Dear Erwann, My answers inline marked with ***
Le jeudi 29 septembre 2016 11:45:39 UTC+2, Varga Viktor a écrit : > Dear Peter, > > I am deeply in ETSI process, so I can give info some info: > > Formerly the ETSIs are based on > > * 102042 for CAs > * 101456 for CAs issuing qualified certificates (refernces frequently > the 102042) > > o BRG and EV is referenced from them for SSL and EV SSL certificate > issuance. > > The new version of these : (2016-02) (these are based on the 910/2014/EC > regulation, which makes a common EU market.) > > * 319411-1 for CAs > * 319412-2 for CAs issuing qualified certificates (refernces > frequently the 319411-1) You meant 319411-2 here. (319412-* are certificate profiles). *** You have right, it was misstyped. > o 319401 is referenced from them for technical requirements (technical > requirements from 102042 and 101456 were ripped of into this documents) > > o 319412-1 ,-2, -3, -4, -5 referenced from them for certificate profiles > o BRG and EV is referenced from them for SSL and EV SSL certificate > issuance. 319412-2 and 319412-3 are not used for TLS server certificates, 319412-1 is general and introduces some semantic identifiers that could be used in TLS server certs, 319412-4 is dedicated to TLS server certificates but is mostly an empty shell relying on EVG and BR, 319412-5 adds the QCStatements extension (MUST be present for Qualified certs, MAY be present for non Qualified certs). > For EU CAs the Microsoft forces to move to ETSI audit instead Webtrust. No. *** I accept your correction. I correct myself. I remember I read it somewhere, but can't find my source again. (Maybe I read it in a work version left on the net.) > The ETSI audit checks: > > * that the certificate issuance systems and environment are compliant > with the technical or requirements. (against 319401) > * that the certificate profiles meet the requirements (against 319412s) > * the CP/CPS and the practice of issuance compliant with the 319411-1 > (and for qualified certificates with 319411-2) > > o the 319411-1 and 319411-2 defines various Certification policies, and > rules for them. > > LCP, NCP, NCP+, DVCP, IVCP, OVCP, EVCP, and also the new qualified ones > (qcp-n, qpc-l, qcp-n-qscd, qcp-l-qscd, qcp-w) > > For DVCP, OVCP, IVCP, OVCP they references BRG and EVGL (and also for qcp-w, > which looks like a chimera for me :) ) > > At the end of audit each issuing subcas are checked against the compliance > with issuing policies, profiles, and technical requirements. > > Of-course the ETSI report, or its Annex also includes the whole list of the > subordinates too. > > Also the Microsoft doesn't accepts audit report without the subordinate list, > so its mandatory nowadays. > > I think what is important to add the 319411-1 and -2 to the actual acceptable > audit requirements, because the MS ask for this, and it older version (119411 > included in the 2.3 proposal) My view is that 319411-2 may be an acceptable audit requirements, but since QCP-w certificates (the chimera) are not easily compared to EV certificates (because the "Qualified" attribute is granted by a supervisory body to a TSP established on its territory only), it's useless to add 319411-2 as acceptable (a CA will necessarily be 319411-1). *** It's also a possible solution to left the 411-2 out, because 411-1 covers also the LCP, NCP, NCP+ signer and ecnryption certificates too, so SMIME usage is also covered. What I just want to recommend to add also the new numbers to the current Mozilla Policy. Regards, Viktor Varga _______________________________________________ dev-security-policy mailing list [email protected] https://lists.mozilla.org/listinfo/dev-security-policy _______________________________________________ dev-security-policy mailing list [email protected] https://lists.mozilla.org/listinfo/dev-security-policy
