[cabfpub] Agenda Items for Next Call

i-barreira at izenpe.net i-barreira at izenpe.net
Fri Nov 22 02:43:37 MST 2013


Gooooood morning,

 

What I'm proposing is to have another reliable trust source for admitting a CA as a member of the CABF other than the browser root stores, or at least in the meantime while they're applying to be included in these root stores. I'm not proposing to change any of the other requisites like certifications, samples, etc.

 

Regarding the use of the TSL, well, it's something that has been dealt with in the CABF at some point, it's something that worries some of the non-EU CAs that work in the EU when the new regulation goes live in spring next year, it's something that some root store providers are considering including in their own programs (they can save resources if someone else does it for them, at least for the European CAs) and finally it's something that is in the law and mandatory (at least for qualified services).

 

I think that it's not a big deal to say in the membership requirements criteria that those European CAs (and there are some from other countries, as you can check in your house) include the TL in which they are listed (and we can add that they also prove that they are requesting inclusion in the browser root program).

 

Regarding the TSL, I can admit that it is not "easy" to follow and that depending on the country the difficulties are higher; for example, the Italian, German and Spanish TLs are the biggest and OTOH you can have Malta, Cyprus, etc. which have only one page, and this is something that was mentioned in the last ENISA workshop in Brussels, which some of the CABF members attended. And regarding the SSL/TLS certs, well, at the moment these are "non-qualified" services and then it's not mandatory to be included in the country's TL but voluntary (in Spain they are not included but in France they are). In any case, things are going to change and here you can have the "implementing act" regarding the TSL, approved and to be applied in the EU by February 2014.

 

http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=OJ:L:2013:306:0021:0039:EN:PDF

 

Regards

 

 

Iñigo Barreira
Head of the Technical Area
i-barreira at izenpe.net

945067705

 

 

WARNING! Part or all of this message may be legally protected. The message has its intended recipient. If it has reached the wrong address (address mistyped, transmission failed), notify the sender by replying to this e-mail. CAUTION!
ATTENTION! This message contains privileged or confidential information that only the addressee is entitled to access. If you receive it in error, we would be grateful if you did not make use of the information and contacted the sender.

 

From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] On behalf of Erwann Abalea
Sent: Thursday, 21 November 2013 19:02
To: public at cabforum.org
Subject: Re: [cabfpub] Agenda Items for Next Call

 

Hello Iñigo,

Are you proposing to change the CABF membership rules to have the forum open to CAs that don't produce certificates defined by the forum and used by browsers? Being in the process for a browser inclusion doesn't imply that the process will succeed.

More specifically on the French TSL (easier for me to read):

*	the TSL is available at http://references.modernisation.gouv.fr/sites/default/files/TSL-FR.xml
*	it references https://references.modernisation.gouv.fr/fr and https://references.modernisation.gouv.fr/en for scheme information
*	those texts are not equivalent; the French one states that only RGS-certified CSPs are acceptable, the English one accepts CSPs issuing non-Qualified certificates without listing the acceptable approval schemes
*	the TSL contains a legal notice: "The applicable legal framework for the present TSL implementation of the Trusted List of supervised/accredited Certification Service Providers for FRANCE is the Directive 1999/93/EC of the European Parliament and of the Council of 13 December 1999 on a Community framework for electronic signatures and its implementation in FRANCE laws. Its applicable legal framework under FRANCE laws is the ordinance 2005-1516 and the General Security Frame(RGS) decree", again referring to the RGS scheme

Ok, maybe the French TSL scheme is particularly not clear.

Let's have a look at the Spanish one, there are more people in it. But it also contains 4 CA certificates for 3 different entities with a 1024-bit RSA key, to deliver Qualified certificates. Should these entities be accepted as CABF members? Should we trust the government agency responsible for TSL emission?

Let's look at the German one. It's not XML-signed, but comes as a zip file containing the XML file, a detached timestamp, and the TSC. Thus this list isn't authenticated, and was downloaded from a cleartext link. This TSL contains a lot of CAs, the large majority of them have expired, maybe 40% of them have 1024-bit keys. Same questions.

This isn't exhaustive.



-- 
Erwann ABALEA
 
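The checks Erwann walks through above (is the list XML-signed, is it still current, which services of which type does it carry), as an added example that is not code from the thread or from any Member State's tooling: it parses a constructed mini-TSL with the standard library XML parser. The ETSI namespace and the service-type and status URIs are assumed from TS 102 231 v2; key sizes and expiry of the listed certificates are not inspected here.

```python
"""Structural checks on an ETSI trusted list (TSL) before relying on its content. Added
example, not from the thread; sample list constructed, XML layout per ETSI TS 102 231 v2 (assumed)."""
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

NS = {"tsl": "http://uri.etsi.org/02231/v2#", "ds": "http://www.w3.org/2000/09/xmldsig#"}
CA_QC = "http://uri.etsi.org/TrstSvc/Svctype/CA/QC"    # CA issuing qualified certificates
CA_PKC = "http://uri.etsi.org/TrstSvc/Svctype/CA/PKC"  # CA issuing non-qualified certificates
SAMPLE_NOW = datetime(2013, 11, 22, tzinfo=timezone.utc)  # constructed evaluation date
# Constructed sample: no ds:Signature, NextUpdate already in the past, one CA/QC
# service still under supervision and one CA/PKC service whose supervision has ceased.
SAMPLE_TSL = """<tsl:TrustServiceStatusList xmlns:tsl="http://uri.etsi.org/02231/v2#">
<tsl:SchemeInformation><tsl:TSLSequenceNumber>42</tsl:TSLSequenceNumber>
<tsl:NextUpdate><tsl:dateTime>2013-11-01T00:00:00Z</tsl:dateTime></tsl:NextUpdate>
</tsl:SchemeInformation><tsl:TrustServiceProviderList><tsl:TrustServiceProvider>
<tsl:TSPServices><tsl:TSPService><tsl:ServiceInformation>
<tsl:ServiceTypeIdentifier>http://uri.etsi.org/TrstSvc/Svctype/CA/QC</tsl:ServiceTypeIdentifier>
<tsl:ServiceName><tsl:Name>Qualified CA</tsl:Name></tsl:ServiceName>
<tsl:ServiceStatus>http://uri.etsi.org/TrstSvc/Svcstatus/undersupervision</tsl:ServiceStatus>
</tsl:ServiceInformation></tsl:TSPService><tsl:TSPService><tsl:ServiceInformation>
<tsl:ServiceTypeIdentifier>http://uri.etsi.org/TrstSvc/Svctype/CA/PKC</tsl:ServiceTypeIdentifier>
<tsl:ServiceName><tsl:Name>TLS server CA</tsl:Name></tsl:ServiceName>
<tsl:ServiceStatus>http://uri.etsi.org/TrstSvc/Svcstatus/supervisionceased</tsl:ServiceStatus>
</tsl:ServiceInformation></tsl:TSPService></tsl:TSPServices></tsl:TrustServiceProvider>
</tsl:TrustServiceProviderList></tsl:TrustServiceStatusList>"""

def audit_tsl(xml_text, now):
    """Is the list itself usable (signed, not stale), and what services does it list?"""
    root = ET.fromstring(xml_text)
    scheme = root.find("tsl:SchemeInformation", NS)
    next_update = scheme.findtext("tsl:NextUpdate/tsl:dateTime", namespaces=NS)
    expiry = datetime.strptime(next_update, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    services = [{"name": info.findtext("tsl:ServiceName/tsl:Name", namespaces=NS),
                 "type": info.findtext("tsl:ServiceTypeIdentifier", namespaces=NS),
                 "status": info.findtext("tsl:ServiceStatus", namespaces=NS)}
                for info in root.iterfind(".//tsl:ServiceInformation", NS)]
    return {
        # Only the enveloped XML-DSig binds the content to the scheme operator.
        "signed": root.find("ds:Signature", NS) is not None,
        "sequence": int(scheme.findtext("tsl:TSLSequenceNumber", namespaces=NS)),
        "stale": now > expiry,  # past NextUpdate: content may no longer reflect reality
        "services": services,
    }

def ca_services(report, service_type, active_only=True):
    """Services of one CA type; 'active' means the ETSI status URI ends in a trusted status name."""
    active = ("undersupervision", "accredited", "granted")
    return [s for s in report["services"] if s["type"] == service_type
            and (not active_only or s["status"].rsplit("/", 1)[-1] in active)]
```

Run as `audit_tsl(SAMPLE_TSL, SAMPLE_NOW)`; a real list would need the XML-DSig actually verified against the scheme operator's certificate, not just its presence detected.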

On 20/11/2013 13:32, i-barreira at izenpe.net wrote:

	Erwann, Richard, all,

	 

	I think I didn't explain myself clearly, or at least not the intention.

	What I meant is that those CAs that are waiting to be included in the browser root programs and want to be members of the CABF can apply indicating that they belong to their national TL; that is it. So, they can sign the IPR, they have the audit certifications in place, etc., but are waiting to be included in the root program while already in the TL; then this option is to be considered by the CABF.

	I didn't mean the audit requirements for the "qualified" web site certificates when the regulation comes into effect, as Richard says, nor what kind of services you're providing (qualified or not).

	 

	Regarding the trusted lists, the EU MS TLs are publicly available, so anybody can check which TSP is listed for which type of services in each MS TL. There are some tools to do that.

	 

	OTOH, as far as I know the French list lists not only the CA/QC services but also CA/PKC and TSA services which are approved against the French national approval scheme (RGS & TS 101 456 / TS 102 042 approval).
	 
	I think the French TL works like this:

	                + only certified CA by an accredited auditor can ask to be included in TL

	                + CA must do an application to SGMAP (French body) to be included in TL.

	                + audit report must be sent to SGMAP.

	                + level can be 102 042 / 101 456 / RGS (1,2, 3 stars) / French law on QES

	 

	If you are a certified RGS 1 or 2 stars CA, you can also claim 102 042 in the TL.

	If you are certified RGS 3 stars or under the French law on qualified signature, you can also claim 101 456 in the TL.

	You can be ETSI TS only and not RGS, and then claim only TS status.

	 

	Regards

	 

	Iñigo Barreira
	Head of the Technical Area
	i-barreira at izenpe.net

	945067705

	 

	


	 

	From: tScheme Technical Manager [mailto:richard.trevorah at tScheme.org]
	Sent: Wednesday, 20 November 2013 12:09
	To: Barreira Iglesias, Iñigo; ben at digicert.com
	CC: public at cabforum.org
	Subject: RE: [cabfpub] Agenda Items for Next Call

	 

	Hi Iñigo,

	 

	I think that this is a bit premature; there is still not an agreed draft for the complete revised Regulation, let alone the scope and timescale for any Implementing Acts.

	 

	When there is an agreed definition and audit process for providers of Qualified Certificates for Website Authentication, then that would be the time for discussion as to how they need to be reflected in the CA/Browser Forum's processes.

	 

	Best regards

	Richard

	------------------------------------
	Richard Trevorah
	Technical Manager
	tScheme Limited
	
	M: +44 (0) 781 809 4728
	F: +44 (0) 870 005 6311
	
	http://www.tscheme.org
	------------------------------------
	
	The information in this message and, if present, any attachments are intended solely for the attention and use of the named addressee(s). The content of this e-mail and its attachments is confidential and may be legally privileged. Unless otherwise stated, any use or disclosure is unauthorised and may be unlawful.
	
	If you are not the intended recipient, please delete the message and any attachments and notify the sender as soon as practicable

	 

	 

	From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] On Behalf Of i-barreira at izenpe.net
	Sent: 20 November 2013 10:09
	To: ben at digicert.com; public at cabforum.org
	Subject: Re: [cabfpub] Agenda Items for Next Call

	 

	Hi Ben,

	 

	I'd like to update/modify the requirements for new applications, at least for EU CAs, and incorporate the evidence of being part of their country's TSL according to the new implementing act of the Commission. I think it's a minor change and won't affect the EU (or other countries') applicants.

	Should I propose a ballot? Do I need to send more info?

	 

	Regards

	 

	Iñigo Barreira
	Head of the Technical Area
	i-barreira at izenpe.net

	945067705

	 

	


	 

	From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] On behalf of Ben Wilson
	Sent: Wednesday, 20 November 2013 0:22
	To: public at cabforum.org
	Subject: [cabfpub] Agenda Items for Next Call

	 

	Here are some potential discussion items for this Thursday's call:

	 

	Discussion of Microsoft's SHA1 Announcement, Certificate lifetimes, SHA2 support, etc.

	Report on status of Ballot 89 (EV Processing)

	Discuss Ballot 107 (Remove specific references)

	Discuss Bylaw Revisions and potential ballot (11/18 email from Gerv) 

	Membership applications

	Report from Code Signing Working Group 

	Review of Web Site

	 

	Please let me know if you have any to add.

	
	Thanks,

	 

	Ben

	
	
	
	


 
