Nelson B wrote:
> It seems to me that this idea of standardized profiles is essentially
> what ETSI was trying to accomplish with their "Qualified Statements",
> about which most participants in this group have had little good to say.

I'm sorry, I must have missed that discussion. What was the nature of the objections to the ETSI work? Was this in reference to the standard certificate policies defined in ETSI TS 101 456 and 102 042?


I personally don't have any objection to CAs adopting standardized certificate policies (including standard policy OIDs); in fact I think it would be a good thing. However, in practice I think this is unlikely to happen for various reasons, mainly because a) I don't think the "vendors" (i.e., the CAs and the various bodies like ETSI, ANSI X9, EAP, etc.) are really motivated to cooperate on doing this, and b) I don't think the "market" (i.e., CA customers and "relying parties") really cares about this.

(Although one could argue that standardized cert policies would make comparing CA offerings easier, and hence be a boon for cert buyers, I don't think that would make an actual difference in practice because I don't think cert buyers make buying decisions based primarily on CA policies -- it's more "can this CA sell me a cert that will cause my customers not to see warning dialogs?")

I also think that the ETSI classification of policies is a good attempt. My only point is that you still need a standardized mapping of the policies to particular types of certificate use (e.g., code signing, S/MIME email, and SSL servers in our case).

Also, a point of clarification: In the context of TS 101 456 and 102 042 the word "qualified" when used in connection with certificate policies has a specific meaning IIRC: it refers to cert policies that are legally aligned with EU member state digital signature laws. That's why TS 102 242 defines "non-qualified" (my term, not theirs) versions of the qualified policies defined in TS 101 456; the level of assurance is the same for the policies that have both qualified and non-qualified variants, but the legal implications are slightly different in terms of how the certs would be treated under EU and national laws and directives.

> I'm not aware of any other efforts to standardize profiles.

Well, there's the EAP work I mentioned previously, but it is broader than just certs, and IIRC does not define standard policy OIDs.


Frank

--
Frank Hecker
_______________________________________________
mozilla-crypto mailing list
http://mail.mozilla.org/listinfo/mozilla-crypto