[cabfpub] SAN private extensions pursuant specific SSL/EV Spanish ruled profile

Kirk Hall Kirk.Hall at entrust.com
Thu Jul 14 18:08:40 UTC 2016


To my mind, the provisions of BR Sec. 8 and 9.16.3, and EVGL Sec. 8.1, could be interpreted as allowing the laws and regulations of Spain concerning certificate profiles and content to override the requirements of the BRs and EVGL.

Accordingly, there may be no need for Spanish CAs to do anything differently as to the earlier certs – they can assert to their auditors that Spanish law and regulation is allowed to control on this issue, and so they are in full compliance because of BR Sec. 8 and 9.16.3, and EVGL Sec. 8.1. See below.

BR 8. COMPLIANCE AUDIT AND OTHER ASSESSMENTS
The CA SHALL at all times:
1. Issue Certificates and operate its PKI in accordance with all law applicable to its business and the Certificates it issues in every jurisdiction in which it operates;
2. Comply with these Requirements;
3. Comply with the audit requirements set forth in this section; and
4. Be licensed as a CA in each jurisdiction where it operates, if licensing is required by the law of such jurisdiction for the issuance of Certificates.

BR 9.16.3. Severability
If a court or government body with jurisdiction over the activities covered by these Requirements determines that the performance of any mandatory requirement is illegal, then such requirement is considered reformed to the minimum extent necessary to make the requirement valid and legal. This applies only to operations or certificate issuances that are subject to the laws of that jurisdiction. The parties involved SHALL notify the CA / Browser Forum of the facts, circumstances, and law(s) involved, so that the CA/Browser Forum may revise these Requirements accordingly.

EVGL 8. Community and Applicability
8.1. Issuance of EV Certificates
The CA MAY issue EV Certificates, provided that the CA and its Root CA satisfy the requirements in these Guidelines and the Baseline Requirements.  If a court or government body with jurisdiction over the activities covered by these Guidelines determines that the performance of any mandatory requirement is illegal, then such requirement is considered reformed to the minimum extent necessary to make the requirement valid and legal. This applies only to operations or certificate issuances that are subject to the laws of that jurisdiction. The parties involved SHALL notify the CA / Browser Forum of the facts, circumstances, and law(s) involved, so that the CA/Browser Forum may revise these Guidelines accordingly.


From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] On Behalf Of Dean Coclin
Sent: Wednesday, July 6, 2016 1:56 PM
To: Chema Lopez <clopez at firmaprofesional.com>; public at cabforum.org
Subject: Re: [cabfpub] SAN private extensions pursuant specific SSL/EV Spanish ruled profile

I recall there being some discussion on another list about this (perhaps Mozilla) and maybe others that follow that could comment.

If you want to bring this up on the CABF call, please let me know. Unfortunately this week’s agenda is full but we could schedule it for 2 weeks from now.

Thanks
Dean

From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] On Behalf Of Chema Lopez
Sent: Wednesday, June 29, 2016 1:34 PM
To: public at cabforum.org
Subject: [cabfpub] SAN private extensions pursuant specific SSL/EV Spanish ruled profile

Dear all.

There was a law in Spain that regulated the profile for some specific certificates, i.e.:

  1.  Civil Servant or Public Employee (natural person certificate)
  2.  Electronic Seal for Automated Administrative Action
  3.  Electronic Office Certificate (SSL or EV for Public Administrations)

You can find the profiles attached (unfortunately only in Spanish).

The problem is that these profiles required private extensions in the SAN, and this conflicts with the BR and EV Guidelines. At least, crt.sh shows these extensions as an error. See the private extensions below.
[Inline images 1]

This law has been repealed recently and the new one does not require these extensions but, how do we, Spanish TSPs, handle the SSL and EV certificates issued following the previous law? In my opinion, an exception needs to be added.

Thanks in advance for your comments.

Best regards,


Chema López González
Director, Innovation, Compliance and Technology Area
AC Firmaprofesional S.A.



Av. Torre Blanca, 57.
Edificio ESADECREAPOLIS - 1B13
08173 Sant Cugat del Vallès. Barcelona.
Tel: 93.477.42.45 / 666.429.224

