[Servercert-wg] Soliciting feedback on potential changes to Qualified Website Authentication Certificates

[Ryan Sleevi]

Hi all,

As some members of the Forum are familiar, since 2015, representatives from
a variety of operating system and browser vendors have been engaged in
informal meetings with representatives from the Directorate-General for
Communications Networks, Content and Technology (DG CONNECT), the European
Union Agency for Cybersecurity (ENISA), and ETSI regarding the use and
recognition of QWACs within these software vendors’ products. Many members
likely recall the guest talk from Andrea Servida at the CA/B Forum F2F in
Istanbul for Meeting 36, on eIDAS and its potential.

Recently, as an output of these informal meetings, discussion with various
browsers and operating system vendors led to a proposal that may reduce the
the interoperability challenges that TSPs face that prevent wider and
interoperable use of QWACs with existing software, an ongoing pain point
for those issuing QWACs.

This proposal is fairly lightweight, a very small change to the existing
profile for QWACs, when embodied by ETSI ESI's set of documents, that is
believed will facilitate easier interoperability of QWACs with existing
software, as well as unlock new possibilities for the interoperable use of
QWACs. It does so by removing a currently mandatory requirement for QWACs,
making it an optional requirement instead, in order to promote greater
interoperability and ease of use.

In consultation with DG CONNECT, we wanted to share this proposal,
previously circulated among the aforementioned discussion participants, to
gather wider feedback and input from CAs, both that are members of the
Forum directly, as well as within respective member Root Programs but which
may not yet be members of the Forum.

I've attached as a PDF that describes the proposal, as well as its context
and history, which hopefully the new mailing list will not eat. If the
attachment has issues and isn't delivered, I'll see what can be done to
make it accessible for both Forum members and interested
parties/non-members alike and will update this thread.

For Forum members as well as interested parties (aka, those who have
posting privileges), the best way to send feedback would be on this list.

Alternatively, sending feedback to those included on the CC line, which
have participated in these discussions, is a great way to make sure
feedback is recorded and shared. It also works for those CAs that are not
members with posting privileges that are subscribed to this list.

Thanks, and we look forward to folks' input!
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://cabforum.org/pipermail/servercert-wg/attachments/20200114/3a5fa74c/attachment-0001.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: Unified Technical Proposal and Q&A.pdf
Type: application/pdf
Size: 126432 bytes
Desc: not available
URL: <http://cabforum.org/pipermail/servercert-wg/attachments/20200114/3a5fa74c/attachment-0001.pdf>