[cabfpub] RV: [cabfman] Ballot 171? for updating the ETSI standards in the CABF documents

Ryan Sleevi sleevi at google.com
Thu Jun 16 09:55:54 MST 2016


On Thu, Jun 16, 2016 at 1:02 AM, Barreira Iglesias, Iñigo <
i-barreira at izenpe.eus> wrote:

> Ryan,
>
> 411-2 says that “all the requirements defined for EVCP in ETSI EN 319
> 411-1 shall apply for issuing QCP-w”, so, if you feel more comfortable
> admitting only 411-1, I see no issue but I still don't understand why
> because if a TSP only wants to issue qualified certificates, and get his
> audit in 411-2 for QCPw (which means that all the requirements for EVCP
> defined in 411-1 apply), what are you going to do with these qualified
> certificates? Are you going to accept it or not? If not, why?
>

No, it will not be accepted if not presented with a 411-1 audit.

As I tried to indicate several times, 411-2 is necessarily different than
411-1 - if they were the same, we wouldn't have 411-2!

Saying 411-2 requires 411-1 is like saying the Baseline Requirements
requires RFC 5280 compliance - which it does, but then the BRs define
exceptions for 5280 where it makes sense (e.g. non-critical name
constraints). So we can't argue that the BRs are out-and-out identical to
5280, since there's conflict.

411-2's approach means that, as root programs, we'd have to be evaluating
all changes to 411-1 to make sure they're reflecting the EVGs, but then
ALSO check all changes to 411-2 to make sure no clause of 411-2 supersedes
or overrides or conflicts with that of 411-1.

If a QCP-w cert doesn't bear the CA's EVCP OID (as audited to 411-1), then
the QCP-w would be treated as DVCP, at best.