On Wed, Apr 17, 2019 at 2:23 PM Doug Beattie <doug.beat...@globalsign.com>
wrote:

>
> The ETSI requirements for QWAC are complicated and not all that clear to
> me, but is it possible to use OV certificate and Policy OIDs as the base
> instead of EV?  Since OV permits additional Subject Attributes, then that
> approach would not be noncompliant.
>
> Certainly issuing a QWAC needs to have vetting done in alignment with the
> EVGL, but by virtue of including the QualifiedStatement, you've asserted
> that, even if the certificate Policy OID claims only OV (OV being a subset
> of EV, so it's not a lie to say it's OV validated).
> - CertificatePolicy: CA can specify OV and also include this Policy OID:
> 0.4.0.194112.1.4
> - qualifiedStatement: qcs-QcCompliance is specified
>
> Is that contradictory? If not, then I'm probably just missing the
> statement that a QWAC MUST be an EV certificate with EV Policy OIDs.
>

What you describe is not contradictory, but my understanding of the
existing ETSI EN requirements is that it would present challenges.

That is, if the TSP has EV-enabled their QWAC OID, then they would not be
able to do that, because their EV-enablement is a commitment to follow the
EVGs.
If the TSP has not EV-enabled their QWAC OID, then they may be able to,
with caveats.

However, it's unclear, from a 319 403 perspective, whether or not TS 119
495 can override the requirements of EN 319 411-2, which incorporate the
EVGs for QWACs. This question is not something we could answer - it would
be the responsibility of each member state's supervisory body when assessing
the CARs provided by the CAB as to whether or not the CAB's assessment
evaluated against EN 319 411-2 and whether the modifications of
requirements by TS 119 495 are allowed to override those.
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
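As an added example (not code from this thread, from Doug, or from any TSP): a stdlib-only Python checker for the certificate shape Doug describes above, i.e. a certificatePolicies extension carrying a CA/B Forum OV or EV policy OID alongside the ETSI qcp-web OID 0.4.0.194112.1.4, plus a qcStatements extension carrying id-etsi-qcs-QcCompliance. The qcp-web value is the one quoted in the thread; the QcCompliance OID (0.4.0.1862.1.1) and the CA/B Forum EV (2.23.140.1.1) and OV (2.23.140.1.2.2) OIDs are the published values from ETSI EN 319 412-5 and the Baseline Requirements / EV Guidelines. The DER encoder, the decoder, the function names and the sample extension values are all my own constructions; a real deployment would feed it the raw extension values pulled from an actual certificate (e.g. via a full X.509 parser), and the example deliberately ignores policy qualifiers and statementInfo, since only the leading OID of each element matters for the question asked.

```python
"""Classify certificatePolicies / qcStatements extension values (raw DER)
by the ETSI and CA/B Forum policy OIDs discussed in the thread.
Stdlib only; sample inputs are constructed inline, not read from a cert."""
from __future__ import annotations

# 0.4.0.194112.1.4 is quoted in the thread; the other three are the
# published ETSI EN 319 412-5 and CA/B Forum values.
QCP_WEB = "0.4.0.194112.1.4"           # ETSI qcp-web (QWAC certificate policy)
QCS_QC_COMPLIANCE = "0.4.0.1862.1.1"   # id-etsi-qcs-QcCompliance statement
CABF_EV = "2.23.140.1.1"               # CA/B Forum EV policy OID
CABF_OV = "2.23.140.1.2.2"             # CA/B Forum OV policy OID


def _encode_len(n: int) -> bytes:
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(raw)]) + raw


def encode_oid(dotted: str) -> bytes:
    """DER OBJECT IDENTIFIER (tag 0x06) from dotted notation."""
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]  # base-128; high bit set on all but the last byte
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        body.extend(reversed(chunk))
    return b"\x06" + _encode_len(len(body)) + bytes(body)


def encode_seq(*items: bytes) -> bytes:
    """DER SEQUENCE (tag 0x30) wrapping already-encoded items."""
    body = b"".join(items)
    return b"\x30" + _encode_len(len(body)) + body


def read_tlv(data: bytes, pos: int) -> tuple[int, bytes, int]:
    """Return (tag, value, next_pos) for the DER TLV starting at data[pos]."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        length = int.from_bytes(data[pos:pos + n], "big")
        pos += n
    return tag, data[pos:pos + length], pos + length


def decode_oid(body: bytes) -> str:
    """Dotted notation from the body of a DER OBJECT IDENTIFIER."""
    first = body[0]
    arcs = [first // 40, first % 40] if first < 80 else [2, first - 80]
    val = 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(str(a) for a in arcs)


def leading_oids(ext_value: bytes) -> list[str]:
    """First OID of every inner SEQUENCE. certificatePolicies (SEQUENCE OF
    PolicyInformation) and qcStatements (SEQUENCE OF QCStatement) both open
    each element with an OID, so one walker serves both extensions."""
    tag, outer, _ = read_tlv(ext_value, 0)
    if tag != 0x30:
        raise ValueError("extension value is not a SEQUENCE")
    oids, pos = [], 0
    while pos < len(outer):
        tag, item, pos = read_tlv(outer, pos)
        oid_tag, oid_body, _ = read_tlv(item, 0)
        if tag != 0x30 or oid_tag != 0x06:
            raise ValueError("element is not SEQUENCE { OID, ... }")
        oids.append(decode_oid(oid_body))
    return oids


def classify(policies_der: bytes, qcstatements_der: bytes | None) -> dict[str, bool]:
    """Which of the four markers the two extension values assert."""
    policies = leading_oids(policies_der)
    statements = leading_oids(qcstatements_der) if qcstatements_der else []
    return {"qcp_web": QCP_WEB in policies,
            "qc_compliance": QCS_QC_COMPLIANCE in statements,
            "cabf_ev": CABF_EV in policies,
            "cabf_ov": CABF_OV in policies}


def describe(flags: dict[str, bool]) -> str:
    """One-line reading of the flags in the thread's own terms."""
    qwac = flags["qcp_web"] and flags["qc_compliance"]
    if qwac and flags["cabf_ev"]:
        return "QWAC on an EV base"
    if qwac and flags["cabf_ov"]:
        return "QWAC on an OV base (the combination Doug asks about)"
    if qwac:
        return "QWAC with no CA/B Forum policy OID"
    return "not a QWAC (qcp-web or QcCompliance missing)"


def build_extensions(policy_oids: list[str], statement_oids: list[str]) -> tuple[bytes, bytes]:
    """Constructed sample extension values, without qualifiers or statementInfo."""
    policies = encode_seq(*(encode_seq(encode_oid(o)) for o in policy_oids))
    statements = encode_seq(*(encode_seq(encode_oid(o)) for o in statement_oids))
    return policies, statements


if __name__ == "__main__":
    for label, pols, stmts in [("OV-based", [CABF_OV, QCP_WEB], [QCS_QC_COMPLIANCE]),
                               ("EV-based", [CABF_EV, QCP_WEB], [QCS_QC_COMPLIANCE]),
                               ("plain OV", [CABF_OV], [])]:
        print(label, "->", describe(classify(*build_extensions(pols, stmts))))
```

Note that this only tells you what the certificate asserts; whether an OV-based QWAC is acceptable under EN 319 411-2 / TS 119 495 is exactly the supervisory-body question the reply above leaves open, and no parser can settle it.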
