Behalf Of *i-barreira at izenpe.net
> *Sent:* 20 November 2013 10:09
> *To:* ben at digicert.com; public at cabforum.org
> *Subject:* Re: [cabfpub] Agenda Items for Next Call
>
> Hi Ben,
>
> I'd like to update/modify the requirements for new applications, at 
> least for EU CAs, and incorporate the evidence of being part of their 
> country TSL according to the new implementing act of the commission. I 
> think it's a minor change and won't affect the EU (or from some other 
> countries) applicants.
>
> Should I propose a ballot? Do I need to send more info?
>
> Regards
>
> *Iñigo Barreira*
> Head of the Technical Area
> i-barreira at izenpe.net <mailto:i-barreira at izenpe.net>
>
> 945067705
>
>
> *From:* public-bounces at cabforum.org <mailto:public-bounces at cabforum.org> 
> [mailto:public-bounces at cabforum.org] *On Behalf Of *Ben Wilson
> *Sent:* Wednesday, 20 November 2013 0:22
> *To:* public at cabforum.org <mailto:public at cabforum.org>
> *Subject:* [cabfpub] Agenda Items for Next Call
>
> Here are some potential discussion items for this Thursday's call:
>
> Discussion of Microsoft's SHA1 Announcement, Certificate lifetimes, 
> SHA2 support, etc.
>
> Report on status of Ballot 89 (EV Processing)
>
> Discuss Ballot 107 (Remove specific references)
>
> Discuss Bylaw Revisions and potential ballot (11/18 email from Gerv)
>
> Membership applications
>
> Report from Code Signing Working Group
>
> Review of Web Site
>
> Please let me know if you have any to add.
>
>
> Thanks,
>
> Ben
>
>
>
> _______________________________________________
> Public mailing list
> Public at cabforum.org
> https://cabforum.org/mailman/listinfo/public
